Websites redirected, can't run Windows Update, can't install Malwarebytes

Inactive
By weety
Oct 3, 2012
  1. weety

    weety Newcomer, in training Topic Starter Posts: 60

    It's telling me I must be the administrator to run DeFogger. I thought I was the administrator, but I can't seem to get it to work...
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Right-click on it and select Run as Administrator.

    Please do GMER again, if possible. Definitely SystemLook.
  3. weety

    weety Newcomer, in training Topic Starter Posts: 60

    I tried running as administrator using the password I log in with and it was rejected. I don't know if this is relevant, but I have never installed any CD emulation software on this computer. Is there an alternative to DeFogger?
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    You have SPTD.sys, which is a CD emulation driver...

    Right-click on Defogger and select Run as administrator. That's what I was asking...
  5. weety

    weety Newcomer, in training Topic Starter Posts: 60

    When I right click and select run as administrator, I receive the error "The parameter is incorrect". (This is a different error to when I deliberately enter the wrong username/password).
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Move on to SystemLook, please.
  7. weety

    weety Newcomer, in training Topic Starter Posts: 60

    SystemLook 30.07.11 by jpshortstuff
    Log created at 19:09 on 27/10/2012 by hmc05
    (Limited User)

    ========== filefind ==========

    Searching for "atapi.sys"
    C:\WINNT\erdnt\cache\atapi.sys --a---- 96512 bytes [03:31 25/09/2012] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
    C:\WINNT\system32\dllcache\atapi.sys --a---- 96512 bytes [00:10 14/04/2008] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
    C:\WINNT\system32\drivers\atapi.sys --a---- 96512 bytes [00:10 14/04/2008] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

    Searching for "usb*.sys"
    C:\DRIVERS\MISC\USBSCAN.SYS --a---- 8944 bytes [00:00 01/01/1980] [05:01 13/06/1998] 45F1636265B41F9ECC4F33A721A411E1
    C:\WINNT\system32\dllcache\usb101et.sys --a---- 32384 bytes [19:32 09/10/2012] [21:05 13/04/2008] 24BB6CA00ED8C91DAE2FD13E5F6EEC39
    C:\WINNT\system32\dllcache\usb8023.sys --a---- 12800 bytes [00:00 01/01/1980] [12:00 14/04/2008] BEE793D4A059CAEA55D6AC20E19B3A8F
    C:\WINNT\system32\dllcache\usb8023x.sys --a---- 12800 bytes [19:32 09/10/2012] [23:26 13/04/2008] B6CC50279D6CD28E090A5D33244ADC9A
    C:\WINNT\system32\dllcache\usbaudio.sys --a---- 60032 bytes [21:17 28/12/2011] [00:15 14/04/2008] E919708DB44ED8543A7C017953148330
    C:\WINNT\system32\dllcache\usbcamd.sys --a---- 25600 bytes [00:15 14/04/2008] [12:00 14/04/2008] 1C1A47B40C23358245AA8D0443B6935E
    C:\WINNT\system32\dllcache\usbcamd2.sys --a---- 25728 bytes [00:15 14/04/2008] [12:00 14/04/2008] CE97845D2E3F0D274B8BAC1ED07C6149
    C:\WINNT\system32\dllcache\usbccgp.sys --a---- 32128 bytes [21:16 28/12/2011] [00:15 14/04/2008] 173F317CE0DB8E21322E71B7E60A27E8
    C:\WINNT\system32\dllcache\usbd.sys --a---- 4736 bytes [14:03 17/08/2001] [12:00 14/04/2008] 596EB39B50D6EBD9B734DC4AE0544693
    C:\WINNT\system32\dllcache\usbehci.sys --a---- 30208 bytes [00:15 14/04/2008] [12:00 14/04/2008] 65DCF09D0E37D4C6B11B5B0B76D470A7
    C:\WINNT\system32\dllcache\usbhub.sys --a---- 59520 bytes [00:15 14/04/2008] [12:00 14/04/2008] 1AB3CDDE553B6E064D2E754EFE20285C
    C:\WINNT\system32\dllcache\usbintel.sys --a---- 15872 bytes [00:15 14/04/2008] [12:00 14/04/2008] 290913DC4F1125E5A82DE52579A44C43
    C:\WINNT\system32\dllcache\usbohci.sys --a---- 17152 bytes [19:32 09/10/2012] [23:15 13/04/2008] 0DAECCE65366EA32B162F85F07C6753B
    C:\WINNT\system32\dllcache\usbport.sys --a---- 143872 bytes [00:15 14/04/2008] [12:00 14/04/2008] 791912E524CC2CC6F50B5F2B52D1EB71
    C:\WINNT\system32\dllcache\usbprint.sys --a---- 25856 bytes [19:32 09/10/2012] [23:17 13/04/2008] A717C8721046828520C9EDF31288FC00
    C:\WINNT\system32\dllcache\usbscan.sys --a---- 15104 bytes [14:00 21/01/2010] [00:15 14/04/2008] A0B8CF9DEB1184FBDD20784A58FA75D4
    C:\WINNT\system32\dllcache\usbser.sys --a---- 26112 bytes [19:32 09/10/2012] [23:15 13/04/2008] 1C888B000C2F9492F4B15B5B6B84873E
    C:\WINNT\system32\dllcache\usbstor.sys --a---- 26368 bytes [15:02 17/11/2009] [00:15 14/04/2008] A32426D9B14A089EAA1D922E0C5801A9
    C:\WINNT\system32\dllcache\usbuhci.sys --a---- 20608 bytes [00:15 14/04/2008] [12:00 14/04/2008] 26496F9DEE2D787FC3E61AD54821FFE6
    C:\WINNT\system32\dllcache\usbvideo.sys --a---- 121984 bytes [21:17 28/12/2011] [00:16 14/04/2008] 63BBFCA7F390F4C49ED4B96BFB1633E0
    C:\WINNT\system32\drivers\usb8023.sys --a---- 12800 bytes [00:00 01/01/1980] [12:00 14/04/2008] BEE793D4A059CAEA55D6AC20E19B3A8F
    C:\WINNT\system32\drivers\USBAUDIO.sys --a---- 60032 bytes [21:17 28/12/2011] [00:15 14/04/2008] E919708DB44ED8543A7C017953148330
    C:\WINNT\system32\drivers\usbcamd.sys --a---- 25600 bytes [00:15 14/04/2008] [12:00 14/04/2008] 1C1A47B40C23358245AA8D0443B6935E
    C:\WINNT\system32\drivers\usbcamd2.sys --a---- 25728 bytes [00:15 14/04/2008] [12:00 14/04/2008] CE97845D2E3F0D274B8BAC1ED07C6149
    C:\WINNT\system32\drivers\usbccgp.sys --a---- 32128 bytes [21:16 28/12/2011] [00:15 14/04/2008] 173F317CE0DB8E21322E71B7E60A27E8
    C:\WINNT\system32\drivers\usbd.sys --a---- 4736 bytes [14:03 17/08/2001] [12:00 14/04/2008] 596EB39B50D6EBD9B734DC4AE0544693
    C:\WINNT\system32\drivers\usbehci.sys --a---- 30208 bytes [00:15 14/04/2008] [12:00 14/04/2008] 65DCF09D0E37D4C6B11B5B0B76D470A7
    C:\WINNT\system32\drivers\usbhub.sys --a---- 59520 bytes [00:15 14/04/2008] [12:00 14/04/2008] 1AB3CDDE553B6E064D2E754EFE20285C
    C:\WINNT\system32\drivers\usbintel.sys --a---- 15872 bytes [00:15 14/04/2008] [12:00 14/04/2008] 290913DC4F1125E5A82DE52579A44C43
    C:\WINNT\system32\drivers\usbport.sys --a---- 143872 bytes [00:15 14/04/2008] [12:00 14/04/2008] 791912E524CC2CC6F50B5F2B52D1EB71
    C:\WINNT\system32\drivers\usbscan.sys --a---- 15104 bytes [14:00 21/01/2010] [00:15 14/04/2008] A0B8CF9DEB1184FBDD20784A58FA75D4
    C:\WINNT\system32\drivers\USBSTOR.SYS --a---- 26368 bytes [15:02 17/11/2009] [00:15 14/04/2008] A32426D9B14A089EAA1D922E0C5801A9
    C:\WINNT\system32\drivers\usbuhci.sys --a---- 20608 bytes [00:15 14/04/2008] [12:00 14/04/2008] 26496F9DEE2D787FC3E61AD54821FFE6
    C:\WINNT\system32\drivers\usbvideo.sys --a---- 121984 bytes [21:17 28/12/2011] [00:16 14/04/2008] 63BBFCA7F390F4C49ED4B96BFB1633E0

    Searching for "spvu.*"
    No files found.

    -= EOF =-
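The filefind section above lists every copy of a driver with its size, timestamps and MD5, and the helper had the user search for atapi.sys specifically. Below is an added example (not SystemLook's code, nor the helper's) that parses that output and flags any file name whose copies disagree on MD5, naming the minority copy. The sample input reuses lines from this post plus one constructed `ServicePackFiles` line with a made-up hash; that path and hash are assumptions.

```python
"""Parse SystemLook 'filefind' output and flag file names whose copies carry
different MD5s. Added example; not SystemLook's own code."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set

# One hit per line, as SystemLook prints it:
# <path> <7 attribute flags> <size> bytes [modified] [created] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?)\s+"
    r"(?P<attrs>[-a-z]{7})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<pattern>[^"]+)"')


def parse_filefind(text: str) -> Dict[str, List[dict]]:
    """Return {search pattern: [hit, ...]}; a pattern with no hits maps to []."""
    results: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("pattern")
            results[current] = []
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            results[current].append(hit)
    return results


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hashes_by_name(hits: List[dict]) -> Dict[str, Set[str]]:
    """Group the MD5s seen for each (case-folded) file name across all copies."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        groups[_basename(h["path"])].add(h["md5"])
    return dict(groups)


def inconsistent_copies(hits: List[dict]) -> Dict[str, Set[str]]:
    """Names whose copies (drivers\\, dllcache\\, backup folders) disagree on MD5."""
    return {n: s for n, s in hashes_by_name(hits).items() if len(s) > 1}


def outlier_paths(hits: List[dict]) -> List[str]:
    """For each name with disagreeing copies, the path(s) carrying the minority MD5."""
    by_name: Dict[str, List[dict]] = defaultdict(list)
    for h in hits:
        by_name[_basename(h["path"])].append(h)
    out: List[str] = []
    for copies in by_name.values():
        counts = Counter(c["md5"] for c in copies)
        if len(counts) < 2:
            continue
        majority = counts.most_common(1)[0][0]
        out.extend(c["path"] for c in copies if c["md5"] != majority)
    return out


# Sample input: the atapi.sys and usbscan.sys lines are copied from the post above;
# the ServicePackFiles line is CONSTRUCTED with a made-up MD5 to exercise the check.
SAMPLE = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 19:09 on 27/10/2012 by hmc05
(Limited User)

========== filefind ==========

Searching for "atapi.sys"
C:\WINNT\erdnt\cache\atapi.sys --a---- 96512 bytes [03:31 25/09/2012] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINNT\system32\dllcache\atapi.sys --a---- 96512 bytes [00:10 14/04/2008] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINNT\system32\drivers\atapi.sys --a---- 96512 bytes [00:10 14/04/2008] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINNT\ServicePackFiles\i386\atapi.sys --a---- 96512 bytes [00:10 14/04/2008] [12:00 14/04/2008] FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Searching for "usb*.sys"
C:\DRIVERS\MISC\USBSCAN.SYS --a---- 8944 bytes [00:00 01/01/1980] [05:01 13/06/1998] 45F1636265B41F9ECC4F33A721A411E1
C:\WINNT\system32\dllcache\usbscan.sys --a---- 15104 bytes [14:00 21/01/2010] [00:15 14/04/2008] A0B8CF9DEB1184FBDD20784A58FA75D4
C:\WINNT\system32\drivers\usbscan.sys --a---- 15104 bytes [14:00 21/01/2010] [00:15 14/04/2008] A0B8CF9DEB1184FBDD20784A58FA75D4

Searching for "spvu.*"
No files found.

-= EOF =-
"""

if __name__ == "__main__":
    found = parse_filefind(SAMPLE)
    all_hits = [h for hits in found.values() for h in hits]
    for pattern, hits in found.items():
        print(f"{pattern}: {len(hits)} copies")
    print("disagreeing names:", inconsistent_copies(all_hits))
    print("minority copies:", outlier_paths(all_hits))
```

Run against the post's own data, the check also flags `C:\DRIVERS\MISC\USBSCAN.SYS`, whose size and 1998 timestamp differ from the two system copies; the output is a list of paths for a human to read, not a verdict.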
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    I was not aware of this:
    You must be on an administrator account in order to fully disinfect the system.

    No wonder why we can't get the system to cooperate. If you cannot get to an administrator account, we need to either create one, reinstall Windows, or I cannot be of any more service. We'll just keep going around in circles in a limited account. :p
  9. weety

    weety Newcomer, in training Topic Starter Posts: 60

    In User Accounts, I'm listed under the group "Administrators". It says "Administrators have complete and unrestricted access to the computer/domain". I always thought I had an admin account... perhaps I should try to create a new one?
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please do, and re-run the above. I will be back later or tomorrow morning.
  11. weety

    weety Newcomer, in training Topic Starter Posts: 60

    Ok thanks very much!

    I'm now properly logged in with an Administrator account. Everything seems to work fine here (except I obviously can't access my files/desktop etc. so directly). To check original symptoms, I tried installing Malwarebytes and running Windows update. Both work fine.

    I guess this changes everything, but I'll complete the previous steps anyway.
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  13. weety

    weety Newcomer, in training Topic Starter Posts: 60

    First, here's the GMER log:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-10-29 09:10:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16 WDC_WD2500AAJS-60M0A0 rev.02.03E02
    Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aflcapob.sys

    ---- System - GMER 1.0.15 ----
    SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwAllocateVirtualMemory [0xB9CEB2D2]
    SSDT 8A133E10 ZwConnectPort
    SSDT spir.sys ZwCreateKey [0xB9EB50E0]
    SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwCreateThread [0xB9CEC904]
    SSDT spir.sys ZwEnumerateKey [0xB9ECDDA4]
    SSDT spir.sys ZwEnumerateValueKey [0xB9ECE132]
    SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwFreeVirtualMemory [0xB9CEB55E]
    SSDT spir.sys ZwOpenKey [0xB9EB50C0]
    SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwOpenSection [0xB9CEB0F0]
    SSDT spir.sys ZwQueryKey [0xB9ECE20A]
    SSDT spir.sys ZwQueryValueKey [0xB9ECE08A]
    SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwQueueApcThread [0xB9CECA0C]
    SSDT 8A330910 ZwResumeThread
    SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwSetContextThread [0xB9CECA58]
    SSDT spir.sys ZwSetValueKey [0xB9ECE29C]
    SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwSystemDebugControl [0xB9CEB006]
    SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwWriteVirtualMemory [0xB9CEB66E]
    INT 0x62 ? 8A47FBF8
    INT 0x73 ? 8A47FBF8
    INT 0x73 ? 8A47FBF8
    INT 0x73 ? 8A47FBF8
    INT 0x73 ? 8A47FBF8
    INT 0x73 ? 8A47FBF8
    INT 0x82 ? 8A47FBF8
    INT 0x83 ? 8A16BBF8
    INT 0x83 ? 8A16BBF8
    INT 0x83 ? 8A16BBF8
    INT 0x83 ? 8A16BBF8
    INT 0x84 ? 8A16BBF8
    INT 0x84 ? 8A16BBF8
    INT 0x84 ? 8A16BBF8
    INT 0x84 ? 8A16BBF8
    INT 0x94 ? 8A16BBF8
    INT 0x94 ? 8A16BBF8
    INT 0x94 ? 8A16BBF8
    ---- Kernel code sections - GMER 1.0.15 ----
    ? spir.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload B91C38AC 5 Bytes JMP 8A16B1D8
    ---- User code sections - GMER 1.0.15 ----
    .text C:\WINNT\system32\SearchIndexer.exe[820] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINNT\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    ---- Kernel IAT/EAT - GMER 1.0.15 ----
    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spir.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spir.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spir.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spir.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spir.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spir.sys
    ---- User IAT/EAT - GMER 1.0.15 ----
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\ws2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\System32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[3232] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    ---- Devices - GMER 1.0.15 ----
    Device \FileSystem\Ntfs \Ntfs 8A4ED1F8
    AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
    Device \Driver\usbuhci \Device\USBPDO-0 8A1A5500
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A4EF1F8
    Device \Driver\dmio \Device\DmControl\DmConfig 8A4EF1F8
    Device \Driver\dmio \Device\DmControl\DmPnP 8A4EF1F8
    Device \Driver\dmio \Device\DmControl\DmInfo 8A4EF1F8
    Device \Driver\usbuhci \Device\USBPDO-1 8A1A5500
    Device \Driver\usbuhci \Device\USBPDO-2 8A1A5500
    Device \Driver\usbehci \Device\USBPDO-3 8A1A21F8
    Device \Driver\usbuhci \Device\USBPDO-4 8A1A5500
    AttachedDevice \Driver\Tcpip \Device\Tcp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
    AttachedDevice \Driver\Tcpip \Device\Tcp fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    Device \Driver\usbuhci \Device\USBPDO-5 8A1A5500
    Device \Driver\NetBT \Device\NetBT_Tcpip_{BA44147E-D188-421D-83F4-E51BBDEDA4DC} 89AC2500
    Device \Driver\usbuhci \Device\USBPDO-6 8A1A5500
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8A4801F8
    Device \Driver\usbehci \Device\USBPDO-7 8A1A21F8
    Device \Driver\Cdrom \Device\CdRom0 8A2441F8
    Device \Driver\atapi \Device\Ide\IdePort0 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort2 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort3 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort4 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort5 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-16 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-7 [B9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\NetBT \Device\NetBt_Wins_Export 89AC2500
    Device \Driver\NetBT \Device\NetbiosSmb 89AC2500
    AttachedDevice \Driver\Tcpip \Device\Udp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
    AttachedDevice \Driver\Tcpip \Device\Udp fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
    AttachedDevice \Driver\Tcpip \Device\RawIp fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    Device \Driver\usbuhci \Device\USBFDO-0 8A1A5500
    Device \Driver\usbuhci \Device\USBFDO-1 8A1A5500
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89AC01F8
    Device \Driver\usbuhci \Device\USBFDO-2 8A1A5500
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 89AC01F8
    Device \Driver\usbehci \Device\USBFDO-3 8A1A21F8
    Device \Driver\usbuhci \Device\USBFDO-4 8A1A5500
    Device \Driver\Ftdisk \Device\FtControl 8A4801F8
    Device \Driver\usbuhci \Device\USBFDO-5 8A1A5500
    Device \Driver\usbuhci \Device\USBFDO-6 8A1A5500
    Device \Driver\usbehci \Device\USBFDO-7 8A1A21F8
    Device \FileSystem\Cdfs \Cdfs 89AA9500
    ---- Registry - GMER 1.0.15 ----
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x02 0x47 0x65 0x45 ...
    ---- Files - GMER 1.0.15 ----
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\FieldActivator.hpp 6989 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\FieldValueMap.hpp 8122 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\IC_Field.hpp 8219 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\IC_Key.hpp 4536 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\IC_KeyRef.hpp 4963 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\IC_Selector.hpp 7901 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\IC_Unique.hpp 4638 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\IdentityConstraint.hpp 9161 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\ValueStore.hpp 7442 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\ValueStoreCache.hpp 8970 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\XercesXPath.hpp 21872 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\XPathException.hpp 3017 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\XPathMatcher.hpp 8538 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\XPathMatcherStack.hpp 6551 bytes
    File C:\cygwin\usr\include\xercesc\validators\schema\identity\XPathSymbols.hpp 4418 bytes
    File C:\cygwin\usr\info\enscript.info 0 bytes
    ---- EOF - GMER 1.0.15 ----
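The SSDT section of a GMER log names, for each hooked system call, the module GMER attributes the hook to, or only an address when it cannot map the hook to a loaded module, and the kernel code section marks with `?` any module whose file it could not open. Below is an added example (not GMER's code, nor the helper's) that parses those lines into a triage summary: which module hooks which calls, which hooks are unattributed, and which hooking modules are missing on disk. The sample input is a subset of the log above.

```python
"""Triage the SSDT section of a GMER log. Added example; not GMER's own code."""
import re
from collections import defaultdict
from typing import Dict, List

# "SSDT <owner> [(description)] <ZwFunction> [[0xADDR]]"; owner is a module name or,
# when GMER cannot map the hook to a loaded module, a bare 8-hex-digit address.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<owner>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
# "? <module> <message> !" in the kernel code sections: GMER could not read the file.
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+(?P<msg>.*?)\s*!$")
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_ssdt(text: str) -> List[dict]:
    """One dict per SSDT line: owner, desc, func, addr, attributed (bool)."""
    hooks: List[dict] = []
    for raw in text.splitlines():
        m = SSDT_RE.match(raw.strip())
        if m:
            h = m.groupdict()
            h["attributed"] = not BARE_ADDR_RE.match(h["owner"])
            hooks.append(h)
    return hooks


def missing_modules(text: str) -> List[str]:
    """Modules GMER flagged with '? ... !' in the kernel code sections."""
    return [m.group("module")
            for m in (MISSING_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(text: str) -> dict:
    hooks = parse_ssdt(text)
    by_owner: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        if h["attributed"]:
            by_owner[h["owner"]].append(h["func"])
    missing = set(missing_modules(text))
    return {
        "by_owner": dict(by_owner),
        # hooks GMER could only describe by address
        "unattributed": [h["func"] for h in hooks if not h["attributed"]],
        # hooking modules whose file GMER could not open: worth a closer look
        "hooking_but_missing": sorted(o for o in by_owner if o in missing),
    }


# Sample input: a subset of the GMER log lines from the post above.
GMER_SAMPLE = """---- System - GMER 1.0.15 ----
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwAllocateVirtualMemory [0xB9CEB2D2]
SSDT 8A133E10 ZwConnectPort
SSDT spir.sys ZwCreateKey [0xB9EB50E0]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwCreateThread [0xB9CEC904]
SSDT spir.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spir.sys ZwOpenKey [0xB9EB50C0]
SSDT 8A330910 ZwResumeThread
SSDT spir.sys ZwSetValueKey [0xB9ECE29C]
---- Kernel code sections - GMER 1.0.15 ----
? spir.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B91C38AC 5 Bytes JMP 8A16B1D8
"""

if __name__ == "__main__":
    for key, value in triage(GMER_SAMPLE).items():
        print(f"{key}: {value}")
```

A module that hooks registry syscalls and cannot be opened on disk, as `spir.sys` is here, is exactly the kind of entry the helper reads in context with the rest of the log; the summary orders the reading, it does not decide it.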
     
  14. weety

    weety Newcomer, in training Topic Starter Posts: 60

    And here's the ComboFix log:

    ComboFix 12-10-29.01 - Administrator 29/10/2012 9:28.9.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3017.2338 [GMT 0:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\winnt\EventSystem.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-27 18:52 . 2012-10-27 18:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2012-10-27 18:52 . 2012-10-27 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-10-27 18:51 . 2012-10-27 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-10-27 18:51 . 2012-09-29 18:54 22856 ----a-w- c:\winnt\system32\drivers\mbam.sys
    2012-10-27 18:50 . 2012-10-27 18:50 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2012-10-27 18:50 . 2012-10-27 18:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
    2012-10-27 18:50 . 2012-10-27 18:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
    2012-10-27 18:49 . 2012-10-27 18:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
    2012-10-27 18:49 . 2012-10-27 18:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2012-10-27 18:48 . 2012-10-27 18:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
    2012-10-26 18:26 . 2012-10-26 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    2012-10-25 16:36 . 2012-10-25 16:36 -------- d-----w- c:\documents and settings\hmc05\Local Settings\Application Data\Norman Malware Cleaner
    2012-10-24 11:23 . 2012-10-24 11:23 149272 ----a-w- c:\winnt\system32\drivers\dwprot.sys
    2012-10-23 18:20 . 2012-10-23 18:20 -------- d-----w- c:\documents and settings\hmc05\DoctorWeb
    2012-10-22 12:19 . 2012-10-22 12:19 -------- d-----w- c:\documents and settings\hmc05\Local Settings\Application Data\Temp
    2012-10-22 12:19 . 2012-10-22 12:19 -------- d-----w- c:\documents and settings\hmc05\Local Settings\Application Data\Adobe
    2012-10-19 18:01 . 2012-10-19 18:01 -------- d-----w- C:\Mozilla
    2012-10-19 18:01 . 2012-10-19 18:01 -------- d-----w- c:\documents and settings\hmc05\Local Settings\Application Data\Mozilla
    2012-10-19 17:08 . 2012-10-19 17:09 -------- d-----w- c:\documents and settings\hmc05\Local Settings\Application Data\Google
    2012-10-19 17:06 . 2012-10-19 17:06 -------- d-----w- c:\documents and settings\hmc05\Local Settings\Application Data\Identities
    2012-10-19 17:05 . 2012-10-19 17:05 -------- d-----w- c:\documents and settings\hmc05\Local Settings\Application Data\Symantec
    2012-10-19 17:02 . 2012-10-19 17:02 -------- d-----w- C:\_OTL
    2012-10-15 16:42 . 2012-10-15 16:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2012-10-10 08:16 . 2012-10-10 08:16 -------- d-----w- c:\winnt\ms
    2012-10-09 19:51 . 2012-10-09 19:51 -------- d-----w- c:\program files\Tweaking.com
    2012-10-09 19:41 . 2004-06-11 23:33 290304 ----a-w- C:\subinacl.exe
    2012-10-09 19:39 . 2012-10-09 19:39 -------- d-----w- C:\RegBackup
    2012-10-09 19:34 . 2008-04-14 04:42 116224 ----a-w- c:\winnt\system32\dllcache\xrxwiadr.dll
    2012-10-09 19:34 . 2001-08-17 21:36 23040 ----a-w- c:\winnt\system32\dllcache\xrxwbtmp.dll
    2012-10-09 19:34 . 2008-04-14 04:42 18944 ----a-w- c:\winnt\system32\dllcache\xrxscnui.dll
    2012-10-09 19:34 . 2001-08-17 21:37 27648 ----a-w- c:\winnt\system32\dllcache\xrxftplt.exe
    2012-10-09 19:34 . 2001-08-17 21:37 4608 ----a-w- c:\winnt\system32\dllcache\xrxflnch.exe
    2012-10-09 19:32 . 2008-04-13 21:04 11807 ----a-w- c:\winnt\system32\dllcache\wadv07nt.sys
    2012-10-09 19:31 . 2001-08-17 21:36 28160 ----a-w- c:\winnt\system32\dllcache\umaxu40.dll
    2012-10-09 19:30 . 2001-08-17 11:10 28232 ----a-w- c:\winnt\system32\dllcache\tos4mo.sys
    2012-10-09 19:29 . 2001-08-17 21:36 53248 ----a-w- c:\winnt\system32\dllcache\stlncoin.dll
    2012-10-09 19:28 . 2001-08-17 21:36 33792 ----a-w- c:\winnt\system32\dllcache\smb0w.dll
    2012-10-09 19:27 . 2008-04-13 23:15 11520 ----a-w- c:\winnt\system32\dllcache\scsiscan.sys
    2012-10-09 19:26 . 2001-08-17 11:19 3840 ----a-w- c:\winnt\system32\dllcache\rpfun.sys
    2012-10-09 19:25 . 2001-08-17 12:53 7168 ----a-w- c:\winnt\system32\dllcache\pnrmc.sys
    2012-10-09 19:24 . 2001-08-17 13:05 25088 ----a-w- c:\winnt\system32\dllcache\ovca.sys
    2012-10-09 19:23 . 2001-08-17 11:50 13664 ----a-w- c:\winnt\system32\dllcache\n9i128.sys
    2012-10-09 19:22 . 2001-08-17 12:52 6528 ----a-w- c:\winnt\system32\dllcache\miniqic.sys
    2012-10-09 19:21 . 2008-04-13 23:09 14592 ----a-w- c:\winnt\system32\dllcache\kbdhid.sys
    2012-10-09 19:20 . 2001-08-17 11:49 58592 ----a-w- c:\winnt\system32\dllcache\i740nt5.sys
    2012-10-09 19:19 . 2008-04-13 23:06 20352 ----a-w- c:\winnt\system32\dllcache\hidbatt.sys
    2012-10-09 19:18 . 2001-08-17 12:28 595647 ----a-w- c:\winnt\system32\dllcache\es56cvmp.sys
    2012-10-09 19:17 . 2001-08-17 11:11 29696 ----a-w- c:\winnt\system32\dllcache\dm9pci5.sys
    2012-10-09 19:16 . 2001-08-17 11:11 39936 ----a-w- c:\winnt\system32\dllcache\cnxt1803.sys
    2012-10-09 19:15 . 2008-04-14 04:41 377984 ----a-w- c:\winnt\system32\dllcache\ati2dvaa.dll
    2012-10-09 19:00 . 2012-10-09 20:14 181064 ----a-w- c:\winnt\PSEXESVC.EXE
    2012-10-09 18:59 . 2012-10-09 20:14 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
    2012-10-08 20:54 . 2012-10-08 20:54 -------- d-----w- c:\winnt\Application Data
    2012-10-07 17:42 . 2012-10-07 17:42 -------- d-----w- c:\winnt\PIF
    2012-10-07 16:23 . 2012-10-07 16:23 -------- d-----w- c:\winnt\Profiles
    2012-10-05 17:13 . 2012-10-05 17:13 -------- d-----w- c:\program files\ESET
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-24 11:18 . 2012-04-27 14:50 696520 ----a-w- c:\winnt\system32\FlashPlayerApp.exe
    2012-09-24 11:18 . 2011-06-09 07:30 73416 ----a-w- c:\winnt\system32\FlashPlayerCPLApp.cpl
    2012-08-28 15:14 . 1980-01-01 00:00 916992 ----a-w- c:\winnt\system32\wininet.dll
    2012-08-28 15:14 . 1980-01-01 00:00 43520 ----a-w- c:\winnt\system32\licmgr10.dll
    2012-08-28 15:14 . 1980-01-01 00:00 1469440 ----a-w- c:\winnt\system32\inetcpl.cpl
    2012-08-28 12:07 . 1980-01-01 00:00 385024 ----a-w- c:\winnt\system32\html.iec
    2012-08-24 13:53 . 1980-01-01 00:00 177664 ----a-w- c:\winnt\system32\wintrust.dll
    2012-08-21 13:33 . 2008-04-14 00:54 2148864 ----a-w- c:\winnt\system32\ntoskrnl.exe
    2012-08-21 12:58 . 2008-04-14 00:01 2027520 ----a-w- c:\winnt\system32\ntkrnlpa.exe
    2005-10-12 15:04 . 2005-10-12 15:04 131072 ----a-w- c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
    2012-04-21 01:18 . 2012-05-16 17:09 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\winnt\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "PHIME2002ASync"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "IgfxTray"="c:\winnt\system32\igfxtray.exe" [2008-10-16 150040]
    "HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2008-10-16 178712]
    "Persistence"="c:\winnt\system32\igfxpers.exe" [2008-10-16 150040]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-08 1044480]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-17 180224]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-11-18 115560]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\documents and settings\hmc05\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [N/A]
    ICTprintservice.lnk - \\ICADS3\netlogon\clusters\common\ICTprintservice.cmd [N/A]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Auto-sleep.lnk - c:\winnt\Installer\{F1F8CE7F-1D24-416F-BFA1-F7DD39D8A000}\mainicon.ico [2011-11-9 15086]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-243037206-41955558-561332275-166766\Scripts\Logoff\0\0]
    "Script"=userlog_logoff_3.04.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-243037206-41955558-561332275-166766\Scripts\Logon\0\0]
    "Script"=%logonserver%\netlogon\user4-GPO.bat
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AllAlertsDisabled"=dword:00000001
    "TermService"=dword:00000001
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R0 DwProt;DrWeb Protection;c:\winnt\system32\drivers\dwprot.sys [24/10/2012 11:23 149272]
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\winnt\system32\drivers\sfaudio.sys [01/01/1980 24064]
    R0 sptd;sptd;c:\winnt\system32\drivers\sptd.sys [17/12/2009 23:14 691696]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\winnt\system32\drivers\e1k5132.sys [01/01/1980 144480]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [25/09/2012 08:28 106656]
    R3 IFXTPM;IFXTPM;c:\winnt\system32\drivers\ifxtpm.sys [01/01/1980 36352]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\winnt\system32\Macromed\Flash\FlashPlayerUpdateService.exe [27/04/2012 14:50 250568]
    S3 COH_Mon;COH_Mon;c:\winnt\system32\drivers\COH_Mon.sys [03/07/2009 10:52 23888]
    S3 rkhdrv40;Rootkit Unhooker Driver; [x]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-29 c:\winnt\Tasks\Adobe Flash Player Updater.job
    - c:\winnt\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-27 11:18]
    .
    2012-10-29 c:\winnt\Tasks\MATLAB R2012a Startup Accelerator.job
    - c:\program files\MATLAB\R2012a\bin\win32\MATLABStartupAccelerator.exe [2012-03-22 03:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.imperial.ac.uk/
    uInternet Settings,ProxyOverride = <local>
    TCP: DhcpNameServer = 155.198.142.7 155.198.142.8
    DPF: {64A6114F-2976-4634-BE36-134BF84D369C} - hxxps://www3.imperial.ac.uk/eWebEditPro/ewebeditpro4.cab
    DPF: {A40B0AD4-B50E-4E58-8A1D-8544233807AD} - ftp://ftp.ni.com/pub/devzone/tut/cnx_lv8_runtime.exe
    DPF: {CAFECAFE-0013-0001-0023-ABCDEFABCDEF}
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\knuehkda.default\
    FF - prefs.js: browser.search.selectedEngine - Google.co.uk
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-10-29 09:37
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-343818398-507921405-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f3,73,79,a0,0d,21,93,42,a8,9d,fe,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f3,73,79,a0,0d,21,93,42,a8,9d,fe,\
    .
    Completion time: 2012-10-29 09:39:45
    ComboFix-quarantined-files.txt 2012-10-29 09:39
    ComboFix2.txt 2012-10-19 01:05
    ComboFix3.txt 2012-10-04 05:10
    ComboFix4.txt 2012-10-03 03:36
    ComboFix5.txt 2012-10-29 09:26
    .
    Pre-Run: 197,775,917,056 bytes free
    Post-Run: 199,163,875,328 bytes free
    .
    - - End Of File - - 20A2BF5765F694CF06E3086D0ABFCDE8
  15. weety

    weety Newcomer, in training Topic Starter Posts: 60

    ComboFix ran way faster than before (a few mins compared to many hours). I logged back in to the affected user account to recheck the symptoms. Windows Update fails differently to before (the website loads but displays an error message on the page). The same problem remains with installing Malwarebytes (even though it is actually installed now).
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please do the following:

    • Download and run mbam-clean.exe from here
    • It will ask to restart your computer; please allow it to do so (very important)
    • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
      • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
    • Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now set up any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or ask and we'll explain how to do it.
  17. weety

    weety Newcomer, in training Topic Starter Posts: 60

    I followed the steps. No change from before. Setup still completes fine in the Administrator account.
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    But is MBAM working?

    How is the overall state of the PC?
  19. weety

    weety Newcomer, in training Topic Starter Posts: 60

    Yes, MBAM looks fine. My point was that the MBAM installer cannot be run from the affected account (only the new, unaffected Administrator account). Similarly, Windows Update can only be run from the unaffected account.

    In fact, all of the original symptoms are more or less the same in the affected account, while the Administrator account works fine.
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Transfer/backup all personal files (documents, pics, etc.) from the bad account, then delete and recreate the account. That should solve that.

    MBAM and Windows Update are made to be run by an administrator account only. Maybe that'll help free your mind. :)
  21. weety

    weety Newcomer, in training Topic Starter Posts: 60

    I've been running Windows Update (and installing/uninstalling/using any number of programs) for the past 3 years on that account (which is listed as an 'administrator' account under User Accounts).

    Still, what you say certainly makes sense, so I'll get on with it...
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Let me know what happens/happened with it, and if it all worked out. :)

