
Registered · 40 Posts · Discussion Starter #1
Hello,
I've been having issues with my computer for a while. It started out with a virus that "scanned" my computer for an infection, and of course my wife hits "OK". I had thought I cleaned that up, then I had the "The FBI has locked your computer" for whatever reason, and I had cleaned that up as well (I thought). I have Malwarebytes PRO, and recently Norton 360 installed, and I have not had any new findings on those, but now my computer cannot create shortcuts. The shortcuts are created, but they are not linked to the target. I have given up on trying anything, as it appears I'm not solving any problems. Sorry for making problems worse if I have. Thank you for any help.
Andy


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6000.16945
Run by Andy at 12:31:43 on 2012-12-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1010 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\20.2.0.19\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\20.2.0.19\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\20.2.0.19\ips\IPSBHO.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: ShopAtHomeIEHelper Class: {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: ShopAtHome Toolbar: {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\20.2.0.19\CoIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_3_300_265_Plugin.exe -update plugin
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [wipobc] "c:\windows\system32\rundll32.exe" "c:\documents and settings\andy\application data\wipobc.dll",WriteClassDefinition
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.200.1
TCP: Interfaces\{9250FC3D-526F-4BD8-93C6-3B08B1F91E47} : DHCPNameServer = 192.168.200.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1402000.013\SymDS.sys [2012-12-17 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1402000.013\SymEFA.sys [2012-12-17 927904]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.2.0.19\definitions\bashdefs\20121130.005\BHDrvx86.sys [2012-11-29 995488]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\1402000.013\ccSetx86.sys [2012-12-17 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1402000.013\Ironx86.sys [2012-12-17 175264]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-13 399432]
R2 N360;Norton 360;c:\program files\norton 360\engine\20.2.0.19\ccSvcHst.exe [2012-12-17 143928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-12-17 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.2.0.19\definitions\ipsdefs\20121225.001\IDSXpx86.sys [2012-12-26 373728]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.2.0.19\definitions\virusdefs\20121225.022\NAVENG.SYS [2012-12-26 92704]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.2.0.19\definitions\virusdefs\20121225.022\NAVEX15.SYS [2012-12-26 1601184]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-24 676936]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-24 22856]
.
=============== Created Last 30 ================
.
2012-12-26 14:01:26 -------- d-----w- c:\windows\F1A6A09F5FF34648B293CDF044348A24.TMP
2012-12-21 19:05:58 -------- d-----w- c:\documents and settings\andy.andy_new\application data\Malwarebytes
2012-12-20 03:30:27 -------- d-----w- c:\documents and settings\andy.andy_new\local settings\application data\{CA3D0BB9-D46C-11E1-8270-B8AC6F996F26}
2012-12-19 04:40:32 -------- d-----w- c:\windows\system32\N360_BACKUP
2012-12-19 04:14:02 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-19 03:05:56 -------- d-----w- c:\documents and settings\andy.andy_new\local settings\application data\Mozilla
2012-12-17 21:39:55 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-12-17 21:38:50 -------- d-----w- c:\program files\NortonInstaller
2012-12-16 04:28:01 -------- d-----w- c:\program files\common files\Symantec Shared
2012-12-16 04:27:11 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2012-12-16 04:22:39 -------- d-----w- c:\documents and settings\all users\application data\Norton
.
==================== Find3M ====================
.
2012-10-09 01:00:02 586400 ----a-r- c:\windows\system32\drivers\n360\1402000.013\srtsp.sys
2012-10-04 01:40:35 927904 ----a-r- c:\windows\system32\drivers\n360\1402000.013\SymEFA.sys
2012-10-04 01:40:20 368288 ----a-r- c:\windows\system32\drivers\n360\1402000.013\SymDS.sys
2012-10-04 01:19:14 134304 ----a-r- c:\windows\system32\drivers\n360\1402000.013\ccSetx86.sys
2012-09-29 23:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 12:32:28.94 ===============
 

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal. For some infections, it may do this multiple times.
  • When the tool is finished, it will produce a log for you.
Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
 

Registered · 40 Posts
Everything seemed to go smooth. Thanks and let me know what to do from here.

ComboFix 12-12-27.03 - Andy 12/27/2012 22:45:46.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.862 [GMT -5:00]
Running from: c:\documents and settings\Andy.ANDY_NEW\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Andy2\My Documents\~WRL0481.tmp
c:\documents and settings\Andy2\My Documents\~WRL1015.tmp
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome.manifest
c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebates.ini
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\program files\SelectRebates\Toolbar\AddtoList.bmp
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\CashBack.bmp
c:\program files\SelectRebates\Toolbar\Coupons.bmp
c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\ImageCache\alert-red.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\Scissors.bmp
c:\program files\SelectRebates\Toolbar\ShOPathometoolbar.dll
c:\windows\Installer\{ba76f9ac-eea7-2102-3459-2fb5fc6c8063}\@
c:\windows\Installer\{ba76f9ac-eea7-2102-3459-2fb5fc6c8063}\L\[email protected]
c:\windows\Installer\{ba76f9ac-eea7-2102-3459-2fb5fc6c8063}\L\201d3dde
c:\windows\Installer\{ba76f9ac-eea7-2102-3459-2fb5fc6c8063}\U\[email protected]
c:\windows\system32\SET64.tmp
c:\windows\system32\SET68.tmp
c:\windows\system32\SET70.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-28 )))))))))))))))))))))))))))))))
.
.
2012-12-26 14:01 . 2012-12-26 14:01 -------- d-----w- c:\windows\F1A6A09F5FF34648B293CDF044348A24.TMP
2012-12-19 04:40 . 2012-12-19 04:40 -------- d-----w- c:\windows\system32\N360_BACKUP
2012-12-19 04:14 . 2012-12-19 04:14 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-19 03:04 . 2012-12-19 03:04 -------- d-----w- c:\documents and settings\Andy.ANDY_NEW
2012-12-17 21:50 . 2012-12-17 21:50 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2012-12-17 21:39 . 2012-12-17 21:39 -------- d-----w- c:\program files\Symantec
2012-12-17 21:39 . 2012-12-17 21:39 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-12-17 21:39 . 2012-12-17 21:39 -------- d-----w- c:\windows\system32\drivers\N360
2012-12-17 21:39 . 2012-12-17 21:39 -------- d-----w- c:\program files\Norton 360
2012-12-17 21:38 . 2012-12-17 21:38 -------- d-----w- c:\program files\NortonInstaller
2012-12-16 17:54 . 2012-12-16 17:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-12-16 04:28 . 2012-12-17 21:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-12-16 04:22 . 2012-12-17 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-29 23:54 . 2010-10-24 05:36 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-14 00:17 . 2012-07-26 20:39 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-18 442470]
"wipobc"="c:\documents and settings\Andy\Application Data\wipobc.dll" [2012-07-23 446976]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-09-28 298376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1402000.013\SymDS.sys [12/17/2012 4:39 PM 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1402000.013\SymEFA.sys [12/17/2012 4:39 PM 927904]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\BASHDefs\20121130.005\BHDrvx86.sys [11/29/2012 6:13 PM 995488]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\1402000.013\ccSetx86.sys [12/17/2012 4:39 PM 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1402000.013\Ironx86.sys [12/17/2012 4:39 PM 175264]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/13/2012 7:23 PM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/24/2010 12:36 AM 676936]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\20.2.0.19\ccSvcHst.exe [12/17/2012 4:39 PM 143928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/17/2012 4:40 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\IPSDefs\20121227.001\IDSXpx86.sys [12/27/2012 8:55 PM 373728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/24/2010 12:36 AM 22856]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-19 21:41]
.
2012-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:29]
.
2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:29]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.200.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-67766650.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-12-27 22:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\20.2.0.19\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2012-12-27 22:54:26
ComboFix-quarantined-files.txt 2012-12-28 03:54
.
Pre-Run: 149,925,801,984 bytes free
Post-Run: 150,937,329,664 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - C624A1F23D9AD31E45C1F2E2A1DAD797
 

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Hello Andy. You're welcome.

No need to attach logs going forward. Just copy/paste them directly into the Reply to Thread window. Thanks.

------------------------------------------------------

CCleaner

We do not recommend the use of registry cleaners, or the registry cleaner features of CCleaner or Norton 360. Our colleague miekiemoes has an excellent writeup here

We advise turning off the registry cleaning feature of Norton 360.

------------------------------------------------------

Please go to: VirusTotal
  • Click the Choose File button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    c:\documents and settings\Andy\Application Data\wipobc.dll

  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analyzed: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
------------------------------------------------------
 

Security Team, Moderator, Analyst, Rangemaster · 29,790 Posts
Hello again, Andy.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/forums/f50/cannot-create-shortcuts-681076.html#post4001262

Collect::
c:\documents and settings\Andy\Application Data\wipobc.dll

ClearJavaCache::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

Driver::
Lavasoft Kernexplorer
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
------------------------------------------------------
 

Registered · 40 Posts · Discussion Starter #7
ComboFix 12-12-28.02 - Andy 12/28/2012 13:33:07.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1227 [GMT -5:00]
Running from: c:\documents and settings\Andy.ANDY_NEW\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andy.ANDY_NEW\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
file zipped: c:\documents and settings\Andy\Application Data\wipobc.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_LAVASOFT_KERNEXPLORER
-------\Service_Lavasoft Kernexplorer
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-28 )))))))))))))))))))))))))))))))
.
.
2012-12-28 13:42 . 2012-12-28 13:42 -------- d-----w- c:\windows\LastGood.Tmp
2012-12-26 14:01 . 2012-12-26 14:01 -------- d-----w- c:\windows\F1A6A09F5FF34648B293CDF044348A24.TMP
2012-12-19 04:40 . 2012-12-19 04:40 -------- d-----w- c:\windows\system32\N360_BACKUP
2012-12-19 04:14 . 2012-12-19 04:14 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-19 03:04 . 2012-12-19 03:04 -------- d-----w- c:\documents and settings\Andy.ANDY_NEW
2012-12-17 21:50 . 2012-12-17 21:50 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2012-12-17 21:39 . 2012-12-17 21:39 -------- d-----w- c:\program files\Symantec
2012-12-17 21:39 . 2012-12-17 21:39 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-12-17 21:39 . 2012-12-17 21:39 -------- d-----w- c:\windows\system32\drivers\N360
2012-12-17 21:39 . 2012-12-17 21:39 -------- d-----w- c:\program files\Norton 360
2012-12-17 21:38 . 2012-12-17 21:38 -------- d-----w- c:\program files\NortonInstaller
2012-12-16 17:54 . 2012-12-16 17:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-12-16 04:28 . 2012-12-17 21:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-12-16 04:22 . 2012-12-17 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-29 23:54 . 2010-10-24 05:36 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-14 00:17 . 2012-07-26 20:39 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-18 442470]
"wipobc"="c:\documents and settings\Andy\Application Data\wipobc.dll" [2012-07-23 446976]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-09-28 298376]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1402000.013\SymDS.sys [12/17/2012 4:39 PM 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1402000.013\SymEFA.sys [12/17/2012 4:39 PM 927904]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\BASHDefs\20121130.005\BHDrvx86.sys [11/29/2012 6:13 PM 995488]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\1402000.013\ccSetx86.sys [12/17/2012 4:39 PM 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1402000.013\Ironx86.sys [12/17/2012 4:39 PM 175264]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/13/2012 7:23 PM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/24/2010 12:36 AM 676936]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\20.2.0.19\ccSvcHst.exe [12/17/2012 4:39 PM 143928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/17/2012 4:40 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\IPSDefs\20121227.001\IDSXpx86.sys [12/27/2012 8:55 PM 373728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/24/2010 12:36 AM 22856]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-19 21:41]
.
2012-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:29]
.
2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:29]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.200.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-12-28 13:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\20.2.0.19\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2876)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-12-28 13:46:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-28 18:46
ComboFix2.txt 2012-12-28 03:54
.
Pre-Run: 150,269,005,824 bytes free
Post-Run: 150,347,411,456 bytes free
.
- - End Of File - - CB5B097A1FE0093816F8D1920B7839CA
Upload was successful
 

Security Team, Moderator, Analyst, Rangemaster
Hello again, Andy. Thanks for submitting the file.

For some reason that file was submitted, but not deleted. Not sure why. We'll have to run ComboFix again.

------------------------------------------------------

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
Rootkit::
c:\documents and settings\Andy\Application Data\wipobc.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wipobc"=-
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
 

Discussion Starter #9
I do have a RUNDLL error; I left it open. It reads: Error in C:\documents and settings\andy\application data\wipobc.dll. Missing entry: WriteClassDefinition. Should I still proceed with the ComboFix?
 

Security Team, Moderator, Analyst, Rangemaster
Close the error box then proceed with the ComboFix instructions.
 

Discussion Starter #11
ComboFix 12-12-28.02 - Andy 12/28/2012 14:58:40.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1401 [GMT -5:00]
Running from: c:\documents and settings\Andy.ANDY_NEW\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andy.ANDY_NEW\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-28 )))))))))))))))))))))))))))))))
.
.
2012-12-28 20:15 . 2012-12-28 20:15 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-12-26 14:01 . 2012-12-26 14:01 -------- d-----w- c:\windows\F1A6A09F5FF34648B293CDF044348A24.TMP
2012-12-19 04:40 . 2012-12-19 04:40 -------- d-----w- c:\windows\system32\N360_BACKUP
2012-12-19 04:14 . 2012-12-19 04:14 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-19 03:04 . 2012-12-28 20:04 -------- d-----w- c:\documents and settings\Andy.ANDY_NEW
2012-12-17 21:50 . 2012-12-17 21:50 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2012-12-17 21:39 . 2012-12-17 21:39 -------- d-----w- c:\program files\Symantec
2012-12-17 21:39 . 2012-12-17 21:39 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-12-17 21:39 . 2012-12-17 21:39 -------- d-----w- c:\windows\system32\drivers\N360
2012-12-17 21:39 . 2012-12-17 21:39 -------- d-----w- c:\program files\Norton 360
2012-12-17 21:38 . 2012-12-17 21:38 -------- d-----w- c:\program files\NortonInstaller
2012-12-16 17:54 . 2012-12-16 17:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-12-16 04:28 . 2012-12-17 21:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-12-16 04:22 . 2012-12-17 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-29 23:54 . 2010-10-24 05:36 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-14 00:17 . 2012-07-26 20:39 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-18 442470]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-09-28 298376]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1402000.013\SymDS.sys [12/17/2012 4:39 PM 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1402000.013\SymEFA.sys [12/17/2012 4:39 PM 927904]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\BASHDefs\20121130.005\BHDrvx86.sys [11/29/2012 6:13 PM 995488]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\1402000.013\ccSetx86.sys [12/17/2012 4:39 PM 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1402000.013\Ironx86.sys [12/17/2012 4:39 PM 175264]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/13/2012 7:23 PM 399432]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\20.2.0.19\ccSvcHst.exe [12/17/2012 4:39 PM 143928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/17/2012 4:40 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\IPSDefs\20121227.001\IDSXpx86.sys [12/27/2012 8:55 PM 373728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/24/2010 12:36 AM 676936]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/24/2010 12:36 AM 22856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-19 21:41]
.
2012-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:29]
.
2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:29]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.200.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-12-28 15:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\20.2.0.19\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-12-28 15:18:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-28 20:18
ComboFix2.txt 2012-12-28 19:00
ComboFix3.txt 2012-12-28 03:54
.
Pre-Run: 150,446,288,896 bytes free
Post-Run: 150,433,607,680 bytes free
.
- - End Of File - - 414DC1A9DF7847E1D23E66EC0C4DE37B
 

Security Team, Moderator, Analyst, Rangemaster
Hello again, Andy. The file is gone now. Please tell us how your system is behaving. Still have the shortcut problem?

------------------------------------------------------
  • Launch Malwarebytes' Anti-Malware
  • Under the Update tab, click Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
 

Discussion Starter #13
I'm having issues.
My computer was noticeably slower on the restart, which I can deal with. The problem I had came when I went to open Malware Bytes. It asked to update, and I hit OK, and now it's giving me an error message and I can't do anything with it.

Run-time error '372':
Failed to load control "WebBrowser" from ieframe.dll. Your version of ieframe.dll may be outdated. Make sure you are using the version of the control that was provided with your application.

I realized at this time that IE was removed from my system. I went to microsoft.com and tried to reinstall IE7, but it did not install (it froze on downloading updates... I let it go for about 20 minutes).
I don't know what to do from here, so I will await instruction. Sorry if I messed something up.
 

Security Team, Moderator, Analyst, Rangemaster
Hello again, Andy. Sorry you are having troubles.

My computer was noticeably slower on the restart
Not unusual after malware removal, but it usually improves.

I realized at this time that IE was removed from my system
What makes you think IE was removed? Is it still listed in Add or Remove Programs?

What happens if you go Start > Run and type iexplore.exe then Enter?

------------------------------------------------------
 

Discussion Starter #15
It is not listed on my Add/Remove Programs. I uninstalled IE more than 6 months ago because I did not like it (and I didn't want my wife using it). When I hit iexplore.exe, IE does open, and it opens a blank screen with MyStart by Incredibar as the tab header. I also now see Incredibar for IE listed on my Add or Remove Programs list. I am positive this was not there a few days ago.
The computer booted up fine this morning. The shortcuts work, but they don't have any icons attached to them.
 

Security Team, Moderator, Analyst, Rangemaster
Hello again, Andy. Uninstall Incredibar for IE.

You need IE in order to receive Windows Updates. Have you tried installing IE7 or IE8 again?

Windows Internet Explorer 7 was listed as installed in your second dds log, Attach.txt, that you attached to your original post.

Please run dds again and post/attach the logs as before.

------------------------------------------------------
 

Discussion Starter #17
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6000.17115
Run by Andy at 14:46:59 on 2012-12-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.965 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\IB Updater\ExtensionUpdaterService.exe
C:\WINDOWS\system32\dmwu.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\20.2.0.19\ccSvcHst.exe
C:\Program Files\Norton 360\Engine\20.2.0.19\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\IE8-WindowsXP-x86-ENU.exe
c:\3c972d36b8c89fa2332db5c180\update\iesetup.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mystart.incredibar.com/mb185?a=6R8PEvsVsp&i=26
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Deal Vault: {11111111-1111-1111-1111-110111981166} - c:\program files\deal vault\Deal Vault.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IB Updater: {336D0C35-8A85-403a-B9D2-65C292C39087} - c:\program files\ib updater\Extension32.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\20.2.0.19\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\20.2.0.19\ips\IPSBHO.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\20.2.0.19\CoIEPlg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\20.2.0.19\CoIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.200.1
TCP: Interfaces\{9250FC3D-526F-4BD8-93C6-3B08B1F91E47} : DHCPNameServer = 192.168.200.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1402000.013\SymDS.sys [2012-12-17 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1402000.013\SymEFA.sys [2012-12-17 927904]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.2.0.19\definitions\bashdefs\20121130.005\BHDrvx86.sys [2012-11-29 995488]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\1402000.013\ccSetx86.sys [2012-12-17 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1402000.013\Ironx86.sys [2012-12-17 175264]
R2 IB Updater;IB Updater;c:\program files\ib updater\ExtensionUpdaterService.exe [2012-12-28 188760]
R2 IBUpdaterService;IBUpdaterService;c:\windows\system32\dmwu.exe [2012-12-28 1008496]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-13 398184]
R2 N360;Norton 360;c:\program files\norton 360\engine\20.2.0.19\ccSvcHst.exe [2012-12-17 143928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-12-17 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.2.0.19\definitions\ipsdefs\20121228.001\IDSXpx86.sys [2012-12-29 373728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-24 21104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-12-28 40776]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.2.0.19\definitions\virusdefs\20121228.023\NAVENG.SYS [2012-12-29 92704]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.2.0.19\definitions\virusdefs\20121228.023\NAVEX15.SYS [2012-12-29 1601184]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-24 682344]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
.
=============== Created Last 30 ================
.
2012-12-29 17:38:34 -------- d-----w- C:\3c972d36b8c89fa2332db5c180
2012-12-29 10:07:55 -------- d-----w- C:\c7205820ce448ae362643d8d77dbba55
2012-12-29 10:02:01 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2012-12-29 02:24:14 -------- d-----w- C:\a7728a5c22a163506d91b98ee2038c42
2012-12-29 02:17:58 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-12-28 23:21:10 632656 ----a-w- c:\windows\system32\msvcr80.dll
2012-12-28 23:21:10 554832 ----a-w- c:\windows\system32\msvcp80.dll
2012-12-28 23:21:10 479232 ----a-w- c:\windows\system32\msvcm80.dll
2012-12-28 23:21:10 28160 ----a-w- c:\windows\system32\ImHttpComm.dll
2012-12-28 23:21:10 1008496 ----a-w- c:\windows\system32\dmwu.exe
2012-12-28 23:21:10 -------- d-----w- c:\windows\system32\ARFC
2012-12-28 23:21:07 -------- d-----w- c:\windows\system32\WNLT
2012-12-28 23:21:01 -------- d-----w- c:\program files\IB Updater
2012-12-28 23:20:47 -------- d-----w- c:\documents and settings\andy.andy_new\local settings\application data\Google
2012-12-28 23:20:46 -------- d-----w- c:\documents and settings\andy.andy_new\local settings\application data\Deal Vault
2012-12-28 23:20:43 -------- d-----w- c:\program files\Deal Vault
2012-12-28 03:38:47 -------- d-sha-r- C:\cmdcons
2012-12-28 03:36:43 98816 ----a-w- c:\windows\sed.exe
2012-12-28 03:36:43 256000 ----a-w- c:\windows\PEV.exe
2012-12-28 03:36:43 208896 ----a-w- c:\windows\MBR.exe
2012-12-26 20:18:07 -------- d-----w- c:\documents and settings\andy.andy_new\application data\My Games
2012-12-26 14:01:26 -------- d-----w- c:\windows\F1A6A09F5FF34648B293CDF044348A24.TMP
2012-12-21 19:05:58 -------- d-----w- c:\documents and settings\andy.andy_new\application data\Malwarebytes
2012-12-20 03:30:27 -------- d-----w- c:\documents and settings\andy.andy_new\local settings\application data\{CA3D0BB9-D46C-11E1-8270-B8AC6F996F26}
2012-12-19 04:40:32 -------- d-----w- c:\windows\system32\N360_BACKUP
2012-12-19 04:14:02 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-19 03:05:56 -------- d-----w- c:\documents and settings\andy.andy_new\local settings\application data\Mozilla
2012-12-17 21:39:55 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-12-17 21:38:50 -------- d-----w- c:\program files\NortonInstaller
2012-12-16 04:28:01 -------- d-----w- c:\program files\common files\Symantec Shared
2012-12-16 04:27:11 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2012-12-16 04:22:39 -------- d-----w- c:\documents and settings\all users\application data\Norton
.
==================== Find3M ====================
.
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 21:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 03:30:04 832512 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 03:30:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-11-01 03:30:04 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 03:30:04 17408 ----a-w- c:\windows\system32\corpol.dll
2012-11-01 00:35:32 389120 ----a-w- c:\windows\system32\html.iec
2012-10-09 01:00:02 586400 ----a-r- c:\windows\system32\drivers\n360\1402000.013\srtsp.sys
2012-10-04 01:40:35 927904 ----a-r- c:\windows\system32\drivers\n360\1402000.013\SymEFA.sys
2012-10-04 01:40:20 368288 ----a-r- c:\windows\system32\drivers\n360\1402000.013\SymDS.sys
2012-10-04 01:19:14 134304 ----a-r- c:\windows\system32\drivers\n360\1402000.013\ccSetx86.sys
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
.
============= FINISH: 14:47:42.89 ===============
 

Security Team, Moderator, Analyst, Rangemaster
Hello again, Andy. Did you have any trouble uninstalling Incredibar?

------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

Deal Vault << Please read this

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110111981166}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome"
Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:


Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c rd /s/q "c:\program files\deal vault"

A DOS window will open and close again; this is normal.

Repeat for the following:

cmd /c rd /s/q "c:\documents and settings\andy.andy_new\local settings\application data\Deal Vault"

------------------------------------------------------

Are you still getting the ieframe.dll error message when updating MBAM?

If so, you could try upgrading to IE8, which will update your ieframe.dll file:

Download Windows Internet Explorer 8 for Windows XP from Official Microsoft Download Center

I believe you can choose to not allow the other Windows Updates during the IE8 installation process if you wish.

If you prefer not to upgrade to IE8, or you still get the ieframe.dll error...

Download and run this file > http://downloads.malwarebytes.org/file/mbam_clean

Then re-install and update MBAM and proceed with the rest of the previous instructions in post #12 above.

Let me know if you still have trouble.

------------------------------------------------------
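The fix.reg in this post deletes one Browser Helper Object registration and resets three Start Page values. As an added example (not the helper's tooling and not code from the thread), the following Python script parses a REGEDIT4 file and lists the operations a merge would perform, so a user can review exactly which keys, autorun values and start pages a posted fix touches before double-clicking it. The .reg conventions it relies on are stated in the docstring; the sample text is constructed from the thread's fix.reg plus the "wipobc"=- value deletion used in the earlier CFScript, so that every operation type appears once.

```python
"""Dump the operations a REGEDIT4-style .reg file would perform when merged.

Added example, not part of the thread. .reg conventions used here: a key
header in [brackets] creates the key if it is missing; a leading '-' inside
the brackets deletes the whole key; '@' names the key's default value; a
value whose data is a bare '-' is deleted; string data is quoted, with
backslash and double quote escaped by a backslash.
"""
import re
from dataclasses import dataclass

# Constructed sample: the fix.reg from the thread plus a value deletion line.
SAMPLE_REG = r'''REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110111981166}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wipobc"=-
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# value line: "name"=data  or  @=data   (name may contain escaped \" and \\)
VALUE_RE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


@dataclass
class RegOp:
    action: str          # delete_key | create_key | set_value | delete_value
    key: str
    name: str = ""       # value name, "@" for the default value
    data: str = ""       # string data unescaped; dword:/hex: data kept raw


def unescape(s):
    """Undo .reg escaping: a backslash followed by any char yields that char."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                key = None                     # no values may follow a deletion
                ops.append(RegOp("delete_key", body[1:]))
            else:
                key = body
                ops.append(RegOp("create_key", key))
            continue
        if key is None:
            raise ValueError(f"value line outside a key: {raw!r}")
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError(f"malformed value line: {raw!r}")
        name = "@" if m.group(1) == "@" else unescape(m.group("name"))
        data = m.group("data")
        if data == "-":
            ops.append(RegOp("delete_value", key, name))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            ops.append(RegOp("set_value", key, name, unescape(data[1:-1])))
        else:
            ops.append(RegOp("set_value", key, name, data))   # dword:, hex: ...
    return ops


def describe(op):
    """One human-readable line per operation; destructive ones in capitals."""
    if op.action == "delete_key":
        return f"DELETE KEY   {op.key}"
    if op.action == "create_key":
        return f"ensure key   {op.key}"
    if op.action == "delete_value":
        return f"DELETE VALUE {op.key} -> {op.name}"
    return f"set value    {op.key} -> {op.name} = {op.data}"


def touches_clsid(ops, clsid):
    """True if any operation's key path contains the CLSID (case-insensitive)."""
    c = clsid.lower()
    return any(c in op.key.lower() for op in ops)


if __name__ == "__main__":
    for op in parse_reg(SAMPLE_REG):
        print(describe(op))
```

Running it prints the BHO key deletion, the Start Page reset and the wipobc autorun removal as separate lines; touches_clsid lets a reader confirm that the CLSID shown next to "Deal Vault" in the DDS log is the one the fix removes.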
 

Discussion Starter #20
No problems uninstalling Incredibar.
I got rid of the Deal Vault, and updated the registry.
At that point, I could not run MBAM still. I tried to upgrade to IE8, but had no luck again. I went ahead and did the mbam uninstall, and reinstalled it. I ran a quick scan at that point, but the program was out of date by 90 days. I then tried to update it, but I still ran into the same problem. I went ahead and ran the ESET. Both logs are attached below.

Should I try to uninstall IE and reinstall that?

Malwarebytes Anti-Malware 1.65.1.1000
Malwarebytes : Free anti-malware download

Database version: v2012.09.29.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Andy :: ANDY_NEW [administrator]

12/29/2012 11:26:23 PM
mbam-log-2012-12-29 (23-26-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 246372
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: 2f243c48cb1beadd6658ae2050e48c4c -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Andy2\My Documents\Downloads\7zip_installer_d162802.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.

(end)

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6844
# api_version=3.0.2
# EOSSerial=6e79808f28cae1429db2bcc3bf394a7b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-12-30 09:18:33
# local_time=2012-12-30 04:18:33 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3592 16777213 100 94 93750 107478409 0 0
# scanned=87855
# found=10
# cleaned=0
# scan_time=4722
C:\Documents and Settings\Andy.ANDY_NEW\Local Settings\Application Data\{CA3D0BB9-D46C-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) EDCE2E11469B021506B852946CD1F526920451AE I
C:\Documents and Settings\Andy.ANDY_NEW\Local Settings\temp\DM\malwarebytes-anti-malware_049\software\Dealvault.exe Win32/Toolbar.CrossRider.B application (unable to clean) 05699E466E4DE1D5915D57CEBEDE1DA2097F798B I
C:\Documents and Settings\Andy.ANDY_NEW\Local Settings\temp\DM\malwarebytes-anti-malware_049\software\Incredibar2.exe Win32/OutBrowse.C application (unable to clean) 3FB6D8502ABB22FF0CCF903D10ED0114844AEBA1 I
C:\Documents and Settings\Andy2\Local Settings\Application Data\{CA3D0BB9-D46C-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) EDCE2E11469B021506B852946CD1F526920451AE I
C:\Program Files\Deal Vault\Deal Vault.dll a variant of Win32/Toolbar.CrossRider.A application (unable to clean) A29D0B42F43B13280A28E2C2F2FDBB1C8E702081 I
C:\Program Files\Deal Vault\Uninstall.exe Win32/Toolbar.CrossRider.B application (unable to clean) 6E186AEF43C71F069A31E900395D290270D167DD I
C:\Qoobox\Quarantine\[4]-Submit_2012-12-28_13.32.52.zip a variant of Win32/Medfos.BT trojan (unable to clean) 9C677623419B80B39405CE3694E80C124FA02111 I
C:\System Volume Information\_restore{C1BEACDC-E912-4199-9FB4-9515C6C752F6}\RP1469\A0201460.exe Win32/Toolbar.SearchSuite application (unable to clean) 9759D3F2BE6495CA5EF4F1A9714D11B86777D23B I
C:\System Volume Information\_restore{C1BEACDC-E912-4199-9FB4-9515C6C752F6}\RP1474\A0211699.dll a variant of Win32/Toolbar.CrossRider.A application (unable to clean) A29D0B42F43B13280A28E2C2F2FDBB1C8E702081 I
C:\System Volume Information\_restore{C1BEACDC-E912-4199-9FB4-9515C6C752F6}\RP1474\A0211703.exe Win32/Toolbar.CrossRider.B application (unable to clean) 6E186AEF43C71F069A31E900395D290270D167DD I
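For reading a report like the ESET log above, here is an added Python example (not ESET's tooling and not code from the thread) that parses the '# key=value' header and the finding lines, checks that the '# found=' count agrees with the number of findings, groups findings by SHA1 so the same file seen in several places is recognised as one file, and labels each path by where it sits: a live file, a ComboFix quarantine item (C:\Qoobox), a restore-point copy (System Volume Information) or a temp download. The sample log is constructed from three of the lines above; the location labels are the example's own assumption and serve as a reading aid, not a verdict on any finding.

```python
"""Parse and triage an ESET Online Scanner log (added example, not from the thread).

Format assumed: a banner line, an optional 'all ok', '# key=value' header
lines, then one finding per line:
    <path> <detection name> (<status>) <SHA1> <flag>
Both the path and the detection name contain spaces; the split point is the
detection family token, which always contains a '/' (Win32/..., JS/...).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample built from three finding lines of the thread's report.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=8
# found=3
# cleaned=0
C:\Program Files\Deal Vault\Deal Vault.dll a variant of Win32/Toolbar.CrossRider.A application (unable to clean) A29D0B42F43B13280A28E2C2F2FDBB1C8E702081 I
C:\Qoobox\Quarantine\[4]-Submit_2012-12-28_13.32.52.zip a variant of Win32/Medfos.BT trojan (unable to clean) 9C677623419B80B39405CE3694E80C124FA02111 I
C:\System Volume Information\_restore{C1BEACDC-E912-4199-9FB4-9515C6C752F6}\RP1474\A0211699.dll a variant of Win32/Toolbar.CrossRider.A application (unable to clean) A29D0B42F43B13280A28E2C2F2FDBB1C8E702081 I
"""

FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:(?:probably )?a variant of )?[A-Za-z0-9_.-]+/\S+(?: [^()]+?)?)\s+"
    r"\((?P<status>[^)]*)\)\s+"
    r"(?P<sha1>[0-9A-Fa-f]{40})\s+"
    r"(?P<flag>\S+)$"
)


@dataclass
class Finding:
    path: str
    name: str
    status: str
    sha1: str
    flag: str


def parse_eset_log(text):
    """Return (header dict, list of Finding); banner lines are skipped."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(**m.groupdict()))
    return header, findings


def counts_consistent(header, findings):
    """True when the '# found=' header agrees with the parsed finding count."""
    return header.get("found") == str(len(findings))


def location_class(path):
    """Assumed labels: where the flagged file sits, not whether it is harmful."""
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore-point copy"
    if p.startswith("c:\\qoobox\\"):
        return "combofix quarantine"
    if "\\local settings\\temp\\" in p:
        return "temp download"
    return "live file"


def triage(text):
    """Map each location label to the list of flagged paths under it."""
    _, findings = parse_eset_log(text)
    buckets = defaultdict(list)
    for f in findings:
        buckets[location_class(f.path)].append(f.path)
    return dict(buckets)


def group_by_sha1(findings):
    """Same SHA1 in several places means one file copied around, not several."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.sha1.upper()].append(f.path)
    return dict(groups)


if __name__ == "__main__":
    hdr, finds = parse_eset_log(SAMPLE_LOG)
    print(f"found={hdr.get('found')} parsed={len(finds)} "
          f"consistent={counts_consistent(hdr, finds)}")
    for f in finds:
        print(f"[{location_class(f.path)}] {f.name} :: {f.path}")
    for sha1, paths in group_by_sha1(finds).items():
        if len(paths) > 1:
            print(f"{sha1} is the same file in {len(paths)} locations")
```

On the sample, the Deal Vault.dll under Program Files and its restore-point copy share one SHA1, so the two findings describe a single file; the grouping makes that visible before anyone counts ten findings as ten separate infections.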
 