Root kit removal - Page 2

**dvk01** · 30-Dec-2009, 11:15 AM **#16**

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished

Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply .

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

then we want to see why combofix keeps deleting google updater (we restored it as part of this fix) so after the fix is done & computer reboots

Download suspicious file packer from http://www.safer-networking.org/en/tools/index.html (direct download http://www.safer-networking.org/files/sfp.zip )

Unzip it to desktop, open it & paste in the contents of the quote box below, press next & it will create an archive (zip/cab file) on desktop

please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files

Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, When the file is listed in the windows press send to upload the file

Quote:

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

MDunn984 · 30-Dec-2009, 02:22 PM **#17**

Here is the new ComboFix output:

ComboFix 09-12-29.05 - Molly 12/30/2009 14:09:04.3.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1982.1242 [GMT -5:00]
Running from: c:\users\Molly\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\Drivers\gfjwiu.sys
.
---- Previous Run -------
.
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GFJWIU
-------\Service_gfjwiu

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.
2009-12-30 19:14 . 2009-12-30 19:14 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-30 19:14 . 2009-12-30 19:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-29 01:40 . 2009-12-29 01:40 0 ----a-w- c:\windows\system32\settings.dat
2009-12-28 23:43 . 2009-12-28 23:43 52224 ----a-w- c:\users\Molly\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS \SD10005.dll
2009-12-28 22:49 . 2009-12-28 23:43 117760 ----a-w- c:\users\Molly\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS \UIREPAIR.DLL
2009-12-28 22:49 . 2009-12-28 22:49 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2009-12-28 22:49 . 2009-12-28 22:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-28 22:49 . 2009-12-28 22:49 -------- d-----w- c:\users\Molly\AppData\Roaming\SUPERAntiSpyware.com
2009-12-28 22:48 . 2009-12-28 22:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-27 21:58 . 2009-12-27 21:58 -------- d-----w- c:\users\Molly\AppData\Local\DigitalBlue
2009-12-27 15:26 . 2009-12-27 15:29 -------- d-----w- c:\users\Molly\AppData\Roaming\Disney Pix 3.1
2009-12-27 15:25 . 2008-02-21 15:11 41216 ----a-w- c:\windows\system32\drivers\Capt9052.sys
2009-12-27 15:25 . 2008-02-21 15:10 26624 ----a-w- c:\windows\system32\drivers\Camd9052.sys
2009-12-27 15:25 . 2009-12-27 15:25 -------- d-----w- c:\program files\Disney Micro
2009-12-27 15:23 . 2007-05-03 16:21 29056 ----a-w- c:\windows\system32\drivers\Capt905c.sys
2009-12-27 15:23 . 2007-05-03 16:21 25088 ----a-w- c:\windows\system32\drivers\Camd905c.sys
2009-12-27 15:23 . 2009-12-27 15:24 -------- d-----w- c:\program files\DB CIF Cam
2009-12-27 15:22 . 2009-12-27 15:22 -------- d-----w- c:\program files\WMV9_VCM
2009-12-22 00:08 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-21 23:13 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-21 23:12 . 2009-12-21 23:12 -------- dc-h--w- c:\progra~2\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-21 23:11 . 2009-12-21 23:13 -------- d-----w- c:\progra~2\Lavasoft
2009-12-21 23:11 . 2009-12-21 23:11 -------- d-----w- c:\program files\Lavasoft
2009-12-21 20:36 . 2009-12-21 20:36 -------- d-----w- c:\program files\Trend Micro
2009-12-21 15:59 . 2009-12-21 15:59 -------- d-----w- c:\windows\system32\Profiles
2009-12-21 15:03 . 2009-12-21 15:57 -------- d-----w- c:\program files\Free Window Registry Repair
2009-12-21 14:52 . 2009-12-21 14:52 -------- d-----w- c:\users\Molly\AppData\Roaming\Malwarebytes
2009-12-21 14:52 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-21 14:52 . 2009-12-21 14:52 -------- d-----w- c:\progra~2\Malwarebytes
2009-12-21 14:52 . 2009-12-21 14:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 14:52 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-17 16:32 . 2009-12-17 16:32 -------- d-----w- c:\users\Molly\AppData\Local\ElevatedDiagnostics
2009-12-17 16:26 . 2009-12-17 16:27 -------- d-----w- c:\program files\Microsoft ATS
2009-12-17 13:06 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-17 13:06 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-17 13:06 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-17 13:06 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-17 13:06 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-17 13:06 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-17 13:06 . 2009-11-24 23:49 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-12-17 13:06 . 2009-12-17 13:06 -------- d-----w- c:\program files\Alwil Software
2009-12-15 01:52 . 2009-12-21 23:13 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-15 01:29 . 2009-12-16 13:02 -------- d-----w- c:\program files\Common Files\Authentium Shared
2009-12-12 08:01 . 2009-12-12 08:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2009-12-12 03:06 . 2009-12-12 03:06 -------- d-----w- c:\users\Molly\AppData\Local\WindowsUpdate
2009-12-09 20:13 . 2009-11-03 21:43 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 20:13 . 2009-11-03 21:42 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 20:13 . 2009-11-03 19:41 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-02 08:18 . 2009-12-02 08:18 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-02 08:01 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-12-01 18:21 . 2009-12-01 18:21 -------- d-----w- c:\windows\system32\ca-ES
2009-12-01 18:21 . 2009-12-01 18:21 -------- d-----w- c:\windows\system32\eu-ES
2009-12-01 18:21 . 2009-12-01 18:21 -------- d-----w- c:\windows\system32\vi-VN
2009-12-01 12:49 . 2009-12-01 12:49 -------- d-----w- c:\windows\system32\EventProviders
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 19:01 . 2008-01-22 02:25 12 ----a-w- c:\windows\bthservsdp.dat
2009-12-30 18:56 . 2009-01-11 23:17 -------- d-----w- c:\progra~2\Google Updater
2009-12-27 15:45 . 2008-01-24 16:46 85232 ----a-w- c:\users\Molly\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-27 15:26 . 2009-03-10 18:12 -------- d-----w- c:\program files\Disney
2009-12-27 15:25 . 2008-01-22 02:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-19 14:03 . 2008-01-25 00:59 -------- d-----w- c:\users\Molly\AppData\Roaming\LimeWire
2009-12-16 14:40 . 2009-11-30 12:29 -------- d-----w- c:\users\Molly\AppData\Roaming\KodakCredentialStore
2009-12-15 12:13 . 2008-02-01 15:07 7052 ----a-w- c:\users\Molly\AppData\Local\d3d9caps.dat
2009-12-13 20:16 . 2008-02-05 16:29 6422 ----a-w- c:\users\Molly\AppData\Roaming\wklnhst.dat
2009-12-12 23:58 . 2009-11-08 23:14 -------- d-----w- c:\progra~2\Microsoft Help
2009-12-12 23:56 . 2008-01-22 02:42 -------- d-----w- c:\program files\Microsoft Works
2009-12-09 21:36 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-02 08:18 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-02 08:18 . 2009-12-02 08:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-12-02 08:18 . 2009-12-02 08:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-01 18:29 . 2009-05-02 20:31 -------- d-----w- c:\progra~2\NVIDIA
2009-12-01 18:22 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-12-01 18:21 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-12-01 18:21 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-12-01 18:21 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2009-12-01 18:21 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-11-29 23:56 . 2009-11-29 23:56 -------- d-----w- c:\users\Molly\AppData\Roaming\Skinux
2009-11-29 23:55 . 2009-11-29 23:43 -------- d-----w- c:\progra~2\Kodak
2009-11-29 23:53 . 2009-11-29 23:53 -------- d-----w- c:\progra~2\ArcSoft
2009-11-29 23:53 . 2009-11-29 23:53 -------- d-----w- c:\users\Molly\AppData\Roaming\ArcSoft
2009-11-29 23:53 . 2009-11-29 23:52 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-11-29 23:52 . 2009-11-29 23:52 -------- d-----w- c:\program files\ArcSoft
2009-11-29 23:51 . 2009-11-29 23:45 -------- d-----w- c:\program files\Kodak
2009-11-29 23:49 . 2009-11-29 23:47 -------- d-----w- c:\program files\Common Files\Kodak
2009-11-24 21:03 . 2008-01-22 02:32 -------- d-----w- c:\progra~2\Roxio
2009-11-21 06:40 . 2009-12-09 20:14 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 20:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 20:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 20:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-08 23:16 . 2009-11-08 23:16 -------- d-----w- c:\program files\Microsoft.NET
2009-11-08 23:13 . 2009-11-08 22:17 -------- d-----w- c:\users\Molly\AppData\Roaming\GetRightToGo
2009-11-03 01:42 . 2009-10-03 12:17 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-26 08:01 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-08 21:08 . 2009-12-02 08:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-12-02 08:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-12-02 08:01 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 11:36 . 2009-12-09 20:14 243712 ----a-w- c:\windows\system32\rastls.dll
2008-01-22 10:08 . 2008-01-22 09:52 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-22 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-13 30192]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-03 1394000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-21 50688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavaso ft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDef end]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 06:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 18:32 203264 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-04 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 15:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 17:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-03 04:16 13535776 ----a-w- c:\windows\System32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-03 04:16 92704 ----a-w- c:\windows\System32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 23:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-09-24 09:41 4452352 ----a-w- c:\windows\RtHDVCpl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 15:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):0f,f9,8a,05,b4,72,ca,01
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/21/2009 6:13 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [12/17/2009 8:06 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [12/17/2009 8:06 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [12/17/2009 8:06 AM 53328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/5/2008 7:56 PM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [6/12/2008 2:56 PM 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/21/2008 9:37 PM 30192]
S3 SQTECH9052;Disney Micro;c:\windows\System32\drivers\Capt9052.sys [12/27/2009 10:25 AM 41216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2009-12-30 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:23]
2009-12-30 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:23]
2009-12-30 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:23]
2009-12-30 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:23]
2009-12-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 23:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.armstrongmywire.com/
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - hxxp://files.authentium.com/synacor/syus/bin/wizard.exe
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 14:14
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-30 14:15:52
ComboFix-quarantined-files.txt 2009-12-30 19:15
ComboFix2.txt 2009-12-30 15:32
Pre-Run: 206,427,873,280 bytes free
Post-Run: 206,412,677,120 bytes free
- - End Of File - - A8A0EC5BC1E26C6177EFBD0DBF8390B3

**dvk01** · 30-Dec-2009, 02:40 PM **#18**

it looks like it didn't replace the google updater

lets try this

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished

Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again and restore the file that was placed in quarantine Post the contents of the combofix-dequarantine.txt in your next reply .

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

the try with sfp so we get a copy & see what is happening please

MDunn984 · 30-Dec-2009, 02:53 PM **#19**

I will do this as soon as I get a chance. What is the google updater for?
So you know whatever we did last did get rid of the driver that had the malware that kept being found, my computer is scanning clean as of now, and I was planning to check its internet connectivity in a few minutes.

MDunn984 · 30-Dec-2009, 03:15 PM **#20**

The DeQuarantine file

C:\Qoobox\Quarantine\C\program files\Google\Common\Google Updater\GoogleUpdaterService.exe.vir -> C:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe ( 183280 bytes )

**dvk01** · 30-Dec-2009, 03:39 PM **#21**

now please download SFP as I described in post #16 so we can get a copy of the google updater to see why CF keeps deleting it

**dvk01** · 30-Dec-2009, 04:41 PM **#22**

Thanks

for the file

how is the computer now? any further problems or is it all clear now

MDunn984 · 30-Dec-2009, 05:39 PM **#23**

malwarebytes is finding the quarantine file of the driver that was infected....can I tell it to delete that? Should I?

**dvk01** · 31-Dec-2009, 03:57 AM **#24**

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click START then RUN
* Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for:

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!