Full Version: mbam-setup.exe does not run
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
MrAngry
I have a virus 'go-google' which redirects me to anywhere but where I want to go when attempting to go to web sites via Google search results. I have read threads from others who have suffered the same fate and I was directed to this site for help - so thanks for being here. I am also unable to connect to Norton or Microsoft web sites - IE also becomes very slow and I eventually get a message to say that the site does not exist or was not responding.

Using a borrowed laptop I have followed the instructions in I'm infected - What do I do now? I downloaded the mbam-setup.exe and copied it to the desktop of my infected machine using a USB memory stick. I double click on the icon and can see the mbam-setup.exe as a process in taskmanager using 2,224K of memory but it never uses any CPU. It stays in taskmanager for 5 minutes before it disappears - I have timed it 3 times! I would appreciate any help you can give as I have already spent 2 days trying to hunt down and get rid of this nasty virus.
AdvancedSetup
Please try the following. You may need to rename the file multiple times trying to get it to run, or you may have to try it in Safe Mode.


Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
MrAngry
Success!

I have successfully removed a number of Trojans after a bit of renaming. I presume one or more of the viruses has got wise to your mbam software and is blocking it from running as it was intended. However, just for the record, this is what I did to resolve the problem.

1. I logged on to my PC in 'safe mode' and, using the Administrator account, went into windows explorer and renamed the mbam-setup.exe to 'fix-setup.exe'
2. I double clicked on the program and that started the installation.
3. Although the installation went through to the point where it shows the 'Finishing Installation....' window with the blue progress bar showing 100% complete, it took some time (but < 10 minutes) before the 'Installation Complete' window appeared.
4. Both the 'Update Malwarebytes' Anti Malware' and 'Launch Malwarebytes' Anti Malware' check boxes were ticked.
5. I clicked 'Finish' and the Installation Complete window closed although the 'setup' task remained in my taskbar at the bottom of the screen for several minutes afterwards, but it did eventually disappear. I was expecting the Malwarebytes' Anti Malware' application to launch but nothing happened. I checked Task Manager and could see a mbam.exe sitting there, but again it was not using any CPU.
6. Next I tried launching the application using the 'Malwarebytes' Anti-Malware' icon on the desktop but again nothing happened and I could see mbam.exe in Task Manager but never using any CPU. This stayed in the Task Manager for about 5 minutes before it disappeared.
7. Using windows explorer I drilled down to the Malwarebytes directory and copied the mbam.exe member giving it the name PTFix.exe. This I double clicked and successfully launched the scanning application which found a number of Trojans.
8. Having found the viruses I then asked the application to remove them, which it did. I have attached the log for your information.
9. I then rebooted my machine and logged on as normal to one of my XP accounts (NOT in safe mode this time). From there I initiated the original mbam.exe application using the Malwarebytes' icon that was added by the setup installation. This time the application ran in its own right, giving me immediate confidence that the viruses had indeed been killed! However, another set of viruses was identified (see second attached log).

Q: Should mbam.exe be run from every user account? The machine I am cleaning runs XP Home Edition and has multiple user accounts. I assumed that the scan only needed to be run once, but when I ran it the second time, not in 'safe mode', and found more viruses it made me wonder if I do need to scan from every account. I would be interested to know why the second batch of viruses was not detected first time round, which I'm sure you will be able to explain.

I have no idea when or how I picked these viruses up and I am more concerned that my Norton Anti Virus and Internet Security software did not pick these up especially as they have been around for some time.

Many thanks to Malwarebytes for your help and support.

A much happier and less MrAngry!
MrAngry
Sorry, I managed to add the previous reply without the second log.

AdvancedSetup
In general, yes, MBAM needs to run under each account to remove Registry items that might be listed.
However it can normally clean up most of the system by running on an Administrative account.

When you ran it in SAFE MODE it was severely crippled from running in its full capacity. When you ran it in Normal mode it had much more power and access to items to remove them.

Due to the nature of this infection and most of it being cleaned already I would like you to still run this tool and we can check for other items that might be left over.



Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
MrAngry
This doesn't look too good.

To add a little more information to my problem I should have said that this problem is on a laptop that does not get used very often. I used it two weeks ago to try and update the anti-virus software (Norton Internet Security 2008) before the subscription was due to expire but I was prevented from getting to the Norton site, which I now know to be caused by one of the viruses I had, or possibly still have.

The subscription has now expired and, having looked at a number of reviews and spoken to friends and colleagues, I have now purchased Kaspersky and hopefully, once this mess is sorted out, I hope I'll be able to install it.

Unfortunately I am stuck at another wall. I am now following the instructions to disable firewalls and anti virus software before running ComboFix.

Whether the fact that the subscription has expired is a factor or not, whilst following the instructions on how to turn off Norton Internet Security (http://service1.symantec.com/SUPPORT/nip.nsf/docid/2003071515220236) there is no User Account in the left pane. I can disable the Firewall but I cannot see any other way of disabling the software and, as the subscription has expired and I'm less than happy that it has not protected me, I decided to uninstall it. Using my own account, which is a Computer Administrator, from Control Panel I go into the Add or Remove Programs option to get a list of installed programs. However, when I click on any program, whereas I expect to see a Change or Remove option, there is nothing but Size, Used frequency and Last Used information. The only application that brings up the Remove option is Malwarebytes' Anti Malware. Do you know what's going on? I have no idea how to remove software completely other than this method.

Thanks for your continued support, it's nice to know there's a guardian angel out there who can help take some of the stress of this situation away. I'll try and pick up your response and action as soon as possible.
AdvancedSetup
Please try the Norton Antivirus Removal Tool.

http://service1.symantec.com/Support/tsgen...005033108162039
MrAngry
Thanks. I was able to remove Norton and run ComboFix. Please let me know what I should do next.

Here's the log file.

ComboFix 09-02-28.01 - User1 2009-03-02 9:46:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.290 [GMT 0:00]
Running from: c:\documents and settings\User1\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\TDSSorvd.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
.

2009-03-02 09:22 . 2009-03-02 09:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-28 19:07 . 2009-02-28 19:07 <DIR> d-------- c:\documents and settings\User2\Application Data\Malwarebytes
2009-02-28 14:00 . 2009-02-28 14:00 <DIR> d-------- c:\documents and settings\User1\Application Data\Malwarebytes
2009-02-28 13:31 . 2009-02-28 17:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 13:31 . 2009-02-28 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 13:31 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 13:31 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-26 22:51 . 2009-02-26 22:51 <DIR> d-------- c:\program files\XoftSpySE
2009-02-26 16:57 . 2009-02-26 16:57 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-26 16:57 . 2009-02-26 16:57 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-26 16:45 . 2009-02-26 16:46 <DIR> d-------- c:\program files\Norton Security Scan
2009-02-26 09:53 . 2009-03-01 17:38 <DIR> d--hs---- c:\documents and settings\User1\Temporary Internet Files
2009-02-23 15:39 . 2009-02-23 15:39 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-23 15:39 . 2009-02-23 15:39 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 09:23 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-02 09:21 --------- d-----w c:\program files\Google
2009-03-02 09:14 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-02 09:11 --------- d-----w c:\documents and settings\User1\Application Data\Symantec
2009-02-26 16:57 --------- d-----w c:\program files\Java
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"InstantTray"="c:\program files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe" [2003-10-22 746496]
"IW_Drop_Icon"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2003-11-19 1134080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-14 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-24 327680]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-06 90112]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-20 98304]
"Camera Detector"="c:\progra~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE" [2003-06-17 208896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-07 180269]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-26 148888]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 c:\windows\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-06 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\User2\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-09-12 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\QLink 1.0\devmonit.exe [2006-03-26 45056]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-08-19 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-08-01 29239]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-04 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2003-08-27 187392]
R2 BCDCNDIS;Belkin Direct Connect Network Adapter;c:\windows\system32\drivers\BCDCNDIS.SYS [2000-08-08 14054]
R2 DFBatchSvc;DataFlux Batch Scheduler;c:\progra~1\DataFlux\DFPOWE~1\7.1\bin\DFBATC~1.EXE [2007-07-09 86016]
R2 GtDetectSc;GtDetectSc;c:\program files\Orange\ICON 225 USB Connect\GtDetectSc.exe [2007-12-18 196704]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2002-12-13 64000]
R3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2007-11-13 106112]
R3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2008-11-19 59264]
R3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-03-30 8064]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [2003-09-09 26240]
S3 BCDCLINK;Belkin USB Direct Connect;c:\windows\system32\drivers\BCDCLINK.SYS [2004-04-10 14279]
S3 Dz3s2kxp;Dz3s2kxp;c:\windows\system32\drivers\Dz3s2kxp.sys [2004-08-19 10496]
S3 Dz3u2kxp;Dz3u2kxp;c:\windows\system32\drivers\Dz3u2kxp.sys [2004-08-19 11264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{042ed220-81f2-11d9-9d80-00500c00ffaa}]
\Shell\access\command - g:\.\sgportable\SGPortable.exe
\Shell\AutoRun\command - g:\.\sgportable\SGPortable.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62175a32-adcc-11dd-9f8f-000cf11012f7}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62175a35-adcc-11dd-9f8f-000cf11012f7}]
\Shell\AutoRun\command - G:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-23 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - User1.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe []

2009-02-26 c:\windows\Tasks\Norton Security Scan for User1.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MobileConnect.EXE - c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.EXE


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://gb8l.hpwis.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 09:50:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

c:\windows\explorer.exe [1668] 0x828ADBC0

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe???????????????|?????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-02 9:53:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-02 09:53:36

Pre-Run: 9,999,642,624 bytes free
Post-Run: 10,105,991,168 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

162 --- E O F --- 2009-02-26 00:06:55
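The registry dump in the log above shows Security Center notifications and monitoring switched off, the Windows Firewall disabled for the standard profile, and AutoRun handlers registered for a removable drive. The following Python script is an added example for this thread (not ComboFix or Malwarebytes code): it parses the REGEDIT4-style 'Reg Loading Points' section of a ComboFix log and reports those weakened settings, using sample input constructed from lines of the log posted above.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for weakened defences.

Added example for this thread (not ComboFix or Malwarebytes code). It reads the
REGEDIT4-style dump that ComboFix prints and reports Security Center / firewall
settings that are switched off, plus AutoRun-style handlers registered for
removable drives under mountpoints2.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: relevant lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{042ed220-81f2-11d9-9d80-00500c00ffaa}]
\Shell\access\command - g:\.\sgportable\SGPortable.exe
\Shell\AutoRun\command - g:\.\sgportable\SGPortable.exe
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
HANDLER_RE = re.compile(r'^\\Shell\\(\w+)\\command\s+-\s+(.+)$', re.IGNORECASE)

# (substring of the key path, value name, value that indicates a problem, description)
RULES = [
    ('security center', 'AntiVirusDisableNotify', 1,
     'Security Center "no antivirus" warnings suppressed'),
    ('security center\\monitoring', 'DisableMonitoring', 1,
     'Security Center product monitoring disabled'),
    ('firewallpolicy\\standardprofile', 'EnableFirewall', 0,
     'Windows Firewall disabled for the standard profile'),
]


def parse_reg_section(text: str) -> Tuple[Dict[str, Dict[str, str]], List[Tuple[str, str, str]]]:
    """Return {key: {value_name: raw_value}} and a list of (key, verb, command) handlers."""
    keys: Dict[str, Dict[str, str]] = {}
    handlers: List[Tuple[str, str, str]] = []
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue  # header lines (e.g. REGEDIT4) before the first key
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2).strip()
            continue
        m = HANDLER_RE.match(line)
        if m and 'mountpoints2' in current.lower():
            handlers.append((current, m.group(1), m.group(2)))
    return keys, handlers


def to_int(raw: str) -> Optional[int]:
    """Decode the two integer spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    m = re.match(r'^(\d+)', raw)
    return int(m.group(1)) if m else None


def audit(text: str) -> List[str]:
    """List every setting that matches a RULES entry and every mountpoints2 handler."""
    keys, handlers = parse_reg_section(text)
    findings: List[str] = []
    for key, values in keys.items():
        lowered = key.lower()
        for fragment, name, bad_value, description in RULES:
            if fragment in lowered and name in values and to_int(values[name]) == bad_value:
                findings.append(f'{description}: [{key}] {name}={values[name]}')
    for key, verb, command in handlers:
        findings.append(f'Removable-drive {verb} handler runs {command} ({key})')
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Running it against a full ComboFix.txt (`audit(open(path).read())`) works the same way, since lines outside the registry dump never match the key or value patterns.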
AdvancedSetup
Okay please update MBAM and run another Quick Scan and post back that log.

Then run this tool.

Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
MrAngry
Here are the results of the Quick Scan. I'll run the dds and post when complete.

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 2

02/03/2009 13:16:59
mbam-log-2009-03-02 (13-16-59).txt

Scan type: Quick Scan
Objects scanned: 85931
Time elapsed: 1 hour(s), 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
MrAngry
Here's the dds.txt report and Attach.zip.

I really appreciate your help. Many thanks.

DDS (Ver_09-02-01.01) - NTFSx86
Run by User1 at 13:51:37.76 on 02/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.298 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\DataFlux\DFPOWE~1\7.1\bin\DFBATC~1.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Orange\ICON 225 USB Connect\GtDetectSc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QLink 1.0\devmonit.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://gb8l.hpwis.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [InstantTray] c:\program files\pinnacle\shared files\instantcddvd\PCLETray.exe
uRun: [IW_Drop_Icon] c:\program files\pinnacle\instantcddvd\instantwrite\iwctrl.exe /DropDisc
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Camera Detector] c:\progra~1\acdsys~1\devdet~1\DEVDET~1.EXE -autorun
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\qlink 1.0\devmonit.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

============= SERVICES / DRIVERS ===============

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-8-1 29239]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-4 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2003-8-27 187392]
R2 BCDCNDIS;Belkin Direct Connect Network Adapter;c:\windows\system32\drivers\BCDCNDIS.SYS [2000-8-8 14054]
R2 DFBatchSvc;DataFlux Batch Scheduler;c:\progra~1\dataflux\dfpowe~1\7.1\bin\DFBATC~1.EXE [2007-7-9 86016]
R2 GtDetectSc;GtDetectSc;c:\program files\orange\icon 225 usb connect\GtDetectSc.exe [2007-12-18 196704]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2002-12-13 64000]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [2003-9-9 26240]
S3 BCDCLINK;Belkin USB Direct Connect;c:\windows\system32\drivers\BCDCLINK.SYS [2004-4-10 14279]
S3 Dz3s2kxp;Dz3s2kxp;c:\windows\system32\drivers\Dz3s2kxp.sys [2004-8-19 10496]
S3 Dz3u2kxp;Dz3u2kxp;c:\windows\system32\drivers\Dz3u2kxp.sys [2004-8-19 11264]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2007-11-13 106112]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2008-11-19 59264]
S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-3-30 8064]

=============== Created Last 30 ================

2009-03-02 09:44 <DIR> a-dshr-- C:\cmdcons
2009-03-02 09:42 161,792 a------- c:\windows\SWREG.exe
2009-03-02 09:42 98,816 a------- c:\windows\sed.exe
2009-03-02 09:42 <DIR> --d----- C:\ComboFix
2009-03-02 09:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-02-28 14:00 <DIR> --d----- c:\docume~1\user1~1\applic~1\Malwarebytes
2009-02-28 13:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-28 13:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 13:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 13:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-26 22:51 <DIR> --d----- c:\program files\XoftSpySE
2009-02-26 16:57 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-26 16:57 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-26 16:45 <DIR> --d----- c:\program files\Norton Security Scan
2009-02-26 09:53 <DIR> --dsh--- c:\documents and settings\user1\Temporary Internet Files
2009-02-23 15:39 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-23 15:39 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 11:57 333,184 a------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 13:52:08.25 ===============

AdvancedSetup
The attached log file was either edited or did not complete properly. Regardless, how is the computer running now?
Are there still any signs of infection?
MrAngry
You are correct, I amended the user name as I did not want it on the web, but that is all. I'm sorry but I did not think this would make a material difference to the output. Would you like me to run dss again and email the files to you? The machine seems to be OK but to be honest I have been reluctant to use it in earnest before I know whether it is clean. First thing I want to do is load my new Internet Security software before I start using the internet again. Do you think it's OK to load this now and start using the web again? The logs looked pretty clean to me but I'm not the expert!

I'm sorry if I screwed the log files, but thank you once again for all your assistance. Please let me know what you would like me to do next.
AdvancedSetup
It wasn't the username, it was the list of applications that was removed; at this point, though, it's not an issue.

Yes, the logs look good now. Let's do a little clean up and then you can install your new Security package, but remember you cannot have more than one Anti-Virus application installed at the same time, as they can conflict with each other.



Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP 1
Uninstall ComboFix.exe
  • Click START then RUN
  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe


STEP 2
Uninstall GMER
Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.


STEP 3
Uninstall other tools
Please Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe to run it.
  • While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.
    NOW please reboot your computer to finish the cleanup process




If needed: Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer



Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?


At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use SpyWare Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
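The hpHosts recommendation above relies on one mechanism: the hosts file is consulted before DNS, so mapping a name to 127.0.0.1 (or 0.0.0.0) sinkholes it. The same mechanism is also what a redirector abuses when it points update or anti-virus domains somewhere else, which is why a responder should read the file in both directions. The following is an added example (not code from this thread, from hpHosts or from Malwarebytes) that parses a hosts file, answers "where would this name resolve?", and separates blocklist-style sinkholes from entries that override a set of domains one expects to stay reachable. The sample hosts content and the PROTECTED_DOMAINS list are constructed for the example and are not authoritative.

```python
"""Parse a Windows hosts file and classify its entries.

Added example for the hpHosts discussion; not the forum's or hpHosts' own code.
- Blocklist behaviour: a listed domain is mapped to 127.0.0.1 or 0.0.0.0, so the
  browser talks to the local machine instead of the ad/tracking/malware site.
- Reverse check: entries that point domains one expects to stay reachable
  (update servers, AV vendors) at loopback or at a foreign address.
SAMPLE_HOSTS and PROTECTED_DOMAINS are constructed for this example.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: lines 2-4 look like a blocklist, the last two look like
# a hijack of vendor/update domains (one sinkholed, one pointed at a foreign host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.net
0.0.0.0         malware.example.org   # blocklist style
127.0.0.1       www.microsoft.com
10.11.12.13     update.microsoft.com  symantec.com
"""

# Hypothetical list of domains a responder expects to be reachable.
PROTECTED_DOMAINS = {
    "www.microsoft.com", "update.microsoft.com", "windowsupdate.microsoft.com",
    "symantec.com", "www.symantec.com", "malwarebytes.org", "www.malwarebytes.org",
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs in file order; comments, blanks and malformed lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                                  # not an address: ignore the line
        for name in names:                            # one IP may carry several names
            entries.append((ip, name.lower()))
    return entries


def is_sinkhole(ip: str) -> bool:
    """Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) addresses neutralise a name."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def lookup(entries: List[Tuple[str, str]], hostname: str) -> Optional[str]:
    """Simplified resolver: first matching hosts entry wins; None means fall through to DNS."""
    wanted = hostname.lower()
    for ip, name in entries:
        if name == wanted:
            return ip
    return None


def classify(entries: List[Tuple[str, str]]):
    """Split entries into blocklist sinkholes and suspicious overrides of protected domains."""
    blocked, hijacked = [], []
    for ip, name in entries:
        if name == "localhost":
            continue                                  # the one loopback entry that belongs there
        if name in PROTECTED_DOMAINS:
            hijacked.append((ip, name))               # any override of these is suspicious
        elif is_sinkhole(ip):
            blocked.append((ip, name))                # ordinary blocklist entry
    return blocked, hijacked


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    blocked_names, hijacked_names = classify(parsed)
    print("sinkholed (blocklist):", blocked_names)
    print("suspicious overrides :", hijacked_names)
    print("ads.example-tracker.net ->", lookup(parsed, "ads.example-tracker.net"))
```

On Windows XP the live file is %SystemRoot%\system32\drivers\etc\hosts; read it with `parse_hosts(open(path).read())`. Two practical notes: hpHosts maps names to 127.0.0.1, so if anything listens on local port 80 the blocked requests land there (0.0.0.0 avoids that), and because hosts entries win over DNS, a short list of vendor domains checked with `classify` is a quick way to tell whether "cannot reach Norton or Microsoft" is a hosts-file override rather than a network problem.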
MrAngry
Thanks very much for your time and brilliant service, I really don't know how I would have managed to sort this out without you - probably would have had to reinstall XP and start life again!

The problem for me is that I do not have a fast 'copper' broadband connection and up until recently I have had to rely on dial-up, which is rubbish when you need to be downloading Windows and Anti-Virus updates on a regular basis. For example, it takes 1 hour to download 16 MB. So I recently purchased a USB mobile broadband device which is far better and will help me get all my updates in a reasonable time. However, perhaps it is this faster speed that also allowed these viruses in? Who knows? I'll be looking at all your recommendations and I'll certainly act on them.

Once again, thank you so much for all your help.
AdvancedSetup
You're quite Welcome. Take care and stay safe out there.
Invision Power Board © 2001-2010 Invision Power Services, Inc.