Zoombli Trojan


#16 I_Need_a_Geek (Member, Topic Starter, 27 posts)
I thought I had disabled Avast since right-clicking only gives me the option to START On-Access Protection. So I tried to run ComboFix (Gotya), and I got some scary warning messages about having to disable Avast.

I ended the Combofix processes in Task Manager since I couldn't disable Avast, then I tried just removing Avast altogether from Add/Remove Programs. When I try to get rid of it, every time I get this error message:

A setiface error has occurred: 536870929
Try to reinstall or contact support, please.

Now, maybe something I should've mentioned earlier: this version of Avast expired just before all this happened. Which is why we are where we are; my mother was fooled into purchasing what she thought was an anti-virus, and it left us with Zoombli.

Is there a removal tool for Avast that I can download like we did for AVG? Until I somehow eliminate Avast, I can't run Combofix because I'm risking "possible machine damage," according to the warning messages.

#17 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

I can't run Combofix because I'm risking "possible machine damage," according to the warning messages.


I think your machine would probably be OK, but try this:

To uninstall Avast, download the removal tool from here.

#18 I_Need_a_Geek (Member, Topic Starter, 27 posts)

Here's the ComboFix log report:

ComboFix 09-11-08.03 - Annette 11/08/2009 20:58.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.478.141 [GMT -5:00]
Running from: c:\users\Annette\Desktop\gotya.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3061465669-755507561-164504389-500

.
((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2009-11-09 02:15 . 2009-11-09 02:16 -------- d-----w- c:\users\Annette\AppData\Local\temp
2009-11-09 02:15 . 2009-11-09 02:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-09 00:25 . 2009-11-09 00:25 -------- d-----w- C:\_OTL
2009-11-08 23:44 . 2009-11-08 23:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-07 19:39 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-11-07 19:39 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-07 19:38 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-11-07 19:38 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-07 19:38 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-11-07 19:38 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-07 19:34 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-11-07 19:34 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-24 22:06 . 2009-10-24 22:06 -------- d-----w- c:\users\Annette\AppData\Roaming\Malwarebytes
2009-10-24 22:04 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 22:04 . 2009-10-24 22:04 -------- d-----w- c:\programdata\Malwarebytes
2009-10-24 22:04 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 22:04 . 2009-10-24 22:38 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 01:34 . 2008-07-07 15:15 -------- d-----w- c:\program files\Alwil Software
2009-11-09 01:31 . 2006-12-18 14:25 12 ----a-w- c:\windows\bthservsdp.dat
2009-11-09 00:14 . 2007-07-02 01:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-09 00:05 . 2007-07-02 01:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-08 20:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-11-08 20:22 . 2006-12-18 14:37 -------- d-----w- c:\program files\Microsoft Works
2009-11-03 01:42 . 2009-10-03 22:49 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-03 22:22 . 2009-07-27 18:45 -------- d-----w- c:\programdata\HP Product Assistant
2009-09-28 16:54 . 2007-07-02 20:38 13119 ----a-w- c:\users\Annette\AppData\Roaming\nvModes.dat
2009-09-27 19:52 . 2007-07-20 12:14 -------- d-----w- c:\users\Annette\AppData\Roaming\HP
2009-09-27 19:00 . 2009-09-27 17:47 4096 d-----w- c:\program files\Advanced Registry Optimizer
2009-09-27 18:48 . 2009-09-27 18:14 -------- d-----w- c:\program files\Hard Disk Tune-Up
2009-09-27 18:35 . 2009-09-27 18:35 -------- d-----w- c:\program files\MemTurbo 4
2009-09-27 18:14 . 2009-09-27 17:47 -------- d-----w- c:\users\Annette\AppData\Roaming\Sammsoft
2009-09-20 17:45 . 2006-12-18 15:13 -------- d-----w- c:\program files\Java
2009-08-29 00:27 . 2009-09-02 22:09 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 22:09 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-11-07 19:37 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-11-07 19:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-11-07 19:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-11-07 19:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-19 18:12 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-14 16:27 . 2009-09-09 23:12 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 23:11 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 23:11 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 23:11 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 23:11 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 23:11 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 23:11 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 23:11 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 23:11 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 23:11 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 23:11 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-07-06 19:18 . 2009-07-06 19:18 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-27 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-27 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-27 81920]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-08 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):be,fd,cc,5a,fa,20,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2814986292-3480064556-1129061586-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-24 c:\windows\Tasks\WebReg HP Photosmart C4500 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2008-10-16 23:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1251053490&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Annette\AppData\Roaming\Mozilla\Firefox\Profiles\gzyc4mwd.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 21:15
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-11-09 21:29
ComboFix-quarantined-files.txt 2009-11-09 02:29

Pre-Run: 38,900,301,824 bytes free
Post-Run: 39,115,444,224 bytes free

- - End Of File - - C40CCDFAF589D2FE2AEDD3279F065AA1

#19 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello I_Need_a_Geek,

I see Windows Defender is showing as enabled. I wonder if you overlooked turning it off.

How to turn Windows Defender on or off

Applies to all editions of Windows Vista.

1. Open Windows Defender by clicking the Start button , clicking All Programs, and then clicking Windows Defender.

2. Click Tools, and then click Options.

3. Under Administrator options, select or clear the Use Windows Defender check box, and then click Save.

Administrator permission required. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Now

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=""

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.

Next

Please uninstall your copy of Malwarebytes and then download a new version of Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

So when you return please post
  • ComboFix.txt
  • MBAM log

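Added example, not code from this thread or from ComboFix's authors: a small Python parser for the "Reg Loading Points" section of the ComboFix logs posted in #18 and #22. It lists the Run/RunOnce autostarts with their binary paths and flags the Security Center values a helper looks at, including the VistaSp2 value that the CFScript above blanks. The embedded log text is a constructed, trimmed excerpt in the same layout as the posted logs, not the full log.

```python
import re

# Constructed sample: an excerpt laid out like the "Reg Loading Points" section
# of the ComboFix logs posted in this thread (trimmed; not the full log).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-08 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):be,fd,cc,5a,fa,20,ca,01

--- Other Services/Drivers In Memory ---
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# ComboFix appends "[YYYY-MM-DD size]" after each autostart binary it could stat.
AUTORUN_DATA_RE = re.compile(r'^"(?P<path>[^"]+)"(?: \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$')


def parse_reg_loading_points(log_text):
    """Return {registry key: {value name: raw data}} from the REGEDIT4 block."""
    entries, current, in_block = {}, None, False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line == "REGEDIT4":
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("--- "):  # the next log section begins
            break
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            entries.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            entries[current][value_match.group("name")] = value_match.group("data")
    return entries


def autostart_entries(entries):
    """List (key, name, path, date, size) for values under ...\\Run and ...\\RunOnce keys."""
    found = []
    for key, values in entries.items():
        if not re.search(r"\\Run(Once)?$", key, re.IGNORECASE):
            continue
        for name, data in values.items():
            m = AUTORUN_DATA_RE.match(data)
            if m:
                size = int(m.group("size")) if m.group("size") else None
                found.append((key, name, m.group("path"), m.group("date"), size))
    return found


def security_center_findings(entries):
    """Flag Security Center values a helper checks: monitoring switched off, the AV
    override set, and the VistaSp2 value that the CFScript in this thread blanks."""
    findings = []
    for key, values in entries.items():
        if "security center" not in key.lower():
            continue
        for name, data in values.items():
            if name in ("DisableMonitoring", "AntiVirusOverride") and data.strip() == "dword:00000001":
                findings.append((key, name, "set to 1: Security Center no longer monitors/alerts for this component"))
            elif name == "VistaSp2":
                findings.append((key, name, "present: the value the CFScript in this thread clears"))
    return findings
```

Call `parse_reg_loading_points` on a full ComboFix.txt and feed the result to the two reporting functions; the autostart list is what a helper cross-checks against known-good vendor paths before writing a CFScript.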

#20 I_Need_a_Geek (Member, Topic Starter, 27 posts)

Hello I_Need_a_Geek,

I see Windows Defender is showing as enabled. I wonder if you overlooked turning it off.


No, it's definitely turned off. It says so when I go to open it. I did exactly as you instructed earlier. Is there something else I should do to ensure it's turned off? Can I delete it from Vista? I'm not a fan of Defender anyway...

#21 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Not to worry... leave it for now. We can come back to that later if you wish.

Just proceed with the other actions. :)

#22 I_Need_a_Geek (Member, Topic Starter, 27 posts)

Here's that ComboFix log report:

ComboFix 09-11-08.03 - Annette 11/09/2009 22:27.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.478.74 [GMT -5:00]
Running from: c:\users\Annette\Desktop\gotya.exe
Command switches used :: c:\users\Annette\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-10 03:40 . 2009-11-10 04:02 -------- d-----w- c:\users\Annette\AppData\Local\temp
2009-11-10 03:40 . 2009-11-10 03:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-10 03:40 . 2009-11-10 03:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-09 00:25 . 2009-11-09 00:25 -------- d-----w- C:\_OTL
2009-11-08 23:44 . 2009-11-08 23:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-07 19:39 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-11-07 19:39 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-07 19:38 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-11-07 19:38 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-07 19:38 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-11-07 19:38 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-07 19:34 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-11-07 19:34 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-24 22:06 . 2009-10-24 22:06 -------- d-----w- c:\users\Annette\AppData\Roaming\Malwarebytes
2009-10-24 22:04 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 22:04 . 2009-10-24 22:04 -------- d-----w- c:\programdata\Malwarebytes
2009-10-24 22:04 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 22:04 . 2009-10-24 22:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 03:42 . 2006-12-18 14:25 12 ----a-w- c:\windows\bthservsdp.dat
2009-11-09 01:34 . 2008-07-07 15:15 -------- d-----w- c:\program files\Alwil Software
2009-11-09 00:14 . 2007-07-02 01:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-09 00:05 . 2007-07-02 01:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-08 20:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-11-08 20:22 . 2006-12-18 14:37 53248 d-----w- c:\program files\Microsoft Works
2009-11-03 01:42 . 2009-10-03 22:49 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-03 22:22 . 2009-07-27 18:45 4096 d-----w- c:\programdata\HP Product Assistant
2009-09-28 16:54 . 2007-07-02 20:38 13119 ----a-w- c:\users\Annette\AppData\Roaming\nvModes.dat
2009-09-27 19:52 . 2007-07-20 12:14 -------- d-----w- c:\users\Annette\AppData\Roaming\HP
2009-09-27 19:00 . 2009-09-27 17:47 4096 d-----w- c:\program files\Advanced Registry Optimizer
2009-09-27 18:48 . 2009-09-27 18:14 -------- d-----w- c:\program files\Hard Disk Tune-Up
2009-09-27 18:35 . 2009-09-27 18:35 -------- d-----w- c:\program files\MemTurbo 4
2009-09-27 18:14 . 2009-09-27 17:47 -------- d-----w- c:\users\Annette\AppData\Roaming\Sammsoft
2009-09-20 17:45 . 2006-12-18 15:13 -------- d-----w- c:\program files\Java
2009-08-29 00:27 . 2009-09-02 22:09 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 22:09 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-11-07 19:37 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-11-07 19:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-11-07 19:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-11-07 19:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-19 18:12 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-14 16:27 . 2009-09-09 23:12 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 23:11 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 23:11 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 23:11 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 23:11 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 23:11 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 23:11 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 23:11 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 23:11 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 23:11 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 23:11 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-07-06 19:18 . 2009-07-06 19:18 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-09_02.16.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-18 14:11 . 2009-11-10 04:02 68704 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-11-10 04:03 57066 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:02 . 2009-11-09 01:47 57066 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-06-30 03:08 . 2009-11-10 04:03 21276 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2814986292-3480064556-1129061586-1000_UserData.bin
+ 2009-11-10 03:44 . 2009-11-10 03:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-09 01:36 . 2009-11-09 01:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-10 03:44 . 2009-11-10 03:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-11-09 01:36 . 2009-11-09 01:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-27 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-27 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-27 81920]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-08 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):be,fd,cc,5a,fa,20,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2814986292-3480064556-1129061586-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001


--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-24 c:\windows\Tasks\WebReg HP Photosmart C4500 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2008-10-16 23:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1251053490&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Annette\AppData\Roaming\Mozilla\Firefox\Profiles\gzyc4mwd.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 23:03
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Annette\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\rundll32.exe
c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-11-10 23:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-10 04:20
ComboFix2.txt 2009-11-09 02:29

Pre-Run: 39,044,460,544 bytes free
Post-Run: 39,006,633,984 bytes free

- - End Of File - - C6F491DED751AB4A3A6C0C0248D035E8

#23 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello I_Need_a_Geek,

Is the Malwarebytes one coming?

See post #19 :)

#24 I_Need_a_Geek (Member, Topic Starter, 27 posts)

Sometime tomorrow. Didn't have enough time for each and every headache that arose tonight, but thanks for your patience. I need a week of Saturdays!!!

#25 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Sometime tomorrow. Didn't have enough time for each and every headache that arose tonight, but thanks for your patience. I need a week of Saturdays!!!


Know the feeling. :)

Just post it when you're ready. Plenty of time.

I'm not going anywhere. :)