Jump to content

Virus Problems


Recommended Posts

Sorry for jumping to it but I'm a bit worried.

Alright, in the past few weeks Security 2012 has been popping up, I've been removing it with Malwarebytes but it kept coming back. Also the ping virus has shown up recently. I was going to work on getting rid of these bugs soon but today something bigger seems to have hit my laptop. My wallpaper suddenly turned black and system errors started pouring onto my screen, causing it to reboot. I'm in Safe Mode with Networking now, but If I try to get on normally it just restarts after logging in.

I did run the dds as requested.

Hope you can help.

I'm not very tech/computer smart for the record. Can't even remember what my computer is, pretty sure its Vista but it might be XP. Sorry for the trouble.

dds.txt

attach.txt

Link to post
Share on other sites

Forgot the details. Before doing the dds I did run Malwarebytes and it got rid of a few infections but the ping and the large virus are still there.

I know its the holiday so I don't expect help anytime soon.

Merry Christmas.

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_05

Run by Jason at 16:46:18 on 2011-12-24

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1917.1306 [GMT -8:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\Explorer.EXE

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Safari\Safari.exe

C:\Windows\system32\Taskmgr.exe

C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\System32\ping.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.charter.net/google/index.php?q=

uWindow Title = Powered by Charter Communications

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3081007

uStart Page = hxxp://youtube.com/

uInternet Settings,ProxyServer = 0.0.0.0:80

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Charter Toolbar: {4e7bd74f-2b8d-469e-85ab-af21f3d9ae2f} - c:\progra~1\charte~1\CHARTE~1.DLL

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Window Shopper: {74f475fa-6c75-43bd-aab9-ecda6184f600} - c:\program files\superfish\window shopper\SuperfishIEAddon.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: Charter Toolbar: {4e7bd74f-2b8d-469e-85ab-af21f3d9ae2f} - c:\progra~1\charte~1\CHARTE~1.DLL

TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [iXknMUlTYDuNOvI.exe] c:\programdata\IXknMUlTYDuNOvI.exe

mRun: [ECenter] c:\dell\e-center\EULALauncher.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"

mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"

mRun: [File Helper] "c:\program files\file helper\1.1.0.10\FileHelper.exe" --start-trayed

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe

mRun: [<NO NAME>]

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malwares\mbamgui.exe" /starttray

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malwares\mbam.exe" /runcleanupscript

StartupFolder: c:\users\jason\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\superfish\window shopper\SuperfishIEAddon.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 10.0.0.1

TCP: Interfaces\{C93CBCED-5078-4C77-AAD9-87663BA46D63} : DhcpNameServer = 10.0.0.1

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\m0oxadv4.default\

FF - prefs.js: browser.search.selectedEngine - Search

FF - prefs.js: browser.startup.homepage - hxxp://www.clickcritters.com/

FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&apn_uid=da8fccf5-1f70-4e4a-8213-88158a6d8560&apn_ptnrs=FM&apn_sauid=4549DBF1-3587-4F14-A5D0-6FD4CE74CD9B&apn_dtid=TES002YYUS&q=

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll

.

---- FIREFOX POLICIES ----

.

FF - user.js: browser.search.selectedEngine - Search

FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=m0wqsbTG&q=

.

============= SERVICES / DRIVERS ===============

.

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-10-6 280392]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-10-6 73728]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]

S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malwares\mbamservice.exe [2011-9-22 366152]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-7-2 1153368]

S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2007-8-27 345432]

S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2007-8-27 923216]

S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-10-6 36368]

S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2007-8-27 566872]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-14 24652]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-3-15 183560]

S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2011-3-11 29184]

S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-12-11 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-10-6 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

2011-12-25 00:08:16 -------- d-----w- c:\users\jason\appdata\local\{77F6005B-F2DB-4013-92F3-1B7342AF8655}

2011-12-24 21:39:47 439040 ----a-w- c:\programdata\IXknMUlTYDuNOvI.exe

2011-12-24 21:37:04 30720 --sh--w- c:\users\jason\appdata\local\dplayx.dll

2011-12-14 01:04:34 -------- d-----w- c:\users\jason\appdata\local\{F8C8D08D-7408-42B6-B197-4F4FD7AF8215}

2011-12-14 01:03:56 -------- d-----w- c:\users\jason\appdata\local\{B298BA78-CB6C-425B-9ACB-27D047EC34E3}

2011-12-13 20:27:18 -------- d-s---w- C:\ComboFix

2011-12-13 20:25:59 98816 ----a-w- c:\windows\sed.exe

2011-12-13 20:25:59 518144 ----a-w- c:\windows\SWREG.exe

2011-12-13 20:25:59 256000 ----a-w- c:\windows\PEV.exe

2011-12-13 20:25:59 208896 ----a-w- c:\windows\MBR.exe

2011-12-12 08:24:41 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3a2c57b7-7bed-47e0-ab5c-8418a308939b}\mpengine.dll

2011-12-12 08:16:05 -------- d-----w- c:\users\jason\appdata\local\{040F3A5B-3076-46C8-B3CC-0DDC66C3EF04}

2011-12-12 02:34:15 -------- d-----w- c:\users\jason\appdata\local\{F94D05CB-CAEE-4122-847B-3793417683FA}

2011-12-12 02:33:34 -------- d-----w- c:\users\jason\appdata\local\{441E1A34-1EC3-444A-A97A-F6B580452E23}

2011-12-12 02:29:51 -------- d-----w- c:\users\jason\appdata\local\{F102CA33-4D48-4B5B-9CBF-564F144B0CE1}

2011-12-12 02:29:04 -------- d-----w- c:\users\jason\appdata\local\{A6B8ED10-2F29-4C98-B6B7-9063F47A7C73}

2011-12-11 01:45:50 -------- d-----w- c:\users\jason\appdata\local\{262E4207-A4FB-4384-BD1D-5D8A95239CC6}

2011-12-10 02:20:03 -------- d-----w- c:\users\jason\appdata\local\{408C13BC-CDBF-49AF-AF2A-C7D0A4F52357}

2011-12-10 02:19:42 -------- d-----w- c:\users\jason\appdata\local\{DEB337D8-3A6A-49F3-9FF6-89CC06528D6F}

2011-12-01 19:07:23 -------- d-----w- c:\users\jason\appdata\local\{A78259AF-F7EE-40DE-AB3B-065BF0391660}

.

==================== Find3M ====================

.

2011-10-03 12:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

.

============= FINISH: 16:50:29.59 ===============

Link to post
Share on other sites

:welcome:

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

Link to post
Share on other sites

So I need to change passwords for pretty much everything? That could take some time. As for another computer to use that'll have to wait.

As for banking I did use my debit card a few times and have a paypal account.

Re-installing windows, will that basically delete everything I have on this computer?

Yes and yes

The main passwords to change are financial ones.

Like your online banking account, if you do that, PayPal and your email password.

We can try to clean it, if you want.

Link to post
Share on other sites

Please do not attach the scan results from Combofx. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

I got that. =P

ComboFix 11-12-28.03 - Jason 12/28/2011 13:35:33.1.2 - x86 NETWORK

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1917.1513 [GMT -8:00]

Running from: c:\users\Jason\Desktop\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\StartNow Toolbar

c:\program files\StartNow Toolbar\Resources\images\btn-msn.png

c:\program files\StartNow Toolbar\Resources\images\chevronButton.png

c:\program files\StartNow Toolbar\Resources\images\engine_images.png

c:\program files\StartNow Toolbar\Resources\images\engine_maps.png

c:\program files\StartNow Toolbar\Resources\images\engine_news.png

c:\program files\StartNow Toolbar\Resources\images\engine_videos.png

c:\program files\StartNow Toolbar\Resources\images\engine_web.png

c:\program files\StartNow Toolbar\Resources\images\icon_amazon.png

c:\program files\StartNow Toolbar\Resources\images\icon_ebay.png

c:\program files\StartNow Toolbar\Resources\images\icon_facebook.png

c:\program files\StartNow Toolbar\Resources\images\icon_games.png

c:\program files\StartNow Toolbar\Resources\images\icon_shopping.png

c:\program files\StartNow Toolbar\Resources\images\icon_travel.png

c:\program files\StartNow Toolbar\Resources\images\icon_twitter.png

c:\program files\StartNow Toolbar\Resources\images\separator.png

c:\program files\StartNow Toolbar\Resources\images\splitter.png

c:\program files\StartNow Toolbar\Resources\images\startnow_logo.png

c:\program files\StartNow Toolbar\Resources\installer.xml

c:\program files\StartNow Toolbar\Resources\protect\index.html

c:\program files\StartNow Toolbar\Resources\protect\NotIE6.css

c:\program files\StartNow Toolbar\Resources\protect\OnlyIE6.css

c:\program files\StartNow Toolbar\Resources\protect\SearchProtectIcon.png

c:\program files\StartNow Toolbar\Resources\protect\window.css

c:\program files\StartNow Toolbar\Resources\protect\window.js

c:\program files\StartNow Toolbar\Resources\reactivate\index.html

c:\program files\StartNow Toolbar\Resources\reactivate\LeftImage.png

c:\program files\StartNow Toolbar\Resources\reactivate\NotIE6.css

c:\program files\StartNow Toolbar\Resources\reactivate\OnlyIE6.css

c:\program files\StartNow Toolbar\Resources\reactivate\window.css

c:\program files\StartNow Toolbar\Resources\reactivate\window.js

c:\program files\StartNow Toolbar\Resources\searchbox\dropdown_button_normal.png

c:\program files\StartNow Toolbar\Resources\searchbox\searchbox_button_hover.png

c:\program files\StartNow Toolbar\Resources\searchbox\searchbox_button_normal.png

c:\program files\StartNow Toolbar\Resources\searchbox\searchbox_input_left.png

c:\program files\StartNow Toolbar\Resources\searchbox\searchbox_input_middle.png

c:\program files\StartNow Toolbar\Resources\toolbar.xml

c:\program files\StartNow Toolbar\Resources\toolbarbutton\hover_c.png

c:\program files\StartNow Toolbar\Resources\toolbarbutton\hover_l.png

c:\program files\StartNow Toolbar\Resources\toolbarbutton\hover_r.png

c:\program files\StartNow Toolbar\Resources\toolbarbutton\normal_c.png

c:\program files\StartNow Toolbar\Resources\toolbarbutton\normal_l.png

c:\program files\StartNow Toolbar\Resources\toolbarbutton\normal_r.png

c:\program files\StartNow Toolbar\Resources\update.xml

c:\program files\StartNow Toolbar\uninstall.dat

c:\programdata\787772d6t052h555r358d3lui8o1

c:\programdata\IXknMUlTYDuNOvI.exe

c:\users\Jason\AppData\Local\dplayx.dll

c:\users\Jason\AppData\Roaming\Microsoft\Windows\Templates\787772d6t052h555r358d3lui8o1

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome.manifest

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.js

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.xul

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\buttons.js

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\constants.js

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\events.js

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\globals.js

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\btn-msn.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\engine_images.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\engine_maps.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\engine_news.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\engine_videos.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\engine_web.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\icon_amazon.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\icon_ebay.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\icon_facebook.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\icon_games.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\icon_shopping.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\icon_travel.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\icon_twitter.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\searchbox_button.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\img\startnow_logo.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\init.js

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\index.html

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\NotIE6.css

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\OnlyIE6.css

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\SearchProtectIcon.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\window.css

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\window.js

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\searchkeeper.js

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\searchkeeper.xul

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\xml\installer.xml

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\xml\toolbar.xml

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\locale\en-US\{F02577FF-29CE-4130-8171-B51D94ECA96E}.dtd

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\skin\butoon-hover-background.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\skin\overlay.css

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\skin\search.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\skin\searchBackground.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\skin\splitter.png

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\install.rdf

c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\searchplugins\bing-zugo.xml

c:\users\Jason\Monster_truck_madness_2__.exe

.

Infected copy of c:\windows\system32\drivers\smb.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))

.

.

2011-12-28 21:52 . 2011-12-28 21:53 -------- d-----w- c:\users\Jason\AppData\Local\temp

2011-12-28 21:52 . 2011-12-28 21:52 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-12-28 21:24 . 2009-04-11 04:45 66560 ----a-w- c:\windows\system32\drivers\smb.sys

2011-12-12 08:24 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A2C57B7-7BED-47E0-AB5C-8418A308939B}\mpengine.dll

2011-12-01 19:55 . 2011-12-01 19:55 -------- d-----w- c:\program files\Apple Software Update

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-03 12:06 . 2011-05-30 07:25 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-05 06:53 . 2011-11-20 05:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2010-09-09 01:29 . 2010-02-09 22:20 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-85AB-AF21F3D9AE2F}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2011-05-17 20:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-07-03 3563520]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-09 30192]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-27 1807696]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]

"File Helper"="c:\program files\File Helper\1.1.0.10\FileHelper.exe" [2010-01-23 583136]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]

"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malwares\mbamgui.exe" [2011-09-01 449608]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malwares\mbam.exe" [2011-09-01 1047208]

.

c:\users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-10-6 50688]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-10-07 07:21 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-05-02 161048]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 135664]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-11-20 2152152]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malwares\mbamservice.exe [2011-09-01 366152]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-08-27 345432]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-08-27 923216]

R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-11-27 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-08-27 566872]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-16 183560]

R3 dsiarhwprog;dsiarhwprog;c:\windows\system32\Drivers\dsiarhwprog.sys [2007-02-08 29184]

R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-09-09 30192]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 135664]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-06-20 15232]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-05-06 3596528]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]

S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2007-08-27 280392]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-18 c:\windows\Tasks\File Helper.job

- c:\program files\File Helper\1.1.0.10\FileHelper.exe [2010-02-07 02:25]

.

2011-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 07:04]

.

2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 07:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://youtube.com/

uInternet Settings,ProxyServer = 0.0.0.0:80

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\Superfish\Window Shopper\SuperfishIEAddon.dll

TCP: DhcpNameServer = 10.0.0.1

FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.clickcritters.com/

FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=m0wqsbTG&q=

FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=m0wqsbTG&q=

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKCU-Run-IXknMUlTYDuNOvI.exe - c:\programdata\IXknMUlTYDuNOvI.exe

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

AddRemove-StartNow Toolbar - c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-28 13:53

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Smb]

"ImagePath"="s\00y\00s\00t\00e\00m\003\002\00\\00D\00R\00I\00V\00E\00R\00S\00\\00s\00m\00b\00.\00s\00y\00s"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2011-12-28 13:57:05

ComboFix-quarantined-files.txt 2011-12-28 21:56

.

Pre-Run: 16,141,905,920 bytes free

Post-Run: 17,210,126,336 bytes free

.

- - End Of File - - CD0242C246CE42E65FB232E364419EA5

Link to post
Share on other sites

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

DDS::
uInternet Settings,ProxyServer = 0.0.0.0:80

FireFox::
FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\m0oxadv4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.clickcritters.com/
FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=m0wqsbTG&q=
FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=m0wqsbTG&q=

Folder::
c:\program files\Ask.com

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-85AB-AF21F3D9AE2F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

ComboFix 11-12-28.03 - Jason 12/28/2011 16:01:53.1.2 - x86 NETWORK

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1917.1520 [GMT -8:00]

Running from: c:\users\Jason\Desktop\ComboFix.exe

Command switches used :: c:\users\Jason\Desktop\CFScript.txt

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Ask.com

c:\program files\Ask.com\assets\oobe\b.png

c:\program files\Ask.com\assets\oobe\bl.png

c:\program files\Ask.com\assets\oobe\br.png

c:\program files\Ask.com\assets\oobe\l.png

c:\program files\Ask.com\assets\oobe\pointer.png

c:\program files\Ask.com\assets\oobe\r.png

c:\program files\Ask.com\assets\oobe\t.png

c:\program files\Ask.com\assets\oobe\tl.png

c:\program files\Ask.com\assets\oobe\tr.png

c:\program files\Ask.com\cobrand.ico

c:\program files\Ask.com\config.xml

c:\program files\Ask.com\favicon.ico

c:\program files\Ask.com\fv_8804.ico

c:\program files\Ask.com\GenericAskToolbar.dll

c:\program files\Ask.com\mupcfg.xml

c:\program files\Ask.com\precache.exe

c:\program files\Ask.com\SaUpdate.exe

c:\program files\Ask.com\Updater\config.xml

c:\program files\Ask.com\Updater\Updater.exe

c:\program files\Ask.com\UpdateTask.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))

.

.

2011-12-29 00:14 . 2011-12-29 00:19 -------- d-----w- c:\users\Jason\AppData\Local\temp

2011-12-29 00:14 . 2011-12-29 00:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2011-12-29 00:14 . 2011-12-29 00:14 -------- d-----w- c:\users\Default\AppData\Loc

Link to post
Share on other sites

Oh so you want me to start up the computer normally instead of safe mode now? I didn't know it was done.

Wallpaper is still black. Other than that it looks like the virus is gone possibly. Though it feels a bit zoomed out probably just the settings messed up. also no documents show up when I hit the start button. Just empty space.

Link to post
Share on other sites

After running the unhide tool you may still be missing most of your start menu shortcuts… They can be found in a folder named smtmp inside:

(XP)- C:\Documents and Settings\Username\Local Settings\Temp

(W7)- C:\Users\Username\AppData\Local\Temp

C:\Windows\Temp

Example:

%Temp%\smtmp\1 "%AllUsersProfile%\Start Menu"

%Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch"

%Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"

%Temp%\smtmp\4 "%AllUsersProfile%\Desktop

These will be there unless you have removed temp files / folders

There might be three numbered folders inside C:\Documents and Settings\Your User Name\Local Settings\Temp\smtmp folder. The folders will be numbered 1, 2 and 4.

Inside the 1 folder is a folder named “Programs.” This folder should be copied / pasted to (using XP) to C:\Documents and Settings\All Users\Start Menu, which will already have a folder named Programs but it is safe to overwrite it since Windows will replace the subfolders without creating duplicates.

Inside the 2 folder are the quick launch items specific for the user. Select ALL of these shortcuts and copy / paste to (using XP) C:\Documents and Settings\Your User Name\Application Data\Microsoft\Internet Explorer\Quick Launch.

Inside the 4 folder are the desktop items that should be copied to C:\Documents and Settings\All Users\Desktop.

Let me know if everything was there and how it's running now.

For Windows 7 users, the all users start menu is C:\ProgramData\Microsoft\Windows\Start Menu\Programs and the all users desktop folder is C:\Users\Public\Desktop

Also you can use this option With Windows 7 / Vista:

You can restore the Start menu to its original, default settings.

1.Open Taskbar and Start Menu Properties by clicking the Start button , clicking Control Panel, clicking Appearance and Personalization, and then clicking Taskbar and Start Menu.

2.Click the Start Menu tab, and then click Customize.

3.In the Customize Start Menu dialog box, click Use Default Settings, and then click OK.

Link to post
Share on other sites

You can restore the Start menu to its original, default settings.

1.Open Taskbar and Start Menu Properties by clicking the Start button , clicking Control Panel, clicking Appearance and Personalization, and then clicking Taskbar and Start Menu.

2.Click the Start Menu tab, and then click Customize.

3.In the Customize Start Menu dialog box, click Use Default Settings, and then click OK.

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.