
Cannot Connect to Internet After Running MalwareBytes



Hi,

After being infected with a virus that redirected me to other pages when I clicked on Google links, I ran Malwarebytes and it looked like I had cleaned the computer (a Dell laptop running Windows XP). However, I can now not connect to the internet. I see all the wireless networks around me and when I try to connect to my personal wireless router, it says "connected" yet no pages will open up. A friend who is a computer technician took a quick look (he didn't have time to fully fix it) and told me that it was a registry file problem. I have tried restoring to an earlier restoration point, like a month ago (this problem occurred only 3 days ago), but that did not work either. Also, the keyboard and touchpad on the infected laptop do not work. I am using an external mouse, which is luckily working.

Thanks a ton. Below please find the Malwarebytes log (NOTE that this trojan reactivates itself even when I try to remove it via Malwarebytes. It keeps coming back in the next scan). I am also attaching the tests of a few other diagnostics a friend ran for me; I hope they are useful...

Thank you very much in advance

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.31.03

Windows XP Service Pack 3 x86 FAT
Internet Explorer 8.0.6001.18702
owner :: OWNER-8C54A1712 [administrator]

Protection: Disabled

4/7/2012 11:19:39 AM
mbam-log-2012-04-07 (12-06-59).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 237843
Time elapsed: 42 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Agent) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\Temp\lyqscs\setup.exe (Trojan.Agent) -> No action taken.

(end)

Edited by LDTate
Attachments removed

Actually, I just ran ComboFix and the problem has now been fixed. Below is the log from ComboFix. I can now connect to the internet and am also able to use the keyboard and touchpad. Please let me know if you have suggestions as to what I shall do now to minimize the chance of the same problem recurring.

I know that I should perhaps not have run ComboFix before being instructed to do so, but as this is my only work computer, I had to do something ASAP to get back to work. Thank you very much for your help.

ComboFix 12-04-10.01 - owner 04/10/2012 13:03:40.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.580 [GMT -4:00]

Running from: D:\ComboFix.exe

AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\$NtUninstallKB28261$

c:\windows\$NtUninstallKB28261$\3947948117

c:\windows\system32\dds_trash_log.cmd

c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

.

c:\windows\system32\midimap.dll . . . is infected!!

.

c:\windows\system32\drivers\afd.sys was missing

Restored copy from - c:\windows\system32\dllcache\afd.sys

.

c:\windows\system32\drivers\netbt.sys was missing

Restored copy from - c:\system volume information\_restore{D1DB89F9-08BB-4D5F-B4C6-43084932DB38}\RP204\A0030184.sys

.

c:\windows\system32\drivers\cdrom.sys was missing

Restored copy from - c:\system volume information\_restore{D1DB89F9-08BB-4D5F-B4C6-43084932DB38}\RP203\A0030175.sys

.

c:\windows\system32\drivers\i8042prt.sys was missing

Restored copy from - c:\system volume information\_restore{D1DB89F9-08BB-4D5F-B4C6-43084932DB38}\RP204\A0030183.sys

.

c:\windows\system32\drivers\ipsec.sys was missing

Restored copy from - c:\system volume information\_restore{D1DB89F9-08BB-4D5F-B4C6-43084932DB38}\RP204\A0030180.sys

.

.

((((((((((((((((((((((((( Files Created from 2012-03-10 to 2012-04-10 )))))))))))))))))))))))))))))))

.

.

2012-04-10 17:17 . 2012-04-10 17:18 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7B950B6B-7756-42FE-9C9B-38EDB02952A8}\offreg.dll

2012-04-10 17:13 . 2008-04-14 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2012-04-10 17:13 . 2008-04-14 12:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2012-04-10 17:13 . 2009-06-13 17:29 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2012-04-10 17:13 . 2008-04-14 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-04-10 17:13 . 2011-08-17 13:41 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2012-04-02 03:36 . 2012-04-02 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro

2012-04-02 02:06 . 2012-04-02 02:13 -------- d-----w- c:\program files\Free Window Registry Repair

2012-04-02 00:42 . 2012-04-02 00:42 4536 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2012-04-02 00:40 . 2001-08-17 22:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2012-04-02 00:37 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7B950B6B-7756-42FE-9C9B-38EDB02952A8}\mpengine.dll

2012-04-02 00:36 . 2012-04-02 00:36 -------- d-----w- c:\windows\system32\wbem\Repository

2012-04-01 23:44 . 2012-04-02 00:35 -------- d-s---w- c:\documents and settings\Administrator

2012-04-01 03:40 . 2012-04-02 00:35 -------- d-----w- c:\program files\Apoint

2012-04-01 03:40 . 2012-04-01 03:40 -------- d-----w- c:\program files\InstallShield Installation Information

2012-04-01 03:40 . 2012-04-01 03:40 -------- d-----w- C:\Dell

2012-03-31 09:14 . 2012-03-31 09:14 42960 ----a-w- c:\windows\system32\drivers\xrwspmai.sys

2012-03-31 08:58 . 2012-03-31 08:58 42960 ----a-w- c:\windows\system32\drivers\vlgjdybs.sys

2012-03-31 08:42 . 2012-03-31 08:42 42960 ----a-w- c:\windows\system32\drivers\bymdfjzl.sys

2012-03-31 08:26 . 2012-03-31 08:26 42960 ----a-w- c:\windows\system32\drivers\vfqosvsc.sys

2012-03-31 08:10 . 2012-03-31 08:10 42960 ----a-w- c:\windows\system32\drivers\kswcfnwa.sys

2012-03-31 07:54 . 2012-03-31 07:54 42960 ----a-w- c:\windows\system32\drivers\pwmvxikh.sys

2012-03-31 07:42 . 2012-03-31 07:42 42960 ----a-w- c:\windows\system32\drivers\cyrdbwha.sys

2012-03-30 15:36 . 2012-03-30 15:36 583528 ----a-w- c:\windows\svcs.exe

2012-03-30 01:08 . 2012-03-30 02:06 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-03-23 18:32 . 2012-03-23 18:32 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes

2012-03-23 18:30 . 2012-03-23 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-03-23 18:30 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-23 18:30 . 2012-03-23 18:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-30 02:06 . 2011-12-19 18:29 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-03-14 02:15 . 2011-12-21 11:43 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-02-03 09:26 . 2009-06-13 17:30 1869184 ----a-w- c:\windows\system32\win32k.sys

2012-01-31 12:44 . 2011-12-19 18:30 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-01-11 19:06 . 2012-02-15 14:36 3072 ------w- c:\windows\system32\iacenc.dll

2012-03-20 14:00 . 2012-03-20 14:00 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2009-06-13 . 038CA45522FE9B756EFB90DBFA9141EA . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

.

[-] 2009-06-13 17:49 . 29BDA2E8766D49E5D37CA9DDD61D24FC . 1449472 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll

.

[-] 2009-06-13 . 3D1ABDC3009D6B7CA7F9E66769C126CA . 568832 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

[-] 2009-06-13 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

.

[-] 2009-06-13 . 7C20A150945965CC47E8289636BF4346 . 2117632 . . [6.00.2900.5634] . . c:\windows\explorer.exe

.

[-] 2008-04-14 . 599DF882C3C000D69DF3C780AC064CD0 . 208896 . . [5.1.2600.5512] . . c:\windows\regedit.exe

.

[-] 2009-06-13 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

.

.

[-] 2009-06-13 . 448937CF6D5D4A4009532DF67B205F92 . 32256 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2012-01-03 21:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19550344]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-06-13 37376]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2009-06-13 128512]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-08-05 21:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2005-10-14 22:46 77824 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2005-10-14 22:50 114688 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2005-10-14 22:49 94208 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]

2007-09-02 21:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]

2009-05-07 23:02 1277440 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-06-09 21:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]

2008-05-02 08:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VistaDrive]

2006-10-06 04:56 280779 ----a-w- c:\windows\VistaDrive\VistaDrive.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ose"=3 (0x3)

"odserv"=3 (0x3)

"Microsoft Office Groove Audit Service"=3 (0x3)

"idsvc"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

.

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/27/2011 7:19 PM 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/27/2011 7:19 PM 136176]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]

S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [12/17/2011 12:53 PM 79616]

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]

2009-06-13 17:34 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-10 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 02:06]

.

2012-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-27 23:18]

.

2012-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-27 23:18]

.

2012-04-10 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 23:39]

.

2012-04-10 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2012-01-03 21:31]

.

.

------- Supplementary Scan -------

.

uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1 207.69.188.185 207.69.188.186 207.69.188.187

FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\7cnm3g98.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?l=dis&o=41648106&gct=hp

FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FTB&o=41648106&locale=en_US&apn_uid=03A15077-896D-4E0F-8026-F560778A98D5&apn_ptnrs=9C&apn_sauid=C3EEF60E-5265-489B-95C3-8FE76BC2929A&apn_dtid=YYYYYYYYUS&&q=

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\FlashUtil11f_Plugin.exe

AddRemove-Google Chrome - c:\program files\Google\Chrome\Application\17.0.963.56\Installer\setup.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-10 13:17

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(520)

c:\windows\system32\SETUPAPI.dll

c:\windows\system32\cscui.dll

.

- - - - - - - > 'lsass.exe'(592)

c:\windows\system32\setupapi.dll

.

- - - - - - - > 'explorer.exe'(2064)

c:\windows\system32\SHDOCVW.dll

c:\windows\system32\WININET.dll

c:\windows\system32\msctfime.ime

c:\windows\system32\COMRes.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\windows\System32\cscui.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\SETUPAPI.dll

c:\windows\system32\credui.dll

c:\windows\system32\MSVCP60.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\msdtc.exe

.

**************************************************************************

.

Completion time: 2012-04-10 13:24:45 - machine was rebooted

ComboFix-quarantined-files.txt 2012-04-10 17:24

.

Pre-Run: 4,403,978,240 bytes free

Post-Run: 6,541,897,728 bytes free

.

- - End Of File - - 3397A561F45B5DD481EC6D226A7E407B


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\system32\drivers\xrwspmai.sys
c:\windows\system32\drivers\vlgjdybs.sys
c:\windows\system32\drivers\bymdfjzl.sys
c:\windows\system32\drivers\vfqosvsc.sys
c:\windows\system32\drivers\kswcfnwa.sys
c:\windows\system32\drivers\pwmvxikh.sys
c:\windows\system32\drivers\cyrdbwha.sys

Folder::
c:\program files\Ask.com

ClearJavaCache::

FireFox::
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\7cnm3g98.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?l=dis&o=41648106&gct=hp
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FTB&o=41648106&locale=en_US&apn_uid=03A15077-896D-4E0F-8026-F560778A98D5&apn_ptnrs=9C&apn_sauid=C3EEF60E-5265-489B-95C3-8FE76BC2929A&apn_dtid=YYYYYYYYUS&&q=

Driver::
vlgjdybs.sys
bymdfjzl.sys
vfqosvsc.sys
kswcfnwa.sys
pwmvxikh.sys
cyrdbwha.sys
xrwspmai.sys

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save...

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

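As an added example, not code from this thread or from ComboFix: the Python below parses the "Files Created" section of the ComboFix log posted above, flags the cluster of identically sized, randomly named drivers written to system32\drivers a few minutes apart, and renders them in the File:: and Driver:: layout of the CFScript in the reply above. The sample lines are constructed from the log in this thread; the eight-letter name check and the 30-minute gap are assumptions chosen to match that log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt in ComboFix "Files Created" layout. The 42960-byte driver
# lines are copied from the log in this thread; the other lines are benign context.
SAMPLE_LOG = r"""
2012-04-10 17:13 . 2008-04-14 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-04-02 00:40 . 2001-08-17 22:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-04-02 00:36 . 2012-04-02 00:36 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-31 09:14 . 2012-03-31 09:14 42960 ----a-w- c:\windows\system32\drivers\xrwspmai.sys
2012-03-31 08:58 . 2012-03-31 08:58 42960 ----a-w- c:\windows\system32\drivers\vlgjdybs.sys
2012-03-31 08:42 . 2012-03-31 08:42 42960 ----a-w- c:\windows\system32\drivers\bymdfjzl.sys
2012-03-31 08:26 . 2012-03-31 08:26 42960 ----a-w- c:\windows\system32\drivers\vfqosvsc.sys
2012-03-23 18:30 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# One line is "<created> . <modified> <size or dashes> <attributes> <path>".
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Assumed name shape: exactly eight lower-case letters, as in the drops above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.sys$")


def parse_files_created(text):
    """Parse 'Files Created' lines into dicts; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, dot separators and blank lines
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": int(m["size"]) if m["size"].isdigit() else None,
            "path": m["path"],
        })
    return entries


def find_driver_clusters(entries, min_members=3, max_gap_minutes=30):
    """Group random-named drivers that share one size and were written fresh
    (created == modified); keep groups whose drops came in quick succession."""
    by_size = defaultdict(list)
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        if e["size"] is None or "\\drivers\\" not in e["path"].lower():
            continue
        if RANDOM_NAME_RE.match(name) and e["created"] == e["modified"]:
            by_size[e["size"]].append(e)
    clusters = []
    for size, group in by_size.items():
        group.sort(key=lambda e: e["created"])
        gaps = [b["created"] - a["created"] for a, b in zip(group, group[1:])]
        if len(group) >= min_members and max(gaps, default=timedelta(0)) <= timedelta(minutes=max_gap_minutes):
            clusters.append({"size": size, "paths": [e["path"] for e in group]})
    return clusters


def render_cfscript(clusters):
    """Emit File:: and Driver:: sections in the CFScript layout used in this thread."""
    paths = [p for c in clusters for p in c["paths"]]
    names = [p.rsplit("\\", 1)[-1] for p in paths]
    return "File::\n" + "\n".join(paths) + "\n\nDriver::\n" + "\n".join(names) + "\n"
```

Run against a full ComboFix log, the same function picks up the whole 07:42 to 09:14 series of seven drivers, because the test is on the gap between consecutive drops rather than the total span.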

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
