TechSpot

MBAM, gmer and DDS results!

By megabomination
Jun 15, 2011
  1. Hi guys. I've pasted my results after following the 'seven step' guide for your help.
    The symptoms my PC is having are a constantly redirected IE8, being unable to use Task Manager, and all of my files and some programs seem to have been erased!?
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 6624

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    14/06/2011 7:56:25 PM
    mbam-log-2011-06-14 (19-56-25).txt

    Scan type: Quick scan
    Objects scanned: 166444
    Time elapsed: 4 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    .
    DDS (Ver_2011-06-03.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Adam Livermore at 19:51:23 on 2011-06-15
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3017 [GMT 10:00]
    .
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Adam Livermore\Desktop\ujd3zmfq.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = ${URL_SEARCHPAGE}
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: HistoryTriggerBHO Class: {21a88cb9-84d2-4020-a2d1-b25a21034884} - c:\program files\lg electronics\lg pc suite iv\linkair\LinkAirBrowserHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    uPolicies-system: DisableTaskMgr = 30
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: LG Air Sync (R-Click) - Save as Mobile Image - c:\program files\lg electronics\lg pc suite iv\linkair\IEContextMenu.dll/206
    IE: LG Air Sync (R-Click) - Save as Mobile Memo - c:\program files\lg electronics\lg pc suite iv\linkair\IEContextMenu.dll/208
    IE: LG Air Sync (R-Click) - Save as Mobile Text file - c:\program files\lg electronics\lg pc suite iv\linkair\IEContextMenu.dll/210
    IE: LG Air Sync (R-Click) - Set as Mobile Wallpaper - c:\program files\lg electronics\lg pc suite iv\linkair\IEContextMenu.dll/205
    IE: LG Air Sync Option - c:\program files\lg electronics\lg pc suite iv\linkair\IEContextMenu.dll/209
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-30 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-18 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-30 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-30 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-30 61960]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2010-10-8 101904]
    R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [2009-9-29 12160]
    R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [2009-9-29 10496]
    R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [2009-9-29 12928]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-3 135664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-5-1 1684736]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-18 12872]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-19 753504]
    S4 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [2010-11-20 47616]
    .
    =============== Created Last 30 ================
    .
    2011-05-29 20:27:30 601048 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    .
    ==================== Find3M ====================
    .
    2011-04-17 04:36:18 6264 ---ha-w- c:\windows\system32\ealregsnapshot1.reg
    .
    ============= FINISH: 19:51:32.62 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-03.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 29/04/2010 2:33:05 PM
    System Uptime: 15/06/2011 6:28:08 PM (1 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P5G41T-M LX
    Processor: Intel Pentium III Xeon processor | LGA775 | 2933/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 466 GiB total, 395.852 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 77 GiB total, 48.746 GiB free.
    F: is FIXED (FAT32) - 64 GiB total, 63.874 GiB free.
    I: is Removable
    J: is Removable
    K: is Removable
    L: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Ethernet Controller
    Device ID: PCI\VEN_1969&DEV_1063&SUBSYS_83FE1043&REV_C0\4&38D2602C&0&00E1
    Manufacturer:
    Name: Ethernet Controller
    PNP Device ID: PCI\VEN_1969&DEV_1063&SUBSYS_83FE1043&REV_C0\4&38D2602C&0&00E1
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\ATK0110\1010110
    Manufacturer:
    Name:
    PNP Device ID: ACPI\ATK0110\1010110
    Service:
    .
    ==== System Restore Points ===================
    .
    RP186: 8/03/2011 8:19:38 PM - System Checkpoint
    RP187: 10/03/2011 7:19:04 AM - Software Distribution Service 3.0
    RP188: 10/03/2011 7:24:01 PM - Software Distribution Service 3.0
    RP189: 12/03/2011 8:38:44 AM - System Checkpoint
    RP190: 14/03/2011 7:22:01 PM - System Checkpoint
    RP191: 15/03/2011 7:46:04 PM - System Checkpoint
    RP192: 21/03/2011 6:23:20 AM - System Checkpoint
    RP193: 22/03/2011 6:54:52 AM - System Checkpoint
    RP194: 23/03/2011 9:03:00 PM - System Checkpoint
    RP195: 24/03/2011 7:00:12 AM - Software Distribution Service 3.0
    RP196: 3/04/2011 8:11:28 AM - System Checkpoint
    RP197: 5/04/2011 7:17:22 AM - System Checkpoint
    RP198: 11/04/2011 8:01:22 AM - Installed Windows Internet Explorer 8.
    RP199: 11/04/2011 7:33:23 PM - Software Distribution Service 3.0
    RP200: 13/04/2011 7:06:01 AM - System Checkpoint
    RP201: 15/04/2011 8:45:53 AM - System Checkpoint
    RP202: 15/04/2011 9:10:06 PM - Software Distribution Service 3.0
    RP203: 16/04/2011 8:27:50 AM - Software Distribution Service 3.0
    RP204: 16/04/2011 3:32:49 PM - Software Distribution Service 3.0
    RP205: 17/04/2011 2:15:26 PM - Installed Dead Space™
    RP206: 17/04/2011 2:36:19 PM - Installed EA Download Manager
    RP207: 18/04/2011 5:27:00 PM - System Checkpoint
    RP208: 20/04/2011 2:54:14 PM - System Checkpoint
    RP209: 25/04/2011 5:39:59 PM - System Checkpoint
    RP210: 28/04/2011 7:48:20 PM - System Checkpoint
    RP211: 29/04/2011 7:26:10 AM - Software Distribution Service 3.0
    RP212: 1/05/2011 5:13:48 PM - System Checkpoint
    RP213: 3/05/2011 6:20:32 AM - System Checkpoint
    RP214: 5/05/2011 9:17:59 AM - System Checkpoint
    RP215: 6/05/2011 6:23:26 PM - System Checkpoint
    RP216: 8/05/2011 9:14:13 AM - System Checkpoint
    RP217: 10/05/2011 7:13:51 AM - System Checkpoint
    RP218: 11/05/2011 7:00:12 AM - Software Distribution Service 3.0
    RP219: 15/05/2011 8:25:02 AM - System Checkpoint
    RP220: 17/05/2011 8:52:55 PM - System Checkpoint
    RP221: 19/05/2011 7:05:51 AM - System Checkpoint
    RP222: 28/05/2011 10:52:17 PM - System Checkpoint
    RP223: 2/06/2011 7:11:57 PM - System Checkpoint
    RP224: 2/06/2011 10:26:13 PM - Restore Operation
    RP225: 3/06/2011 11:09:24 PM - System Checkpoint
    RP226: 5/06/2011 6:00:42 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.4.4
    Apple Application Support
    Apple Software Update
    ATI AVIVO Codecs
    ATI Catalyst Install Manager
    ATI Problem Report Wizard
    Avanquest update
    Avira AntiVir Personal - Free Antivirus
    Battlefield 2142
    Call of Duty Game of the Year Edition
    Call of Duty(R) - World at War(TM)
    Call of Duty(R) - World at War(TM) 1.1 Patch
    Call of Duty(R) - World at War(TM) 1.2 Patch
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Digital Camera Solution Disk 34 Software Starter Guide
    Canon Direct Print User Guide
    Canon G.726 WMP-Decoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon MP Navigator EX 1.0
    Canon MP220 series
    Canon My Printer
    Canon PowerShot A470 Camera User Guide
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities EOS Utility
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities Solution Menu
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center HydraVision Full
    Catalyst Control Center Localization All
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    Crysis(R)
    Dead Space™
    DivX Setup
    Far Cry
    Far Cry (Patch 1.4)
    Far Cry 2
    GameSpy Comrade
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    HydraVision
    Java Auto Updater
    Java(TM) 6 Update 20
    LG Bluetooth Drivers
    LG PC Suite IV
    LG United Mobile Drivers
    LG USB Modem Drivers
    Malwarebytes' Anti-Malware
    Medieval II Total War
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft Works
    Motorola Phone Tools
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    PCFriendly
    PIXMA Extended Survey Program
    Power Tab Editor 1.7
    Power Tab Librarian
    PunkBuster Services
    QuickTime
    Raptr
    Realtek AC'97 Audio
    Realtek High Definition Audio Driver
    Recuva
    ScanSoft OmniPage SE 4
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows XP (KB923789)
    Skins
    SUPERAntiSpyware Free Edition
    The Lord of the Rings FREE Trial
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    VC80CRTRedist - 8.0.50727.4053
    VIRGIN BROADBAND
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows XP Service Pack 3
    WinRAR archiver
    World of Warcraft
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/06/2011 7:50:15 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    .
    ==== End Of File ===========================
    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-06-15 19:56:30
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-f SAMSUNG_HD501LJ rev.CR100-13
    Running: ujd3zmfq.exe; Driver: C:\DOCUME~1\ADAMLI~1\LOCALS~1\Temp\kwadrfob.sys

    INITc ...

    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA479F620]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    SSDT BA6DB630 ZwOpenProcess
    SSDT BA6DB635 ZwOpenThread
    SSDT BA6DB644 ZwCreateThread
    SSDT BA6DB64E ZwCreateKey
    SSDT BA6DB653 ZwDeleteKey
    SSDT BA6DB658 ZwSetValueKey
    SSDT BA6DB65D ZwDeleteValueKey
    SSDT BA6DB662 ZwLoadKey
    SSDT BA6DB667 ZwRestoreKey
    SSDT BA6DB66C ZwReplaceKey

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E0000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00DF000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E3000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00E2000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DE000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B4000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0121000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00B4000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0124000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0123000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B3000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0122000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D0000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00CF000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D3000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D2000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CE000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D1000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\iexplore.exe[3272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0123000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0122000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0126000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0125000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0121000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0124000A

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB97F5000, 0x273B67, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00452230 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 00452270 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 004522B0 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 004522E0 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 00452430 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 00452490 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00452320 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00452360 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 004523A0 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 004523F0 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:124] 8A7F8E7A
    Thread System [4:128] 8A7FB008

    ---- Kernel code sections - GMER 1.0.15 ----

    INITc VolSnap.sys BA0D3BD0 4 Bytes [B0, A5, 53, 80]
    INITc VolSnap.sys BA0D3BF8 4 Bytes [B8, A1, 4F, 80]
    INITc VolSnap.sys BA0D3C20 4 Bytes [B6, AE, 4F, 80]
    INITc VolSnap.sys BA0D3C48 4 Bytes [30, FF, 4F, 80]
    INITc VolSnap.sys BA0D3C70 4 Bytes [7A, A8, 4F, 80]

    ---- EOF - GMER 1.0.15 ----
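    A note on reading the GMER hook list above (added by the editor; this is not part of the original post and not GMER's own logic). Every USER32 hook in iexplore.exe and in VIRGIN BROADBAND.exe jumps into a named module (IEFRAME.dll, SkinMagicU.dll), which is what skinning toolkits and IE's own frame code do. The WININET and WS2_32 hooks in iexplore.exe are different: their JMP targets (00B06B70, 0121000A ... 0126000A) carry no owning module, and the hooked exports are exactly the ones that resolve names, move socket data and add HTTP headers, which fits the redirect symptom in the first post. The script below is an added example that parses the two GMER line formats seen in this log, flags hooks with no owning module, and decodes the 4-byte VolSnap.sys INIT-section patches. The NETWORK_EXPORTS list and the "unattributed target = suspicious" heuristic are the example's own assumptions, the sample lines are copied from the log above, and an unattributed hook is a triage priority, not a verdict (some legitimate products also hook from anonymous memory).

```python
"""Triage helper for GMER 'code sections' output (added example; neither the
thread's own code nor GMER's logic). Parses user-mode inline hooks
(".text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owner> (<descr>)]")
and kernel code-section patches ("<section> <driver> <addr> <n> Bytes [<hex>, ...]"),
then lists hooks whose JMP target has no owning module and decodes each patch.
"Suspicious" is this example's heuristic (unattributed target), not a verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Exports a traffic-redirecting hook would target (DNS, socket I/O, HTTP headers).
# Chosen for this example; extend as needed.
NETWORK_EXPORTS = {
    ("WS2_32.dll", "connect"), ("WS2_32.dll", "send"), ("WS2_32.dll", "recv"),
    ("WS2_32.dll", "closesocket"), ("WS2_32.dll", "getaddrinfo"),
    ("WS2_32.dll", "gethostbyname"), ("WININET.dll", "HttpAddRequestHeadersA"),
    ("WININET.dll", "HttpAddRequestHeadersW"),
}

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[\w.]+)!(?P<export>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<descr>[^)]*)\))?\s*$")
PATCH_RE = re.compile(
    r"^(?P<section>[\w.]+)\s+(?P<driver>[\w.]+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes\s+\[(?P<bytes>[0-9A-Fa-f ,]+)\]\s*$")


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    export: str
    target: int
    owner: Optional[str]  # module that owns the JMP target; None = anonymous memory

    @property
    def attributed(self) -> bool:
        return self.owner is not None

    @property
    def network(self) -> bool:
        return (self.module, self.export) in NETWORK_EXPORTS


@dataclass
class KernelPatch:
    section: str
    driver: str
    addr: int
    raw: bytes

    @property
    def as_dword(self) -> Optional[int]:
        """The patched bytes read as one little-endian 32-bit value (4-byte patches only)."""
        return int.from_bytes(self.raw, "little") if len(self.raw) == 4 else None


def parse_line(line: str):
    """Return a Hook, a KernelPatch, or None for headers and other lines."""
    line = line.strip()
    m = HOOK_RE.match(line)
    if m:
        return Hook(m["process"], int(m["pid"]), m["module"], m["export"],
                    int(m["target"], 16), m["owner"])
    m = PATCH_RE.match(line)
    if m:
        raw = bytes(int(b, 16) for b in m["bytes"].replace(",", " ").split())
        return KernelPatch(m["section"], m["driver"], int(m["addr"], 16), raw)
    return None


def triage(log_text: str) -> Dict[str, list]:
    items = [x for x in map(parse_line, log_text.splitlines()) if x is not None]
    hooks = [x for x in items if isinstance(x, Hook)]
    return {"suspicious": [h for h in hooks if not h.attributed],
            "attributed": [h for h in hooks if h.attributed],
            "kernel_patches": [x for x in items if isinstance(x, KernelPatch)]}


def report(log_text: str) -> List[str]:
    """One line per unattributed hook and per kernel patch, ready to paste in a reply."""
    t = triage(log_text)
    out = []
    for h in t["suspicious"]:
        kind = "NETWORK" if h.network else "other"
        out.append(f"HOOK  {h.process}[{h.pid}] {h.module}!{h.export} -> "
                   f"{h.target:08X} (no owning module, {kind})")
    for p in t["kernel_patches"]:
        value = f"{p.as_dword:08X}" if p.as_dword is not None else p.raw.hex()
        out.append(f"PATCH {p.driver} {p.section} @ {p.addr:08X} = {value}")
    return out


# Lines copied from the GMER log posted above (headers included to show they are skipped).
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0123000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0122000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0126000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0125000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0121000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0124000A
.text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00452230 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB97F5000, 0x273B67, 0xE8000020]
INITc VolSnap.sys BA0D3BD0 4 Bytes [B0, A5, 53, 80]
INITc VolSnap.sys BA0D3BF8 4 Bytes [B8, A1, 4F, 80]
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

    Run against the sample it prints eight HOOK lines (all in iexplore.exe, all tagged NETWORK) and two PATCH lines. The decoded VolSnap.sys values (8053A5B0, 804FA1B8) fall above 0x80000000, i.e. in kernel space on a 32-bit XP box with the default 2 GB split; the decoder makes no claim beyond that arithmetic, but it is worth keeping next to ComboFix's later report of an infected volsnap.sys copy when you write up the case.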
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'll be glad to help you, but first you need to repeat Malwarebytes with the current version. If the database isn't current, it's not going to find the current malware. Please follow this link and uninstall the Mbam you now have on the system:

    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================
    Do you know what this running executable is> C:\Documents and Settings\Adam Livermore\Desktop\ujd3zmfq.exe
    ===========================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Reminder to be patient
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    As for the missing files, not to worry- there are several malware programs out now which 'hide' the files- they are not gone. We will handle that later.
     
  3. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6863

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    16/06/2011 7:02:12 AM
    mbam-log-2011-06-16 (07-02-12).txt

    Scan type: Quick scan
    Objects scanned: 157826
    Time elapsed: 2 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Downloaded the new version, updated and ran a quick scan. Here are the results!
    "Do you know what this running executable is> C:\Documents and Settings\Adam Livermore\Desktop\ujd3zmfq.exe" Yes, it's the GMER program!

    So I shouldn't use Avira or SUPERAntiSpyware at all at the moment?
    Also, why only a quick scan using MBAM? Thanks for your help!
     
  4. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    I forgot to ask if I can use Crap Cleaner at the moment? Thanks.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No, please don't use CCleaner at this point. We'll clean out some files later.

    The reason you may not be able to access the Task Manager is this:
    uPolicies-system: DisableTaskMgr = 30

    This has most likely been done by the malware. We can fix this after you run Combofix as follows:
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow it
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =====================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the button to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  6. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    ComboFix 11-06-16.01 - Adam Livermore 17/06/2011 7:38.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3088 [GMT 10:00]
    Running from: c:\documents and settings\Adam Livermore\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Adam Livermore\Start Menu\Programs\Windows XP Recovery
    F:\resycled
    .
    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-15 20:55 . 2011-05-28 23:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-03 10:19 . 2011-06-03 10:19 -------- d-----w- c:\program files\Recuva
    2011-05-29 20:27 . 2011-05-29 20:27 601048 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-17 04:36 . 2011-04-17 04:36 6264 ---ha-w- c:\windows\system32\ealregsnapshot1.reg
    2011-03-19 03:53 . 2010-04-29 14:33 137656 ---ha-w- c:\windows\system32\drivers\avipbb.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-08 2424192]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-03 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ---ha-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 12:07 932288 ---ha-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ---ha-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2007-04-03 16:50 1603152 ---ha-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2007-05-14 16:01 644696 ---ha-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2010-06-03 00:50 1144104 ---ha-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LG LinkAir]
    2010-11-20 21:23 2440552 ---ha-w- c:\program files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    2007-02-04 02:02 79400 ---ha-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 04:53 421888 ---ha-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Raptr]
    2010-12-16 21:53 53160 ---ha-w- c:\progra~1\Raptr\raptrstub.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2010-04-30 14:17 18782720 ---ha-w- c:\windows\RTHDCPL.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2006-10-24 23:03 210472 ---ha-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2009-09-18 10:25 98304 ---ha-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 18:43 248040 ---ha-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2011-06-03 10:22 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "PnkBstrA"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "IJPLMSVC"=2 (0x2)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "gusvc"=3 (0x3)
    "gupdate"=2 (0x2)
    "CCALib8"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)
    "LGScsiCommandService"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Raptr\\raptr.exe"=
    "c:\\Program Files\\Raptr\\raptr_im.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [18/02/2010 4:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [18/02/2010 4:15 AM 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/04/2010 12:33 AM 136360]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [8/10/2010 8:57 PM 101904]
    R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [29/09/2009 7:11 AM 12160]
    R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [29/09/2009 7:11 AM 10496]
    R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [29/09/2009 7:11 AM 12928]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [19/03/2010 6:16 AM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/06/2011 8:22 PM 135664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/05/2010 12:18 AM 1684736]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [18/02/2010 4:15 AM 12872]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [19/03/2010 6:16 AM 753504]
    S4 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [20/11/2010 5:28 PM 47616]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-03 10:22]
    .
    2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-03 10:22]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: LG Air Sync (R-Click) - Save as Mobile Image - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/206
    IE: LG Air Sync (R-Click) - Save as Mobile Memo - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/208
    IE: LG Air Sync (R-Click) - Save as Mobile Text file - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/210
    IE: LG Air Sync (R-Click) - Set as Mobile Wallpaper - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/205
    IE: LG Air Sync Option - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/209
    TCP: Interfaces\{79FBAC50-0848-438F-A8BC-98C091237C9B}: NameServer = 123.200.191.17 123.200.191.18
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-UfQshXkFHeIUkQ - c:\documents and settings\All Users\Application Data\UfQshXkFHeIUkQ.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-17 07:40
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-436374069-1425521274-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:7a,b4,b8,c1,9f,e0,8d,20,bb,e6,a8,fd,33,18,a2,8f,68,67,aa,4b,33,
    f7,3b,84,14,30,69,4a,6b,29,63,f1,64,f7,55,a4,0a,8e,bf,d5,55,a5,b7,29,62,19,\
    "rkeysecu"=hex:39,cc,8a,da,7f,44,84,09,da,b7,e2,0c,b8,a9,a5,33
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(564)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    .
    - - - - - - - > 'explorer.exe'(3400)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-06-17 07:45:07
    ComboFix-quarantined-files.txt 2011-06-16 21:45
    .
    Pre-Run: 424,917,725,184 bytes free
    Post-Run: 424,905,068,544 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - C7DFD8D00732032086737DC7ED764535

    I've yet to do the online scan, will do that this arvo! But already the PC is working much better, you guys are ace!
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Before I forget, if you start another thread in the future in this forum, please make the subject describe your problem. For instance> this one could have been: Redirects/no TaskManager/Missing files & Programs

    When I'm working on the thread, I can look at the top of the browser and see Redirects and can't use TaskManager. When I look up now, all I see is Mbam,gmer and DDS results! So while I'm helping you and 30 other members at the same time, I have to refer back to your 1st post to find the problem.
    ===================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\PerfStringBackup.TMP
    d:\pcicon.sys
    DDS::
    uSearch Page = ${URL_SEARCHPAGE}
    uPolicies-system: DisableTaskMgr = 30
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    
    FileLook::
    c:\windows\system32\ealregsnapshot1.reg
    Driver::
    PciCon
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Reboot the computer after Combofix. Can you access the Task Manager now? Are you still missing files and programs?

    Please post the Eset scan log when ready.
     
  8. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    Thanks. Here are the results for ComboFix. I'm trying to run the online scanner but when it is trying to download the 'signature database' it gets about 10% done and won't go any more? It says 'unexpected error 2002'? I will try tomorrow as it's currently prime time Friday night and internet speeds are slow, so I'm wondering if that could be it?
    ComboFix 11-06-16.01 - Adam Livermore 17/06/2011 20:48:51.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3049 [GMT 10:00]
    Running from: c:\documents and settings\Adam Livermore\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Adam Livermore\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    FILE ::
    "c:\windows\system32\PerfStringBackup.TMP"
    "d:\pcicon.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\PerfStringBackup.TMP
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_PCICON
    -------\Service_PciCon
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-17 to 2011-06-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-15 20:55 . 2011-05-28 23:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-03 10:19 . 2011-06-03 10:19 -------- d-----w- c:\program files\Recuva
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-17 04:36 . 2011-04-17 04:36 6264 ----a-w- c:\windows\system32\ealregsnapshot1.reg
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\system32\ealregsnapshot1.reg ---
    Company: ------
    File Description: ------
    File Version: ------
    Product Name: ------
    Copyright: ------
    Original Filename: ------
    File size: 6264
    Created time: 2011-04-17 04:36
    Modified time: 2011-04-17 04:36
    MD5: C8AE9262AF7A65615849743C87AC1F88
    SHA1: B916120DB8291446D4096DF699C83536A238ED78
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-08 2424192]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-03 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 12:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2007-04-03 16:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2007-05-14 16:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LG LinkAir]
    2010-11-20 21:23 2440552 ----a-w- c:\program files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    2007-02-04 02:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Raptr]
    2010-12-16 21:53 53160 ----a-w- c:\progra~1\Raptr\raptrstub.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2010-04-30 14:17 18782720 ----a-w- c:\windows\RTHDCPL.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2006-10-24 23:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2009-09-18 10:25 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2011-06-03 10:22 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "PnkBstrA"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "IJPLMSVC"=2 (0x2)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "gusvc"=3 (0x3)
    "gupdate"=2 (0x2)
    "CCALib8"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)
    "LGScsiCommandService"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Raptr\\raptr.exe"=
    "c:\\Program Files\\Raptr\\raptr_im.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [18/02/2010 4:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [18/02/2010 4:15 AM 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/04/2010 12:33 AM 136360]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [8/10/2010 8:57 PM 101904]
    R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [29/09/2009 7:11 AM 12160]
    R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [29/09/2009 7:11 AM 10496]
    R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [29/09/2009 7:11 AM 12928]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [19/03/2010 6:16 AM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/06/2011 8:22 PM 135664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/05/2010 12:18 AM 1684736]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [18/02/2010 4:15 AM 12872]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [19/03/2010 6:16 AM 753504]
    S4 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [20/11/2010 5:28 PM 47616]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-03 10:22]
    .
    2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-03 10:22]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: LG Air Sync (R-Click) - Save as Mobile Image - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/206
    IE: LG Air Sync (R-Click) - Save as Mobile Memo - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/208
    IE: LG Air Sync (R-Click) - Save as Mobile Text file - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/210
    IE: LG Air Sync (R-Click) - Set as Mobile Wallpaper - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/205
    IE: LG Air Sync Option - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/209
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-17 20:53
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-436374069-1425521274-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:7a,b4,b8,c1,9f,e0,8d,20,bb,e6,a8,fd,33,18,a2,8f,68,67,aa,4b,33,
    f7,3b,84,14,30,69,4a,6b,29,63,f1,64,f7,55,a4,0a,8e,bf,d5,55,a5,b7,29,62,19,\
    "rkeysecu"=hex:39,cc,8a,da,7f,44,84,09,da,b7,e2,0c,b8,a9,a5,33
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(568)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    .
    - - - - - - - > 'explorer.exe'(3664)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    .
    **************************************************************************
    .
    Completion time: 2011-06-17 20:55:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-06-17 10:55
    ComboFix2.txt 2011-06-16 21:45
    .
    Pre-Run: 424,908,062,720 bytes free
    Post-Run: 424,827,142,144 bytes free
    .
    - - End Of File - - 0FB0D68DD9FED81C86C2B636330AA314
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do you know what this is? c:\windows\system32\ealregsnapshot1.reg If you do not, do this:

    Right click on the Taskbar> Explore> Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide system files (Recommended)'> then click on My Computer> Windows> System 32> look for ealregsnapshot1 and do RIGHT click> Properties. Does it give any info?

    Please go back and rehide the files and folders when you have finished.

    There is a program called RegSnap that's a 'try and buy' tool- I don't see it installed on your system. I took a look into the file and found a VirSCAN had already been done with no malware showing. But the stats for what you have and the stats on the VirSCAN do not match.

    Has there been any change in your accessing the Task Manager?
     
  10. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    1. No. I have no idea what this c:\windows\system32\ealregsnapshot1.reg is!?
    2. I found the file after following your instructions and the info under Properties > General tab is exactly that. It has a file size and date created etc., and also a 'Summary' tab which is empty? How would I go about sending you the info on these tabs, short of typing it out of course?
    3. I've never heard of RegSnap!
    4. Yes, I can access Task Manager now and also all files in My Documents and some other places are fully restored and IE8 is working correctly (no redirecting). Some components of programs are still missing however! For example, the CCC programme (Catalyst Control Centre) for my NTI card is now showing in Start > All Programs > Catalyst Control Centre but when I mouse over it the pop-up window is empty? There are many others like this also.
    5. Avira seems to be functioning correctly and has been detecting threats and asking me what to do, remove, ignore etc. I have been simply closing the pop-up for now as I wasn't sure? Is this correct or should I be removing anything that it finds?
    6. I'm currently 1/2 way through the online scan and will post results immediately when done! Thanks.
     
  11. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    Hi. I just completed the online scan. No threats found!?
    Avira threats found was Object A0044314.sys. What should I do with this? Quarantine it?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For the moment, you can ignore Avira. The Eset scan was clean. The system AV will show entries no matter where they are, and where they are is what determines if they are active in the system. For instance, entries in the Qoobox, System Volume or Recycler have already been handled and are no longer active.

    I am reasonably certain that the location for Object A0044314.sys is System Volume. I will have you drop all the old restore points when we finish and set a new clean one.

    Regarding this:
    Can you clarify this for me? When you go to All Programs, have you tried actually opening the program, with the left click? If there is a > to the right of the program do you mean this is empty? Are the programs actually missing?
     
  13. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    Yes, I have tried opening the programme to no avail.
    Yes, there is a > to the right... this actually says the word (Empty).
    I have checked in (C:) > Programme Files > the programme doesn't appear to be there!
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Run this and see if it 'restores' the programs:

    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.

    Let me know- there is no log to leave.
     
  15. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    Hi. I ran the programme and it hasn't seemed to have done anything? Some programmes that aren't in Start > All Programmes are in C: > Programme Files but others aren't?
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Open Windows Explorer> Windows key + E> Click on C:\Documents and Settings> All Users> Start Menu> Programs> do you see the program here? Then click on your Doc & Settings below that- such as 'Adam's docs' if you have named them that- Start Menu Programs. If the programs were in the All Users but not on yours, most likely one of the other users listed has the original Start Menu.

    Let me know about this please.
     
  17. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    Yes, this programme (CCC) is in the Start Menu under All Users but not under Adam's...?
    The CCC folder in All Users > Start Menu > Programmes is present but is empty! Some other examples of this are WinRAR, Microsoft Works, etc.
    I should also point out that the pop-up window when you go Start > All Programmes has only about 3/4 of the programmes that used to be there!? Thanks.
     
  18. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    I just ran the programme again with all antivirus etc. switched off and it still hasn't seemed to do anything? I'm happy to download/reinstall the missing programmes if we're unable to restore them! The main things that I was concerned about were personal items in My Documents and Pictures, which were restored/found after I ran ComboFix, and I have already backed these up. Is cleaning considered finished now or are there more steps? Thanks.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Try running the Unhide program again. If it does not work, do the following:

    You should log on under the user Adam
     
  20. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    Tried all these steps, nothing? I typed ccc into the Start > Run utility and what do you know? The Control Centre opened and is fully usable but the programme doesn't seem to exist anywhere? I have also noticed, for example, that QuickTime is running and its icon is in the tray in the lower right corner of the screen and all its associated files are in C: > Programme Files > QuickTime but if you go into the Start menu it's Start > All Programmes > QuickTime > (Empty)!?
    I looked at your advice on dragging and dropping to re-create shortcuts but from what I can see that's not the problem that I'm having; it's that my programmes are still hidden... I think, lol.
    If you have any other thoughts that would be great. Thanks again!
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The programs are on the system- they wouldn't run if they weren't. You are just going to need to find them.

    Please right click on Start> Choose Open All Users> This should display the Program folder. Open it and see if the programs are there.
     
  22. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    Tried this. Many programmes are there, such as CCC, but when you open that folder it is empty!
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Where are you opening the folder? All Programs? All Users?

    Do a search for each of the programs. It has to be on the system because each one runs. See if you can find the location. You can also view hidden files and folders:
    Right click on Start> Explore> Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide system folders (Recommended)'> Click on Apply and confirm Yes> OK

    Now search for the programs. When you find them do a right click> Properties> If hide is checked, uncheck.
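    Posts 14 and 23 both come down to the same thing: finding items that carry the Hidden attribute and clearing it. The script below is an added example, not the Unhide.exe tool or anything posted in this thread; it assumes PowerShell 2.0 or later is installed and the XP-style profile layout mentioned in post 16, lists the hidden (non-system) items under both Start Menu Programs folders first, and only then clears the Hidden bit on exactly those items.

```powershell
# Added example, not Unhide.exe: audit the Hidden attribute under both Start Menu
# "Programs" folders before clearing it, so an "(Empty)" Start Menu entry can be
# traced to a hidden folder. Assumes PowerShell 2.0+ and the XP profile layout.
$roots = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs",   # C:\Documents and Settings\All Users\...
    "$env:USERPROFILE\Start Menu\Programs"        # the logged-on user's own Start Menu
)

# -Force is required: without it Get-ChildItem silently skips hidden items.
# Objects flagged System (desktop.ini and the like) are deliberately left alone.
$hidden = Get-ChildItem -Path $roots -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
    }

# Report first, so the list can be reviewed before anything on disk is changed.
$hidden | Select-Object FullName, Attributes | Format-Table -AutoSize

# Every item in $hidden has the Hidden bit set, so XOR turns it off and nothing else.
# Comment out this loop to keep the script report-only.
foreach ($item in $hidden) {
    $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
}
```

    Run it from an administrator account; the report section alone is enough to confirm whether a missing Start Menu folder is merely hidden rather than deleted.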
     
  24. megabomination

    megabomination TS Booster Topic Starter Posts: 151

    I was able to find some; the others I will just reinstall or download again. I don't mind doing that, it will be quicker and easier I think for me anyway to do it like that! Besides these missing programmes, what else is there to do?
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This brings up the following points:
    1. You say the programs run- is that correct?
    2. If yes, it means they are on the computer.
    3. I had hoped that the search would show you where the program was located. For those you found, did you check the location of the file?
    4. If you download and install the same program again, you will then have 2 of the programs. This will take up hard drive 'space' and depending on what type of program it is, it could be using system resources x2.
     