Malwarebytes' Anti-Malware 1.41
Database version: 3128
Windows 5.1.2600 Service Pack 2
11/8/2009 1:34:23 PM
mbam-log-2009-11-08 (13-34-23).txt
Scan type: Quick Scan
Objects scanned: 113538
Time elapsed: 7 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6209829c-a2aa-4fd0-a7f6-3a2e0e59b60b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fxrmgcrf (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6209829c-a2aa-4fd0-a7f6-3a2e0e59b60b} (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\windows\system32\yhvglrc.dll (Trojan.Vundo.H) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:53 PM, on 11/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=Li...hEvLsgcnuepXa7M
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6209829C-A2AA-4FD0-A7F6-3A2E0E59B60B} - c:\windows\system32\yhvglrc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "stsystra.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SecureUpgrade] "C:\Program Files\Wave Systems Corp\SecureUpgrade.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [lxdwmon.exe] "C:\Program Files\Lexmark 7600 Series\lxdwmon.exe"
O4 - HKLM\..\Run: [lxdwamon] "C:\Program Files\Lexmark 7600 Series\lxdwamon.exe"
O4 - HKLM\..\Run: [KADxMain] "C:\WINDOWS\system32\KADxMain.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Document Manager] "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} (Pictometry Viewer Control) - http://www.brevardpropertyappraiser.com/pi...ImageCtrl30.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: fxrmgcrf - C:\WINDOWS\SYSTEM32\yhvglrc.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdwCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe
O23 - Service: lxdw_device - - C:\WINDOWS\system32\lxdwcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 12793 bytes
#1
Posted 08 November 2009 - 06:41 PM
#2
Posted 08 November 2009 - 08:07 PM
Hi and Welcome to the Malwarebytes' forum.
Please download ATF Cleaner by Atribune
- Close Internet Explorer and any other open browsers
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Opera at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Launch HijackThis (HJT) by double-clicking the desktop shortcut and choosing the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":
O20 - Winlogon Notify: fxrmgcrf - C:\WINDOWS\SYSTEM32\yhvglrc.dll
Close HJT.
Reboot
Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.
Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingc...opic114351.html
Please perform a rootkit scan:
- Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
- When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
- When this "quick" scan is finished (a few seconds), copy the quick scan report to the Windows clipboard, save it as ARKQ.txt and paste it in a reply back here.
- Only if the ARK program alerts you to rootkit activity and invites you to complete a complete scan - then relaunch the ARK program, click the Rootkit/Malware tab, and then select the Scan button.
- Leave your system completely idle while this longer scan is in progress.
- When the scan is done, save the scan log to the Windows clipboard.
- Open Notepad or a similar text editor.
- Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
- Exit the program.
- Save the scan log as ARK.txt and post it in your next reply. If the log is very long, attach it please.
Please download Combofix from one of these locations:
HERE or HERE
I want you to rename Combofix.exe as you download it to a name of your choice such as fixit.exe
Notes:
- It is very important that you save the newly renamed EXE file to your desktop.
- You must rename Combofix.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
- For Firefox:
- Open Firefox and click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
- For Internet Explorer:
- When downloading, choose to save, not open the file
- When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:
http://www.bleepingc...to-use-combofix
Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingc...opic114351.html
NOTE: It's especially important that you disable your McAfee Antivirus as it is known to drastically interfere with Combofix.
Also, disable your firewall!
You can enable the Windows firewall in the interim, until the scan is complete.
Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.
Running Combofix
In the event you already have Combofix, please delete it as this is a new version.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
1. Double click on the renamed combofix.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Please post back ARK.txt and C:\Combofix.txt
#3
Posted 18 November 2009 - 03:18 AM
negster22, on Nov 8 2009, 03:07 PM, said:
Attached Files
#4
Posted 18 November 2009 - 03:20 AM
Sorry I didn't follow the instructions and post these sooner! I thought I'd get an email reading that someone had replied to my post. In either case, thanks for your help! Also, I tried disabling my McAfee Virus sw, but the Combofix program kept saying it was enabled. If I need to go thru the steps again, just let me know. Thanks again!
#5
Posted 18 November 2009 - 03:26 AM
Please copy and paste your logs into a reply. Thank you!!!
#6
Posted 20 November 2009 - 11:27 PM
negster22, on Nov 17 2009, 10:26 PM, said:
Please copy and paste your logs into a reply. Thank you!!!
GMER 1.0.15.15227 - http://www.gmer.net
Rootkit quick scan 2009-11-17 21:45:58
Windows 5.1.2600 Service Pack 2
Running: ARK.exe; Driver: C:\DOCUME~1\Z\LOCALS~1\Temp\pxtdypow.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA75C087B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA75C07FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA75C08A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA75C080F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA75C083B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA75C08CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA75C07E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA75C088F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA75C0825]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA75C0851]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA75C0867]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA75C08E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA75C08B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
---- EOF - GMER 1.0.15 ----
ComboFix 09-11-18.04 - Z 11/17/2009 21:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1312 [GMT -5:00]
Running from: c:\documents and settings\Z\Desktop\fixit.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-165822833-1632583300-1373009395-210718
c:\windows\AegisP.inf
c:\windows\system32\clauth1.dll
c:\windows\system32\clauth2.dll
c:\windows\system32\drivers\ghzdhhuw.sys
c:\windows\system32\drivers\wbxgazxw.sys
c:\windows\system32\dsshonaq.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\sntbduf.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\yhvglrc.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CYTYZDFR
-------\Legacy_GHZDHHUW
-------\Service_cytyzdfr
-------\Service_ghzdhhuw
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.
2009-11-18 02:44 . 2009-11-18 02:44 291840 ----a-w- C:\ARK.exe
2009-11-18 02:32 . 2009-11-18 02:32 -------- d-----w- C:\rsit
2009-11-16 01:39 . 2009-11-18 02:15 -------- d-----w- c:\program files\Registry Easy
2009-11-08 17:43 . 2009-11-08 17:43 -------- d-----w- c:\program files\Trend Micro
2009-11-08 15:40 . 2009-11-08 15:40 -------- d-----w- c:\documents and settings\Z\Application Data\Malwarebytes
2009-11-08 15:40 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 15:40 . 2009-11-08 15:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 15:40 . 2009-11-08 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 15:40 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 15:28 . 2009-11-08 15:53 -------- d-----w- c:\documents and settings\Z\Local Settings\Application Data\jekeeo
2009-10-30 05:13 . 2009-10-30 05:13 174144 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-19 16:30 . 2009-10-19 16:30 -------- d-----w- c:\program files\Citrix
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 11:04 . 2007-12-25 18:50 -------- d-----w- c:\documents and settings\Z\Application Data\Wave Systems Corp
2009-11-13 00:48 . 2008-08-17 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-22 12:48 . 2007-12-09 23:36 78360 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 00:02 . 2009-10-07 00:02 -------- d-----w- c:\documents and settings\Z\Application Data\Office Genuine Advantage
2009-10-06 23:02 . 2008-08-17 13:18 -------- d-----w- c:\program files\Microsoft Works
2009-09-21 19:24 . 2008-04-13 23:32 -------- d-----w- c:\program files\Hp
2009-09-12 16:32 . 2009-09-12 16:32 127872 ----a-w- c:\documents and settings\Z\Application Data\Move Networks\uninstall.exe
2009-09-12 16:32 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Z\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-09-11 14:03 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-11 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 23:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2004-08-11 23:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-17 111952]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-9 50688]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16Student\\spss.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\lxdwamon.exe"=
"c:\\Program Files\\Lexmark 7600 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11869:TCP"= 11869:TCP:@xpsp2res.dll,-22009
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [3/30/2009 5:38 PM 98984]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/29/2007 6:58 PM 24652]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GHZDHHUW
*Deregistered* - ghzdhhuw
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=LitdE1da95oshEvLsgcnuepXa7M
IE: E&xport to Microsoft Excel
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Aim6 - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 22:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
- - - - - - - > 'explorer.exe'(2984)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lexmark 7600 Series\lxdwMsdMon.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdwcoms.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\StacSV.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msdtc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-11-17 22:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-18 03:13
Pre-Run: 100,132,274,176 bytes free
Post-Run: 99,973,623,808 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - FEC9928953C2063E4CDE7CA5B498F630
#7
Posted 21 November 2009 - 05:32 AM
OK, now launch MBAM and update it.
Perform a quick scan and post back the scan log.
#8
Posted 21 November 2009 - 05:31 PM
negster22, on Nov 21 2009, 12:32 AM, said:
OK, now launch MBAM and update it.
Perform a quick scan and post back the scan log.
Because I thought not being able to turn off my McAfee Enterprise would interfere with the debugging, I retraced your steps from the second post, and now my computer will not get past the "blue screen of death". In short, it states the problem as follows:
"STOP: 0x000007B (0xBA4CB524, 0xc0000034, 0x00000000, 0x00000000)"
Has my restlessness totally screwed my computer?
#9
Posted 21 November 2009 - 05:39 PM
I also noticed that when fixit was running, it deleted the file "WINDOWS/system32/drivers/pciide.sys". Could this be causing the booting problem?
#10
Posted 22 November 2009 - 12:40 AM
Did you run Combofix a second time? Your first Combofix log makes no mention of deleting the pciide.sys driver.
That is an IDE disk controller driver, and if it was deleted it could definitely make your system unbootable.
Normally, Combofix will not delete any infected essential or system file without replacing it with a suitable and verified backup it locates elsewhere on your system, but this may have been a temporary glitch.
If you installed Recovery Console as directed during the Combofix run, then it will be quite easy to restore a backup from
c:\windows\system32\dllcache\pciide.sys
or
c:\i386\pciide.sys
Here are the directions for that
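The post above makes a point worth automating when reviewing any automated remover's log: look at what it deleted, and ask whether any of it is a file Windows needs to boot, and where a pristine copy could come from. The following script is an added example, not code from the thread or from ComboFix. It parses the "Other Deletions" block of a ComboFix log, flags names from a short list of Windows XP boot-start storage drivers (that list is the example's own), and prints the dllcache and i386 locations mentioned above, including the compressed i386 form (pciide.sy_). The embedded log excerpt is constructed from the log posted earlier; the second run that removed pciide.sys was never posted, so that line is hypothetical.

```python
"""Triage the 'Other Deletions' block of a ComboFix log (added example).

The thread above describes a ComboFix run that removed pciide.sys, the PCI IDE
bus driver, after which the machine stopped with STOP 0x0000007B
(INACCESSIBLE_BOOT_DEVICE).  This script pulls the deleted paths out of a log,
flags names that belong to boot-start Windows XP drivers, and lists where XP
keeps spare copies: system32\\dllcache, or the i386 source folder, where the
file is often stored compressed with the last letter of its extension replaced
by an underscore (pciide.sy_).
"""
import re

# Inbox XP drivers needed to reach the system volume at boot.  Deleting one of
# these typically produces STOP 0x7B on hardware that uses it.  The list is
# the example's own; extend it for the storage stack of the machine at hand.
BOOT_START_DRIVERS = {
    "atapi.sys", "pciide.sys", "pciidex.sys", "intelide.sys", "disk.sys",
    "classpnp.sys", "ftdisk.sys", "partmgr.sys", "ntfs.sys", "volsnap.sys",
}

# ComboFix section headers look like "(((( Other Deletions ))))".
SECTION_HEADER = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")


def deletions_from_log(log_text):
    """Return the paths listed under the 'Other Deletions' header."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_HEADER.match(line)
        if header:
            in_section = header.group("name").lower() == "other deletions"
            continue
        if in_section and line and line != ".":
            paths.append(line)
    return paths


def classify(path):
    """Label a deleted path BOOT_CRITICAL, SYSTEM_PATH (under \\windows\\) or OTHER."""
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    if name in BOOT_START_DRIVERS:
        return "BOOT_CRITICAL"
    if "\\windows\\" in lower:
        return "SYSTEM_PATH"
    return "OTHER"


def backup_candidates(path):
    """Locations named in the post above where XP may hold a pristine copy."""
    name = path.rsplit("\\", 1)[-1]
    drive = path[:2] if re.match(r"^[A-Za-z]:", path) else "c:"
    compressed = name[:-1] + "_"  # pciide.sys -> pciide.sy_ (i386 layout)
    return [
        f"{drive}\\windows\\system32\\dllcache\\{name}",
        f"{drive}\\i386\\{name}",
        f"{drive}\\i386\\{compressed}",
    ]


def triage(log_text):
    """(path, label, backups) for every deletion; backups only for boot-critical files."""
    report = []
    for path in deletions_from_log(log_text):
        label = classify(path)
        backups = backup_candidates(path) if label == "BOOT_CRITICAL" else []
        report.append((path, label, backups))
    return report


# Constructed excerpt modelled on the log posted above.  The second run that
# removed pciide.sys was never posted, so that line is hypothetical.
SAMPLE_LOG = r"""
ComboFix (constructed excerpt) - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-165822833-1632583300-1373009395-210718
c:\windows\AegisP.inf
c:\windows\system32\drivers\ghzdhhuw.sys
c:\windows\system32\drivers\pciide.sys
c:\windows\system32\yhvglrc.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GHZDHHUW
"""

if __name__ == "__main__":
    for path, label, backups in triage(SAMPLE_LOG):
        print(f"{label:13} {path}")
        for candidate in backups:
            print(f"{'':13}   restore from: {candidate}")
```

Run it against the saved ComboFix.txt instead of SAMPLE_LOG to get the same report for a real run. The restore itself, once the Recovery Console is booted, is one command per source: `copy c:\windows\system32\dllcache\pciide.sys c:\windows\system32\drivers` for an uncompressed copy, or `expand c:\i386\pciide.sy_ c:\windows\system32\drivers` for the compressed i386 form, followed by `dir c:\windows\system32\drivers\pciide.sys` to confirm the file is back before rebooting.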
#11
Posted 22 November 2009 - 06:56 PM
negster22, on Nov 21 2009, 07:40 PM, said:
Did you run Combofix a second time? Your first Combofix log makes no mention of deleting the pciide.sys driver.
That is an IDE disk controller driver, and if it was deleted it could definitely make your system unbootable.
Normally, Combofix will not delete any infected essential or system file without replacing it with a suitable and verified backup it locates elsewhere on your system, but this may have been a temporary glitch.
If you installed Recovery Console as directed during the Combofix run, then it will be quite easy to restore a backup from
c:\windows\system32\dllcache\pciide.sys
or
c:\i386\pciide.sys
Here are the directions for that
Yes, I ran combofix a second time since I was retracing your steps after trying to disable McAfee better than the first time. I'll try your directions (I haven't looked at them yet). May take me until tonight to look though. Thanks for all of your help.
#12
Posted 23 November 2009 - 03:33 AM
You're welcome, and don't worry: you have to have a backup of that file, pciide.sys.