
Multiple Malware Including Antimalware Doctor

Discussion in 'Virus & Other Malware Removal' started by Box_Jockey, Jul 3, 2010.

Thread Status:
Not open for further replies.
  1. Box_Jockey

    Box_Jockey Thread Starter

    Joined:
    Jul 3, 2010
    Messages:
    10
    I first noticed problems when Antimalware Doctor started popping up. I have run both Malwarebytes and Super Anti Spyware in safe mode with system restore turned off. Both find trojans and I remove them all as well as the quarantine items. Once I reboot nothing has changed. If I go back into safe mode and re-scan, it finds what seems to be the same things again. I am at my wit's end and I am not that savvy, so here is my HijackThis log. Please let me know if I posted the log incorrectly, or if it is not the right log to post. Any help would be greatly appreciated!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:16:34 AM, on 7/3/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
    O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [UVS10 Preload] H:\Program Files\Video\uvPL.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [skb] rundll32 "omldt.dll",,Run
    O4 - HKLM\..\Run: [Qligubacaxozab] rundll32.exe "C:\WINDOWS\ibutedap.dll",Startup
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
    O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: SATARaid.lnk = ?
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
    O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    --
    End of file - 6334 bytes
     
  2. Box_Jockey

    Box_Jockey Thread Starter

    Joined:
    Jul 3, 2010
    Messages:
    10
    My apologies, I forgot to mention that when I am in Windows (not in safe mode) no internet browsers I have work (IE and Chrome). In addition I cannot run Malwarebytes or Super Anti Spyware. I am unsure at this point if any other programs are affected.

    In addition I was reading forums for a different concern that led me to run services.msc. I was able to resolve that problem (Windows Audio had been disabled somehow). However I noticed one thing called "Remote Registry" that was set to start up automatically. The description did not sound good to me so I have disabled it. I hope that wasn't a bad choice and I don't know if it is related.
     
  3. Box_Jockey

    Box_Jockey Thread Starter

    Joined:
    Jul 3, 2010
    Messages:
    10
    Sorry for posting so much, but the instructions I have read said to have as much information as possible.

    Here are 3 Malwarebytes logs. I did the following steps to obtain these: reboot in safe mode, run full scan, then restart. Each time Antimalware Doctor appeared when Windows was not in safe mode. The only thing that changed in between obtaining these logs was that I ran a full scan with Super Anti Spyware in between the 2nd and 3rd log.

    LOG 1

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4131

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    7/2/2010 11:27:06 PM
    mbam-log-2010-07-02 (23-27-06).txt

    Scan type: Full scan (C:\|F:\|H:\|)
    Objects scanned: 199699
    Time elapsed: 1 hour(s), 15 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89033c2e-136c-4993-afc0-3709d186e3d8}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f97804c9-6fd3-4773-a6ba-b344927353a6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f97804c9-6fd3-4773-a6ba-b344927353a6}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.



    LOG 2

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4131

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    7/3/2010 12:01:18 AM
    mbam-log-2010-07-03 (00-01-18).txt

    Scan type: Quick scan
    Objects scanned: 124340
    Time elapsed: 11 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89033c2e-136c-4993-afc0-3709d186e3d8}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f97804c9-6fd3-4773-a6ba-b344927353a6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f97804c9-6fd3-4773-a6ba-b344927353a6}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.



    LOG 3

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4131

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    7/3/2010 10:09:47 AM
    mbam-log-2010-07-03 (10-09-47).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 178430
    Time elapsed: 1 hour(s), 2 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f97804c9-6fd3-4773-a6ba-b344927353a6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Again, sorry for so many posts.
     
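The three logs above show the same Tcpip\Parameters NameServer entries being "Quarantined and deleted successfully" scan after scan, which is the signature of a component the scanner is not removing re-writing them on every boot. As an added example (not code from this thread, from Malwarebytes or from the forum), here is a small Python script that parses this log format, lists which items recur across scans, pulls out the resolver addresses Trojan.DNSChanger wrote, and checks a NameServer value against the resolvers you expect to see after cleanup. The sample logs embedded in it are constructed, abbreviated copies of the posted detection lines, and 192.168.1.1 is a placeholder for a trusted resolver.

```python
"""Parse Malwarebytes' Anti-Malware 1.46 text logs and report what recurs across scans.

Added example for this thread, not Malwarebytes' own code. The sample logs below
are constructed: abbreviated copies of the detection lines in LOG 1-3 above.
"""
import re
from collections import Counter

LOG_1 = r"""Malwarebytes' Anti-Malware 1.46
Scan type: Full scan (C:\|F:\|H:\|)
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f97804c9-6fd3-4773-a6ba-b344927353a6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""
# LOG 2 in the thread repeats LOG 1's detections after a quick scan.
LOG_2 = LOG_1.replace(r"Full scan (C:\|F:\|H:\|)", "Quick scan")
LOG_3 = r"""Malwarebytes' Anti-Malware 1.46
Scan type: Full scan (C:\|)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f97804c9-6fd3-4773-a6ba-b344927353a6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.225,93.188.166.205 -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""
MBAM_LOGS = [LOG_1, LOG_2, LOG_3]

# A header such as "Registry Data Items Infected:" (no count after it) opens a detail section.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Detail line: "<item> (<family>) -> [Data: <data> -> ]<action>."
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, data (or None), action."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue  # summary block at the top of the log, or an empty section
        hit = ITEM_RE.match(line)
        if hit:
            detections.append({"section": section, **hit.groupdict()})
    return detections


def recurring_items(logs):
    """Items detected in more than one scan -> number of scans they appeared in.

    An item that is quarantined and deleted and then shows up again is being
    re-created by something the scanner did not remove.
    """
    seen = Counter()
    for text in logs:
        seen.update({d["item"] for d in parse_mbam_log(text)})
    return {item: n for item, n in seen.items() if n > 1}


def rogue_dns_servers(logs):
    """Distinct resolver addresses written by Trojan.DNSChanger across all scans."""
    servers = set()
    for text in logs:
        for d in parse_mbam_log(text):
            if d["family"] == "Trojan.DNSChanger" and d["data"]:
                servers.update(ip.strip() for ip in d["data"].split(","))
    return sorted(servers)


def unexpected_resolvers(nameserver_value, trusted):
    """Entries of a Tcpip Parameters NameServer value that are not in the trusted list.

    Windows stores the value as comma- or space-separated addresses; comparing the
    live value with the resolvers you expect is the post-cleanup check.
    """
    entries = [e for e in re.split(r"[,\s]+", nameserver_value.strip()) if e]
    return [e for e in entries if e not in set(trusted)]


if __name__ == "__main__":
    for item, n in recurring_items(MBAM_LOGS).items():
        print(f"seen in {n} scans: {item}")
    print("rogue resolvers:", rogue_dns_servers(MBAM_LOGS))
    # 192.168.1.1 is a placeholder for the resolver the user's router actually hands out.
    print("unexpected:", unexpected_resolvers("93.188.162.225,93.188.166.205", ["192.168.1.1"]))
```

Run it against the real log files by reading them into the list instead of the constructed strings; the recurring-items output is the list of things to look for a persistence mechanism behind (here a scheduled task and the per-interface DNS values), and the unexpected-resolvers check is what to run on the live registry value once cleanup is believed complete.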
  4. Rorschach112

    Rorschach112

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

      Click me

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
     
  5. Box_Jockey

    Box_Jockey Thread Starter

    Joined:
    Jul 3, 2010
    Messages:
    10
    I can only do things in safe mode, so I will transfer ComboFix from my laptop to the infected computer. I am assuming in safe mode I do not need to disable any scanners, correct?
     
  6. Box_Jockey

    Box_Jockey Thread Starter

    Joined:
    Jul 3, 2010
    Messages:
    10
    I am not the sharpest knife in the drawer, but I am assuming that even in safe mode with networking this machine will not be able to connect to the internet as it is wifi only. I have rebooted to regular mode. The bad news: whatever this is blocks ComboFix. When I double click the file, you can see the first load bar pop up for a second and even the name ComboFix pops up in the task manager, but then it disappears.
     
  7. Box_Jockey

    Box_Jockey Thread Starter

    Joined:
    Jul 3, 2010
    Messages:
    10
    I read an earlier post and downloaded VRT and ran it in safe mode. I was unable to save the log before it rebooted. However Antimalware Doctor did not appear on this reboot. As a result I can run combofix now so I will post the log shortly.
     
  8. Box_Jockey

    Box_Jockey Thread Starter

    Joined:
    Jul 3, 2010
    Messages:
    10
    I don't know if it needs mentioning, but when ComboFix first ran it said it found a rootkit and needed to reboot. It rebooted and scanned on startup and generated the log. Log is as follows:


    ComboFix 10-07-01.02 - TBone 07/03/2010 12:31:35.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.741 [GMT -5:00]
    Running from: c:\documents and settings\TBone\Desktop\ComboFix.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\docume~1\TBone\LOCALS~1\Temp\install_flash_player.exe
    c:\program files\Search Settings
    c:\program files\Search Settings\kb127\SearchSettings.dll
    c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
    c:\program files\Search Settings\SearchSettings.exe
    c:\windows\ibutedap.dll
    c:\windows\system32\logs
    c:\windows\system32\spool\prtprocs\w32x86\e5555.dll
    c:\windows\system32\spool\prtprocs\w32x86\eIQ317.dll
    c:\windows\system32\spool\prtprocs\w32x86\g55aA.dll
    c:\windows\system32\spool\prtprocs\w32x86\i17q31c9.dll
    c:\windows\system32\spool\prtprocs\w32x86\mYW5u.dll
    c:\windows\system32\spool\prtprocs\w32x86\qG55a.dll
    c:\windows\system32\spool\prtprocs\w32x86\u3mYWS17s.dll
    c:\windows\system32\spool\prtprocs\w32x86\wS5eI.dll
    Infected copy of c:\windows\system32\drivers\intelide.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
    .
    2010-07-03 16:41 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\84094592.sys
    2010-07-03 16:41 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\8409459.sys
    2010-07-03 16:41 . 2009-09-25 22:59 128016 ----a-w- c:\windows\system32\drivers\84094591.sys
    2010-07-03 07:16 . 2010-07-03 07:16 -------- d-----w- c:\program files\Trend Micro
    2010-07-03 05:23 . 2010-07-03 05:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-07-03 05:23 . 2010-07-03 05:23 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-03 05:23 . 2010-07-03 05:23 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-07-03 05:22 . 2010-07-03 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-07-03 05:22 . 2010-07-03 05:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2010-07-03 05:22 . 2010-07-03 05:22 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-03 02:47 . 2010-07-03 02:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-03 00:52 . 2010-07-03 00:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-07-03 00:47 . 2010-07-03 00:47 -------- d-----w- C:\spoolerlogs
    2010-07-03 00:47 . 2010-07-03 06:59 0 ----a-w- c:\windows\Pjerilojihumev.bin
    2010-07-03 00:47 . 2010-07-03 00:47 120 ----a-w- c:\windows\Kqukejided.dat
    2010-07-03 00:21 . 2010-07-03 00:21 -------- d-----w- c:\windows\system32\NtmsData
    2010-06-10 04:49 . 2010-06-10 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-06-10 04:24 . 2010-06-10 04:24 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
    2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3884\AdobeARM.exe
    2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3884\AdobeExtractFiles.dll
    2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3884\ReaderUpdater.exe
    2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3884\AcrobatUpdater.exe
    2010-06-08 23:33 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-03 02:46 . 2009-06-16 01:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-06-10 04:54 . 2008-08-26 22:35 -------- d-----w- c:\program files\iTunes
    2010-06-10 04:51 . 2008-08-26 22:36 -------- d-----w- c:\program files\iPod
    2010-06-10 04:51 . 2008-08-26 22:24 -------- d-----w- c:\program files\Common Files\Apple
    2010-06-10 04:41 . 2008-08-26 22:31 -------- d-----w- c:\program files\QuickTime
    2010-06-10 04:31 . 2008-08-26 22:34 -------- d-----w- c:\program files\Bonjour
    2010-05-22 19:20 . 2010-05-22 19:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-22 19:20 . 2010-05-22 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-05-22 19:09 . 2009-04-24 03:17 -------- d-----w- c:\program files\Lavasoft
    2010-05-21 23:10 . 2008-08-23 21:21 -------- d-----w- c:\program files\Vuze
    2010-05-06 10:41 . 2008-04-23 00:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2008-04-14 08:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 20:39 . 2010-05-22 19:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 20:39 . 2010-05-22 19:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-20 05:30 . 2008-04-14 08:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-16 13:33 . 2008-09-10 03:01 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2010-04-16 13:33 . 2008-09-10 03:01 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    .
    ------- Sigcheck -------
    [-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AtiTrayTools"="c:\program files\Ray Adams\ATI Tray Tools\atitray.exe" [2007-05-22 521128]
    "Google Update"="c:\documents and settings\TBone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-05 133104]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
    "Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-23 344064]
    "UVS10 Preload"="h:\program files\Video\uvPL.exe" [2006-08-09 36864]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-25 148888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"="shell32" [X]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2009-6-5 581632]
    SATARaid.lnk - c:\program files\Silicon Image\SiISATARaid\SATARaid.exe [2008-8-23 1060921]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    R0 84094592;84094592 Boot Guard Driver;c:\windows\system32\drivers\84094592.sys [7/3/2010 11:41 AM 37392]
    R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 3:04 AM 116264]
    R1 84094591;84094591;c:\windows\system32\drivers\84094591.sys [7/3/2010 11:41 AM 128016]
    R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 4:04 AM 18088]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
    R1 setup_9.0.0.722_03.07.2010_19-47drv;setup_9.0.0.722_03.07.2010_19-47drv;c:\windows\system32\drivers\8409459.sys [7/3/2010 11:41 AM 315408]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    .
    Contents of the 'Scheduled Tasks' folder
    2010-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
    2010-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-287218729-1606980848-1003Core.job
    - c:\documents and settings\TBone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-05 22:20]
    2010-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-287218729-1606980848-1003UA.job
    - c:\documents and settings\TBone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-05 22:20]
    2010-07-03 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 03:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -
    WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
    HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    HKCU-Run-070700Setup.exe - c:\documents and settings\TBone\Application Data\1F8ED67881C41F573CEB4452712233E0\070700Setup.exe
    HKCU-Run-yrybptmr - c:\documents and settings\TBone\Local Settings\Application Data\bxqobhvqy\dsbjnugtssd.exe
    HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
    HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
    HKLM-Run-skb - omldt.dll
    HKLM-Run-Qligubacaxozab - c:\windows\ibutedap.dll
    AddRemove-$NtUninstallWTF1012$ - c:\program files\$NtUninstallWTF1012$\elUninstall.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-03 12:43
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    @=""
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    @=""
    "Installed"="1"
    "NoChange"="1"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    @=""
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
    @DACL=(02 0000)
    "LLInterface"="WANARP"
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{FF51A973-0119-4851-BB25-02726FFDC503}\00Tcpip\\Parameters\\Interfaces\\{07005B54-D0AC-4E23-9871-01C5DE196FF9}\00\00"
    "NumInterfaces"=dword:00000002
    "IpInterfaces"=hex:73,a9,51,ff,19,01,51,48,bb,25,02,72,6f,fd,c5,03,54,5b,00,07,
    ac,d0,23,4e,98,71,01,c5,de,19,6f,f9
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{7A4E7A1D-7992-4164-8C61-C41F36E141DB}]
    @DACL=(02 0000)
    "LLInterface"=""
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{7A4E7A1D-7992-4164-8C61-C41F36E141DB}\00\00"
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{89033C2E-136C-4993-AFC0-3709D186E3D8}]
    @DACL=(02 0000)
    "LLInterface"=""
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{89033C2E-136C-4993-AFC0-3709D186E3D8}\00\00"
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{F97804C9-6FD3-4773-A6BA-B344927353A6}]
    @DACL=(02 0000)
    "LLInterface"=""
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{F97804C9-6FD3-4773-A6BA-B344927353A6}\00\00"
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{07005B54-D0AC-4E23-9871-01C5DE196FF9}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7A4E7A1D-7992-4164-8C61-C41F36E141DB}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDeadGWDetect"=dword:00000001
    "EnableDHCP"=dword:00000001
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "DefaultGatewayMetric"=multi:"\00"
    "NameServer"=""
    "Domain"=""
    "RegistrationEnabled"=dword:00000001
    "RegisterAdapterName"=dword:00000000
    "TCPAllowedPorts"=multi:"0\00\00"
    "UDPAllowedPorts"=multi:"0\00\00"
    "RawIPAllowedProtocols"=multi:"0\00\00"
    "NTEContextList"=multi:"0x00000003\00\00"
    "DhcpClassIdBin"=hex:
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9DF96741-DACA-47F2-9849-018BED49A285}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C23822FC-006F-4CCE-AD4F-20A4F5D806C3}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E6A131C3-9175-47DD-87A6-AC4F4AD32DCA}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FF51A973-0119-4851-BB25-02726FFDC503}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(708)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-07-03 12:48:33
    ComboFix-quarantined-files.txt 2010-07-03 17:48
    Pre-Run: 1,169,846,272 bytes free
    Post-Run: 1,839,304,704 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    - - End Of File - - 6803D5210B7F65B31AEBDE0BD325A6D0
     
  9. Rorschach112

    Rorschach112

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\sfcfiles.dll
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.



    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://forums.techguy.org/virus-other-malware-removal/933057-multiple-malware-including-antimalware-doctor.html
    
    Collect::
    c:\windows\Pjerilojihumev.bin
    c:\windows\Kqukejided.dat
    
    Suspect::
    Save this as CFScript.txt



    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
     
  10. Box_Jockey

    Box_Jockey Thread Starter

    Joined:
    Jul 3, 2010
    Messages:
    10
    Man, I'm glad you're here. I have no idea what any of this means!

    VirScan Log

    VirSCAN.org Scanned Report :
    Scanned time : 2010/07/03 13:36:28 (CDT)
    Scanner results: Scanners did not find malware!
    File Name : sfcfiles.dll
    File Size : 1614848 byte
    File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
    MD5 : 362bc5af8eaf712832c58cc13ae05750
    SHA1 : c8c2d44f34115f27f10bc435dd986d4eff00fe3f
    Online report : http://virscan.org/report/3b0ed63b1c200c978350e95432d7e032.html
    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.0.0.13 20100703011713 2010-07-03 5.36 -
    AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 1.20 -
    AntiVir 8.2.4.2 7.10.8.247 2010-07-02 0.26 -
    Antiy 2.0.18 20100704.4827970 2010-07-04 0.12 -
    Arcavir 2009 201006281601 2010-06-28 0.01 -
    Authentium 5.1.1 201007031337 2010-07-03 1.27 -
    AVAST! 4.7.4 100703-0 2010-07-03 0.08 -
    AVG 8.5.793 271.1.1/2979 2010-07-03 0.24 -
    BitDefender 7.90123.6369113 7.32571 2010-07-04 3.82 -
    ClamAV 0.96.1 11317 2010-07-03 0.26 -
    Comodo 3.13.579 5303 2010-07-03 1.00 -
    CP Secure 1.3.0.5 2010.07.03 2010-07-03 0.43 -
    Dr.Web 5.0.2.3300 2010.07.04 2010-07-04 8.73 -
    F-Prot 4.4.4.56 20100703 2010-07-03 1.31 -
    F-Secure 7.02.73807 2010.07.03.01 2010-07-03 0.23 -
    Fortinet 4.1.133 12.112 2010-07-03 0.14 -
    GData 21.454/21.165 20100703 2010-07-03 6.99 -
    ViRobot 20100703 2010.07.03 2010-07-03 0.40 -
    Ikarus T3.1.01.84 2010.07.03.76188 2010-07-03 7.22 -
    JiangMin 13.0.900 2010.07.03 2010-07-03 1.48 -
    Kaspersky 5.5.10 2010.07.03 2010-07-03 0.09 -
    KingSoft 2009.2.5.15 2010.7.3.7 2010-07-03 0.62 -
    McAfee 5400.1158 6032 2010-07-03 17.26 -
    Microsoft 1.5902 2010.07.03 2010-07-03 6.79 -
    Norman 6.05.10 6.05.00 2010-07-02 6.01 -
    Panda 9.05.01 2010.06.30 2010-06-30 0.56 -
    Trend Micro 9.120-1004 7.282.10 2010-07-03 0.09 -
    Quick Heal 10.00 2010.06.30 2010-06-30 2.40 -
    Rising 20.0 22.54.04.04 2010-07-02 1.33 -
    Sophos 3.09.0 4.55 2010-07-04 3.61 -
    Sunbelt 3.9.2426.2 6538 2010-07-02 8.19 -
    Symantec 1.3.0.24 20100703.003 2010-07-03 0.19 -
    nProtect 20100703.02 8889503 2010-07-03 8.27 -
    The Hacker 6.5.2.1 v00307 2010-07-01 0.45 -
    VBA32 3.12.12.5 20100702.0840 2010-07-02 2.89 -
    VirusBuster 4.5.11.10 10.126.116/2044707 2010-07-04 2.42 -



    CF Log

    ComboFix 10-07-01.02 - TBone 07/03/2010 13:42:51.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.597 [GMT -5:00]
    Running from: c:\documents and settings\TBone\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\TBone\Desktop\CFScript.txt
    file zipped: c:\windows\Kqukejided.dat
    file zipped: c:\windows\Pjerilojihumev.bin
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\Kqukejided.dat
    c:\windows\Pjerilojihumev.bin
    .
    ((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
    .
    2010-07-03 16:41 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\84094592.sys
    2010-07-03 16:41 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\8409459.sys
    2010-07-03 16:41 . 2009-09-25 22:59 128016 ----a-w- c:\windows\system32\drivers\84094591.sys
    2010-07-03 07:16 . 2010-07-03 07:16 -------- d-----w- c:\program files\Trend Micro
    2010-07-03 05:23 . 2010-07-03 05:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-07-03 05:23 . 2010-07-03 05:23 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-03 05:23 . 2010-07-03 05:23 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-07-03 05:22 . 2010-07-03 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-07-03 05:22 . 2010-07-03 05:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2010-07-03 05:22 . 2010-07-03 05:22 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-03 02:47 . 2010-07-03 02:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-03 00:52 . 2010-07-03 00:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-07-03 00:47 . 2010-07-03 00:47 -------- d-----w- C:\spoolerlogs
    2010-07-03 00:21 . 2010-07-03 00:21 -------- d-----w- c:\windows\system32\NtmsData
    2010-06-10 04:49 . 2010-06-10 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-06-10 04:24 . 2010-06-10 04:24 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
    2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3884\AdobeARM.exe
    2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3884\AdobeExtractFiles.dll
    2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3884\ReaderUpdater.exe
    2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\3884\AcrobatUpdater.exe
    2010-06-08 23:33 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-03 02:46 . 2009-06-16 01:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-06-10 04:54 . 2008-08-26 22:35 -------- d-----w- c:\program files\iTunes
    2010-06-10 04:51 . 2008-08-26 22:36 -------- d-----w- c:\program files\iPod
    2010-06-10 04:51 . 2008-08-26 22:24 -------- d-----w- c:\program files\Common Files\Apple
    2010-06-10 04:41 . 2008-08-26 22:31 -------- d-----w- c:\program files\QuickTime
    2010-06-10 04:31 . 2008-08-26 22:34 -------- d-----w- c:\program files\Bonjour
    2010-05-22 19:20 . 2010-05-22 19:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-22 19:20 . 2010-05-22 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-05-22 19:09 . 2009-04-24 03:17 -------- d-----w- c:\program files\Lavasoft
    2010-05-21 23:10 . 2008-08-23 21:21 -------- d-----w- c:\program files\Vuze
    2010-05-06 10:41 . 2008-04-23 00:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2008-04-14 08:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 20:39 . 2010-05-22 19:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 20:39 . 2010-05-22 19:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-20 05:30 . 2008-04-14 08:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-16 13:33 . 2008-09-10 03:01 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2010-04-16 13:33 . 2008-09-10 03:01 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    .
    ------- Sigcheck -------
    [-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AtiTrayTools"="c:\program files\Ray Adams\ATI Tray Tools\atitray.exe" [2007-05-22 521128]
    "Google Update"="c:\documents and settings\TBone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-05 133104]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
    "Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-23 344064]
    "UVS10 Preload"="h:\program files\Video\uvPL.exe" [2006-08-09 36864]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-25 148888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"="shell32" [X]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2009-6-5 581632]
    SATARaid.lnk - c:\program files\Silicon Image\SiISATARaid\SATARaid.exe [2008-8-23 1060921]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    R0 84094592;84094592 Boot Guard Driver;c:\windows\system32\drivers\84094592.sys [7/3/2010 11:41 AM 37392]
    R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 3:04 AM 116264]
    R1 84094591;84094591;c:\windows\system32\drivers\84094591.sys [7/3/2010 11:41 AM 128016]
    R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 4:04 AM 18088]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
    R1 setup_9.0.0.722_03.07.2010_19-47drv;setup_9.0.0.722_03.07.2010_19-47drv;c:\windows\system32\drivers\8409459.sys [7/3/2010 11:41 AM 315408]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    .
    Contents of the 'Scheduled Tasks' folder
    2010-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
    2010-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-287218729-1606980848-1003Core.job
    - c:\documents and settings\TBone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-05 22:20]
    2010-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-287218729-1606980848-1003UA.job
    - c:\documents and settings\TBone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-05 22:20]
    2010-07-03 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 03:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-03 13:52
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    @=""
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    @=""
    "Installed"="1"
    "NoChange"="1"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    @=""
    "Installed"="1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(708)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-07-03 13:56:49
    ComboFix-quarantined-files.txt 2010-07-03 18:56
    ComboFix2.txt 2010-07-03 17:48
    Pre-Run: 1,782,427,648 bytes free
    Post-Run: 1,771,790,336 bytes free
    - - End Of File - - 37508B392BF75905680D7318CD0B7787
    Upload was successful
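The two checks a responder actually performs on the logs above are mechanical enough to script: confirming that the file VirSCAN scanned is the same bytes ComboFix's Sigcheck line flagged (same MD5 and size, so the multi-engine verdict applies to that file), and pulling the indicators worth a second look out of the ComboFix log, in particular the `ProxyServer = http=127.0.0.1:5577` entry in the Supplementary Scan (an IE proxy on the loopback address that the user never configured is a classic sign of a trojan inserting itself into the browser's traffic path) and kernel drivers created in the days before the scan. The following is an added example, not ComboFix's, VirSCAN's or the helper's own code; the sample lines are copied from the logs posted above, and the regexes, the 7-day driver window and the function names are this example's assumptions. ComboFix's `[-]` Sigcheck flag is passed through unchanged; its meaning is not defined here.

```python
r"""Triage helpers for a ComboFix log and a VirSCAN report (added example).

The sample input is copied from the logs in this thread; the regexes and the
"recent driver" window are this example's assumptions, not ComboFix's logic.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample: a handful of lines lifted from the ComboFix log above.
SAMPLE_COMBOFIX = r"""
2010-07-03 16:41 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\84094592.sys
2010-07-03 16:41 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\8409459.sys
2010-07-03 07:16 . 2010-07-03 07:16 -------- d-----w- c:\program files\Trend Micro
2010-05-02 05:22 . 2008-04-14 08:00 1851264 ----a-w- c:\windows\system32\win32k.sys
------- Sigcheck -------
[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
"""

# Constructed sample: the header of the VirSCAN report posted above.
SAMPLE_VIRSCAN = r"""
File Name : sfcfiles.dll
File Size : 1614848 byte
MD5 : 362bc5af8eaf712832c58cc13ae05750
SHA1 : c8c2d44f34115f27f10bc435dd986d4eff00fe3f
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
# "<created> . <modified> <size|dashes> <attrs> <path>" as ComboFix prints it
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-+) (\S+) (.+)$")
# "[flag] date . MD5 . size . . [version] . . path" from the Sigcheck section
SIGCHECK_RE = re.compile(
    r"^\[(.)\] (\S+) \. ([0-9A-Fa-f]{32}) \. (\d+) \. \. \[([^\]]*)\] \. \. (.+)$")
VIRSCAN_RE = re.compile(r"^(File Size|MD5|SHA1)\s*:\s*(\S+)", re.M)

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def loopback_proxies(log):
    """Every IE ProxyServer value that points at the local machine."""
    hits = []
    for m in PROXY_RE.finditer(log):
        value = m.group(1)                       # e.g. "http=127.0.0.1:5577"
        host = value.split("=", 1)[-1].rsplit(":", 1)[0].strip("[]")
        if host.lower() in LOOPBACK:
            hits.append(value)
    return hits


def recent_drivers(log, scan_date, days=7):
    """Kernel drivers (.sys) created within `days` before the ISO `scan_date`.

    The 7-day window is an assumption of this example.
    """
    cutoff = datetime.strptime(scan_date, "%Y-%m-%d") - timedelta(days=days)
    found = []
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        path = m.group(5).strip()
        if path.lower().endswith(".sys") and created >= cutoff:
            found.append(path)
    return found


def sigcheck_entries(log):
    """Parse the Sigcheck lines; the flag (e.g. '-') is passed through as-is."""
    entries = []
    for line in log.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append({"flag": m.group(1), "date": m.group(2),
                            "md5": m.group(3).lower(), "size": int(m.group(4)),
                            "version": m.group(5), "path": m.group(6).strip()})
    return entries


def virscan_summary(report):
    """Size, MD5 and SHA-1 from the header of a VirSCAN report."""
    fields = dict(VIRSCAN_RE.findall(report))
    return {"size": int(fields["File Size"]),
            "md5": fields["MD5"].lower(),
            "sha1": fields.get("SHA1", "").lower()}


def report_matches_sigcheck(report, entry):
    """True when the online scanners saw the same bytes (by MD5 and size)
    that ComboFix flagged, so the multi-engine verdict applies to that file."""
    summary = virscan_summary(report)
    return summary["md5"] == entry["md5"] and summary["size"] == entry["size"]


def hashes(data):
    """MD5 and SHA-1 hex digests of a file's bytes, as the reports print them."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    print("loopback proxies:", loopback_proxies(SAMPLE_COMBOFIX))
    print("recent drivers:", recent_drivers(SAMPLE_COMBOFIX, "2010-07-03"))
    for e in sigcheck_entries(SAMPLE_COMBOFIX):
        print(e["path"], "matches VirSCAN:",
              report_matches_sigcheck(SAMPLE_VIRSCAN, e))
```

Run against the real files, `hashes(open(path, "rb").read())` gives the pair to compare with the report header before uploading anything; a mismatch means the scanners looked at a different file (for example one already replaced by a cleanup tool). The two drivers the script lists were created at the time of the scan and sit next to a service named `setup_9.0.0.722_03.07.2010_19-47drv`, so their appearance is worth confirming against whatever tool was run that morning rather than assuming malice; the loopback proxy, by contrast, has no benign explanation on a home machine and should be cleared from Internet Options.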
     
  11. Rorschach112

    Rorschach112

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Nearly done now.

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, so make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






    Go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  12. Box_Jockey

    Box_Jockey Thread Starter

    Joined:
    Jul 3, 2010
    Messages:
    10
    Sorry for the delay; Kaspersky took 20 minutes shy of eight hours to run.

    Malwarebytes Log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4278
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    7/5/2010 12:12:38 PM
    mbam-log-2010-07-05 (12-12-38).txt
    Scan type: Quick scan
    Objects scanned: 130033
    Time elapsed: 14 minute(s), 4 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 4
    Files Infected: 1
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\EWABQAF7KL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    C:\Documents and Settings\TBone\Application Data\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
    C:\Documents and Settings\TBone\Application Data\Sky-Banners\skb (Adware.Adrotator) -> Quarantined and deleted successfully.
    C:\Documents and Settings\TBone\Application Data\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
    C:\Documents and Settings\TBone\Application Data\Street-Ads\sta (Adware.Adrotator) -> Quarantined and deleted successfully.
    Files Infected:
    C:\Documents and Settings\TBone\Application Data\Sky-Banners\skb\log.xml (Adware.Adrotator) -> Quarantined and deleted successfully.


    Kaspersky Log

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, July 5, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, July 05, 2010 13:23:12
    Records in database: 4243559
    --------------------------------------------------------------------------------
    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes
    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    H:\
    Scan statistics:
    Objects scanned: 86804
    Threats found: 6
    Infected objects found: 23
    Suspicious objects found: 0
    Scan duration: 07:42:53

    File name / Threat / Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\intelide.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\e5555.dll.vir Infected: Backdoor.Win32.TDSS.tu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\eIQ317.dll.vir Infected: Backdoor.Win32.TDSS.tu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\g55aA.dll.vir Infected: Backdoor.Win32.TDSS.tu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\i17q31c9.dll.vir Infected: Backdoor.Win32.TDSS.tu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\mYW5u.dll.vir Infected: Backdoor.Win32.TDSS.tu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\qG55a.dll.vir Infected: Backdoor.Win32.TDSS.tu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\u3mYWS17s.dll.vir Infected: Backdoor.Win32.TDSS.tu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\wS5eI.dll.vir Infected: Backdoor.Win32.TDSS.tu 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000007.dll Infected: Backdoor.Win32.TDSS.tu 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000009.exe Infected: Trojan-Dropper.Win32.FrauDrop.auj 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000010.exe Infected: Backdoor.Win32.TDSS.tt 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000011.dll Infected: Trojan-Spy.Win32.Zbot.alaf 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000150.sys Infected: Rootkit.Win32.TDSS.ap 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000193.dll Infected: Backdoor.Win32.TDSS.tu 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000194.dll Infected: Backdoor.Win32.TDSS.tu 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000195.dll Infected: Backdoor.Win32.TDSS.tu 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000196.dll Infected: Backdoor.Win32.TDSS.tu 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000197.dll Infected: Backdoor.Win32.TDSS.tu 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000198.dll Infected: Backdoor.Win32.TDSS.tu 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000199.dll Infected: Backdoor.Win32.TDSS.tu 1
    C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000200.dll Infected: Backdoor.Win32.TDSS.tu 1
    F:\Music\Alternative\Ben Folds Five\The Unauthorized Biography of Reinhold Messner\hospital song ben folds five.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
    Selected area has been scanned.
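Reading a report like the one above is mostly a matter of where each hit lives rather than how many there are: 22 of the 23 infected objects sit under `C:\Qoobox\Quarantine` (ComboFix's quarantine, note the `.vir` suffix) or under `System Volume Information\_restore{...}` (System Restore's copies of files that were already removed), so they are inert and disappear when those stores are purged. The only live-path detection is the media file on `F:`, whose `GetCodec` verdict refers to the WMA "download a codec" lure, which is why the answer in this thread is simply to delete it. The following is an added example of that triage, not Kaspersky's or the helper's own code; the sample lines are copied from the report above, and the path rules, bucket names and `families()` convention (third dotted component of the verdict) are this example's assumptions.

```python
r"""Sort a Kaspersky Online Scanner report by where each hit lives (added example).

The sample lines are copied from the report above; the path rules encode this
example's assumptions about where ComboFix (C:\Qoobox\Quarantine) and System
Restore (System Volume Information\_restore{...}) keep their copies.
"""
import re

# Constructed sample: five representative lines from the report above.
SAMPLE_KASPERSKY = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\intelide.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\e5555.dll.vir Infected: Backdoor.Win32.TDSS.tu 1
C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000009.exe Infected: Trojan-Dropper.Win32.FrauDrop.auj 1
C:\System Volume Information\_restore{8A2AA8EA-8D4E-47CB-854D-46409B102E90}\RP1\A0000011.dll Infected: Trojan-Spy.Win32.Zbot.alaf 1
F:\Music\Alternative\Ben Folds Five\The Unauthorized Biography of Reinhold Messner\hospital song ben folds five.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
Selected area has been scanned.
"""

# "<path> Infected: <verdict> <count>"; the path may contain spaces.
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"            # ComboFix quarantine
RESTORE_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\", re.I)


def classify(path):
    """'quarantined', 'restore_point' or 'live' for a reported path."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantined"
    if RESTORE_RE.match(p):
        return "restore_point"
    return "live"


def parse_hits(report):
    """(path, verdict, count) for every detection line in the report."""
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["threat"], int(m["count"])))
    return hits


def triage(report):
    """Bucket the detections by where they live."""
    buckets = {"quarantined": [], "restore_point": [], "live": []}
    for path, threat, _ in parse_hits(report):
        buckets[classify(path)].append((path, threat))
    return buckets


def action_items(report):
    """Paths that still need action: only live-path detections.  Quarantine
    and restore-point copies are inert and vanish when those stores are purged."""
    return [path for path, _ in triage(report)["live"]]


def families(report):
    """Family names seen anywhere in the report (third dotted component of a
    Kaspersky verdict, e.g. 'Zbot' in 'Trojan-Spy.Win32.Zbot.alaf')."""
    out = set()
    for _, threat, _ in parse_hits(report):
        parts = threat.split(".")
        out.add(parts[2] if len(parts) >= 3 else parts[-1])
    return out


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_KASPERSKY).items():
        print(f"{bucket}: {len(items)}")
    print("families seen:", sorted(families(SAMPLE_KASPERSKY)))
    print("still to deal with:", action_items(SAMPLE_KASPERSKY))
```

`families()` is still worth running even when `action_items()` is empty: a report whose only hits are quarantined copies of TDSS, Zbot and FrauDrop tells you the machine carried a kernel rootkit and a banking trojan, which is the cue to change any passwords used from it once it is clean, something the detection counts alone do not convey.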
     
  13. Rorschach112

    Rorschach112

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    delete this file

    F:\Music\Alternative\Ben Folds Five\The Unauthorized Biography of Reinhold Messner\hospital song ben folds five.mp3



    Your logs are clean


    Follow these steps to uninstall Combofix and tools used in the removal of malware

    Uninstall ComboFix

    Remove Combofix now that we're done with it.
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    • Please follow the prompts to uninstall Combofix.
    • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.


    • Download OTC to your desktop and run it
    • Click Yes to begin the Cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.



    • Please read my guide on how to prevent malware and about safe computing here
    Thank you for your patience, and performing all of the procedures requested.
     
  14. Box_Jockey

    Box_Jockey Thread Starter

    Joined:
    Jul 3, 2010
    Messages:
    10
    Thank you so much for taking the time to help me with this! I will definitely be adopting some of the programs you mention in the link. I wish there were more people like you out there helping and less making malicious programs!!
     
  15. Rorschach112

    Rorschach112

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    no problem
     
Short URL to this thread: https://techguy.org/933057
