Danimals
-
Posts
6 -
Joined
-
Last visited
-
Hello friends, My name is Dan and i have virues =(. Here is my log, thanks for all the help "Scan ""Scheduled scan"" completed." "Infections";"8";"4";"4" "Warnings";"25";"25";"0" "Folders selected for scanning:";"Whole computer scan" "Scan started:";"Thursday, May 12, 2011, 3:56:07 PM" "Scan finished:";"Thursday, May 12, 2011, 4:02:08 PM (6 minute(s) )" "Total object scanned:";"444112" "User who launched the scan:";"SYSTEM" "Infections" "";"File";"Infection";"Result" "";"C:\WINDOWS\system32\wuauclt.exe (3432):\memory_001b0000";"Trojan horse Agent_r.XJ";"Object is inaccessible." "";"C:\WINDOWS\system32\wuauclt.exe (3432)";"Trojan horse Agent_r.XJ";"" "";"C:\WINDOWS\system32\svchost.exe (172):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible." "";"C:\WINDOWS\system32\svchost.exe (172)";"Trojan horse Agent_r.XJ";"" "";"C:\WINDOWS\system32\csrss.exe (756):\memory_00270000";"Trojan horse Agent_r.XJ";"Object is inaccessible." "";"C:\WINDOWS\system32\csrss.exe (756)";"Trojan horse Agent_r.XJ";"" "";"C:\WINDOWS\explorer.exe (564):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible." "";"C:\WINDOWS\explorer.exe (564)";"Trojan horse Agent_r.XJ";"" "Warnings" "";"File";"Infection";"Result" "";"C:\Documents and Settings\NetworkService\Cookies\system@ru4[4].txt:\ru4.com.5a5e0633";"Found Tracking cookie.Ru4";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@ru4[4].txt";"Found Tracking cookie.Ru4";"Healed" "";"C:\Documents and Settings\NetworkService\Cookies\system@realmedia[5].txt:\realmedia.com.ef906bac";"Found Tracking cookie.Realmedia";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@realmedia[5].txt:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@realmedia[5].txt";"Found Tracking cookie.Realmedia";"Healed" "";"C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[4].txt:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[4].txt:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[4].txt";"Found Tracking cookie.Questionmarket";"Healed" "";"C:\Documents and Settings\NetworkService\Cookies\system@atdmt[4].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@atdmt[4].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@atdmt[4].txt";"Found Tracking cookie.Atdmt";"Healed" "";"C:\Documents and Settings\NetworkService\Cookies\system@advertising[4].txt:\advertising.com.f62113d5";"Found Tracking cookie.Advertising";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@advertising[4].txt:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@advertising[4].txt:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@advertising[4].txt:\advertising.com.1820df7a";"Found Tracking cookie.Advertising";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@advertising[4].txt";"Found Tracking cookie.Advertising";"Healed" "";"C:\Documents and Settings\NetworkService\Cookies\system@adbrite[5].txt:\adbrite.com.ff6c09ff";"Found Tracking cookie.Adbrite";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@adbrite[5].txt:\adbrite.com.f796fd05";"Found Tracking cookie.Adbrite";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@adbrite[5].txt:\adbrite.com.e1f04284";"Found Tracking cookie.Adbrite";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@adbrite[5].txt:\adbrite.com.d5e309c2";"Found Tracking cookie.Adbrite";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@adbrite[5].txt:\adbrite.com.37283d89";"Found Tracking cookie.Adbrite";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@adbrite[5].txt";"Found Tracking cookie.Adbrite";"Healed" "";"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[4].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[4].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault" "";"C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[4].txt";"Found Tracking cookie.Yieldmanager";"Healed"
-
McMurphy. Thank you very much. Everything seems to work fine and back to normal. Please close thread and thank you again for all your assistance.
-
Yes sir! Mbam Log Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4391 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 8/6/2010 4:37:45 PM mbam-log-2010-08-06 (16-37-45).txt Scan type: Quick scan Objects scanned: 125077 Time elapsed: 6 minute(s), 28 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Kaspeysky -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Friday, August 6, 2010 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Friday, August 06, 2010 15:17:22 Records in database: 4134525 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: C:\ D:\ Scan statistics: Objects scanned: 54210 Threats found: 2 Infected objects found: 3 Suspicious objects found: 0 Scan duration: 01:21:00 File name / Threat / Threats count C:\Documents and Settings\Dan\Local Settings\Application Data\Mozilla\Firefox\Profiles\qfssyd2g.default\Cache(2)\61EF0409d01 Infected: Exploit.JS.Pdfka.cqu 2 C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Infected: Trojan-Clicker.Win32.Wistler.a 1 Selected area has been scanned.
-
Hey McMurphy! Here is the log. Thank you sir ComboFix 10-08-06.01 - Dan 08/06/2010 12:36:31.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1683 [GMT -5:00] Running from: c:\documents and settings\Dan\My Documents\Downloads\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected . ((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 ))))))))))))))))))))))))))))))) . 2010-08-05 07:58 . 2010-08-05 07:58 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes 2010-08-05 07:58 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-08-05 07:58 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-08-03 06:22 . 2010-08-03 06:22 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys 2010-08-03 06:22 . 2010-08-03 06:22 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys 2010-08-03 06:22 . 2010-08-03 06:22 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys 2010-08-03 06:22 . 2010-08-03 06:22 161800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrkx86.sys 2010-08-03 06:01 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe 2010-08-03 05:57 . 2010-08-03 05:57 503808 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6af2c823-n\msvcp71.dll 2010-08-03 05:57 . 2010-08-03 05:57 348160 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6af2c823-n\msvcr71.dll 2010-08-03 05:57 . 2010-08-03 05:57 61440 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-78216ce4-n\decora-sse.dll 2010-08-03 05:57 . 2010-08-03 05:57 499712 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6af2c823-n\jmc.dll 2010-08-03 05:57 . 2010-08-03 05:57 12800 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-78216ce4-n\decora-d3d.dll 2010-07-11 21:32 . 2010-08-03 05:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google 2010-07-11 21:25 . 2010-07-11 21:25 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE 2010-07-11 21:25 . 2010-07-11 21:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2010-07-11 21:24 . 2010-08-03 06:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-08-05 07:58 . 2010-08-03 04:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-08-05 07:55 . 2010-08-03 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9 2010-08-05 07:51 . 2009-11-07 06:47 0 ----a-w- c:\documents and settings\Dan\Local Settings\Application Data\prvlcl.dat 2010-08-03 06:12 . 2010-04-08 05:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar 2010-08-03 06:12 . 2010-06-28 18:20 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe 2010-08-03 06:12 . 2010-06-22 04:51 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe 2010-08-03 06:12 . 2010-06-22 04:51 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll 2010-08-03 06:12 . 2010-06-22 04:51 798488 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll 2010-08-03 05:49 . 2010-08-03 05:49 -------- d-----w- c:\program files\SigmaTel 2010-08-03 05:49 . 2010-08-03 05:49 -------- d-----w- c:\program files\Common Files\Adobe 2010-08-03 05:49 . 2010-07-12 01:10 -------- d-----w- c:\program files\Common Files\Adobe(2) 2010-08-03 05:48 . 2009-07-13 16:36 -------- d-----w- c:\program files\Common Files\InstallShield 2010-08-03 05:46 . 2010-08-03 05:46 -------- d-----w- c:\documents and settings\Dan\Application Data\AVG9 2010-08-03 05:36 . 2010-07-12 02:08 25996 ----a-w- c:\windows\system32\drivers\sthdae.log 2010-08-03 04:41 . 2010-08-03 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-07-11 21:26 . 2009-07-14 01:42 -------- d-----w- c:\program files\Google 2010-06-14 14:31 . 2009-07-13 16:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe 2010-06-12 05:34 . 2010-06-12 05:34 -------- d-----w- c:\program files\Microsoft ActiveSync 2010-06-12 03:11 . 2010-05-21 05:00 -------- d-----w- c:\program files\Common Files\doubleTwist 2010-06-12 03:11 . 2010-05-21 05:00 -------- d-----w- c:\program files\doubleTwist 2.0 2010-06-10 01:07 . 2010-06-09 23:02 45 ----a-w- c:\documents and settings\Dan\jagex_runescape_preferences.dat 2010-06-10 01:06 . 2010-06-09 23:04 87 ----a-w- c:\documents and settings\Dan\jagex_runescape_preferences2.dat 2010-06-09 23:04 . 2010-06-09 23:04 0 ----a-w- c:\documents and settings\Dan\jagex__preferences3.dat 2010-05-25 06:10 . 2010-05-25 06:10 61440 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7407b1ce-n\decora-sse.dll 2010-05-25 06:10 . 2010-05-25 06:10 503808 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e2bd609-n\msvcp71.dll 2010-05-25 06:10 . 2010-05-25 06:10 499712 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e2bd609-n\jmc.dll 2010-05-25 06:10 . 2010-05-25 06:10 348160 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e2bd609-n\msvcr71.dll 2010-05-25 06:10 . 2010-05-25 06:10 12800 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7407b1ce-n\decora-d3d.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-14 39408] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless] 2005-07-23 02:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier] 2010-03-17 02:58 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent] 2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] 2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\doubleTwist] 2010-05-31 20:38 24576 ----a-w- c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] 2005-02-23 20:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray] 2005-08-05 17:56 64512 ----a-w- c:\windows\ehome\ehtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent] 2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd] 2005-10-14 19:46 77824 ----a-w- c:\windows\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers] 2005-10-14 19:50 114688 ----a-w- c:\windows\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray] 2005-10-14 19:49 94208 ----a-w- c:\windows\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless] 2005-07-23 02:47 385024 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig] 2005-07-23 02:46 401408 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2010-03-26 06:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp] 2006-03-24 21:30 282624 ----a-w- c:\windows\stsystra.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] 2009-07-14 01:42 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh] 2006-03-08 16:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [3/9/2010 11:00 PM 6656] . Contents of the 'Scheduled Tasks' folder 2010-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34] 2010-08-06 c:\windows\Tasks\User_Feed_Synchronization-{D779D108-6EC6-4EE9-A16A-FF7D0ACCBB8A}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://yahoo.com/ uInternet Settings,ProxyOverride = *.local FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\qfssyd2g.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - yahoo.com FF - plugin: c:\program files\Common Files\doubleTwist\NPPodcast.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Veetle\Player\npvlc.dll FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . - - - - ORPHANS REMOVED - - - - Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe MSConfigStartUp-PCMService - c:\program files\Dell\Media Experience\PCMService.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-08-06 12:47 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,de,05,9f,78,ab,a2,42,96,27,2c,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,de,05,9f,78,ab,a2,42,96,27,2c,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1040) c:\program files\Intel\Wireless\Bin\LgNotify.dll . Completion time: 2010-08-06 12:49:33 ComboFix-quarantined-files.txt 2010-08-06 17:49 Pre-Run: 60,176,535,552 bytes free Post-Run: 62,670,622,720 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect - - End Of File - - 079262C313635D078738162726FD2663
-
cool! Hi McMurphy how do you do? Here is my dds DDS (Ver_10-03-17.01) - NTFSx86 Run by Dan at 22:27:28.68 on Thu 08/05/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1583 [GMT -5:00] ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe C:\WINDOWS\Explorer.EXE svchost.exe svchost.exe svchost.exe 4 C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe svchost.exe 4 svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe svchost.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Dan\My Documents\Downloads\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://yahoo.com/ uInternet Settings,ProxyOverride = *.local BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll BHO: PodcastBHO Class: {65134fdf-f8a5-4b3d-91d9-cdf273cfd578} - c:\program files\common files\doubletwist\IEPodcastPlugin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll Notify: igfxcui - igfxdev.dll Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\dan\applic~1\mozilla\firefox\profiles\qfssyd2g.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - yahoo.com FF - plugin: c:\program files\common files\doubletwist\NPPodcast.dll FF - plugin: c:\program files\veetle\player\npvlc.dll FF - plugin: c:\program files\veetle\plugins\npVeetle.dll FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2010-3-9 6656] R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328] =============== Created Last 30 ================ 2010-08-05 07:58:22 0 d-----w- c:\docume~1\dan\applic~1\Malwarebytes 2010-08-05 07:58:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-08-05 07:58:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-08-03 06:01:41 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe 2010-08-03 05:49:57 0 d-----w- c:\windows\system32\wbem\Repository 2010-08-03 05:49:22 0 d-----w- c:\program files\SigmaTel 2010-08-03 05:46:18 0 d--h--w- C:\$AVG 2010-08-03 05:46:18 0 d-----w- c:\docume~1\dan\applic~1\AVG9 2010-08-03 05:46:18 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9 2010-08-03 04:41:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-08-03 04:41:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-07-12 01:10:14 0 d-----w- c:\program files\common files\Adobe(2) ==================== Find3M ==================== 2010-06-10 01:07:12 45 ----a-w- c:\documents and settings\dan\jagex_runescape_preferences.dat 2010-06-10 01:06:34 87 ----a-w- c:\documents and settings\dan\jagex_runescape_preferences2.dat 2010-06-09 23:04:01 0 ----a-w- c:\documents and settings\dan\jagex__preferences3.dat ============= FINISH: 22:29:06.78 =============== Attach.txt
-
Hello, I have the iexplore hidden virus in my computer. I hope i followed the steps accordingly. Here is my gmer log. GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-08-05 13:31:07 Windows 5.1.2600 Service Pack 3 Running: s6g6mzcb.exe; Driver: C:\DOCUME~1\Dan\LOCALS~1\Temp\kftoyfob.sys ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[444] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) Device \Driver\BTHUSB \Device\00000081 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation) Device \Driver\BTHUSB \Device\0000007f bthport.sys (Bluetooth Bus Driver/Microsoft Corporation) ---- Processes - GMER 1.0.15 ---- Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 444 Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 4068 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016414a34a7 Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016414a34a7 (not active ControlSet) ---- EOF - GMER 1.0.15 ---- Here is my Mbam log Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4391 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 8/5/2010 3:54:27 AM mbam-log-2010-08-05 (03-54-27).txt Scan type: Full scan (C:\|) Objects scanned: 190396 Time elapsed: 47 minute(s), 4 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Thank you!