
Antiviruspro 2010


lwinkler


XP Home SP3

Symantec Antivirus 10.1.8 Enterprise

Infected 9/24/2009

Installed Malwarebytes and successfully updated 9/25/2009

Malwarebytes runs for 5 to 14 seconds and shuts down with no error information.

Installed HijackThis successfully.

HijackThis ran 5 seconds and shut down with no error information.

Symantec QuickScan shows Trojan.Fakeavelt and Downloader cleaned... not so.

Normal Symantec not running.

Your computer is Infected! (Windows has detected spyware infection!) popup from notification area.

Trying to run HijackThis from the Trend Micro folder results in the message:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

Please suggest next step.


Please save this file to your desktop.

Click on Start->Run, and copy-paste the following command into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. It will take a while to generate.

Please open it with notepad and post the contents here. If the log generated OK then ignore the rest of the directions.

_______________

Only if win32kdiag.exe doesn't run: download the program to a clean PC and transfer it to removable media (USB drive, CD-ROM) as follows.

  • I want you to rename win32kdiag.exe as you download it to poof.pif
  • Then copy it to removable media and copy that file (poof.pif) to the desktop of the infected PC.

Notes:

  • It is very important that you save the newly renamed PIF file to your desktop.
  • You must rename win32kdiag.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename it as you download it. To do that:
  • For Firefox:
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Now, launch the program poof.pif on the infected PC:

Click on Start->Run, and copy-paste the following command into the "Open" box, and click OK.

"%userprofile%\desktop\poof.pif" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. It will take a while to generate - be sure to let it finish.

Please open it with notepad and post the contents here.

If this is not clear tell me and I will expand upon it.


Running from: C:\Documents and Settings\Mika\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Mika\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DE.tmp\ZAP1DE.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DE.tmp\ZAP1DE.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP334.tmp\ZAP334.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP334.tmp\ZAP334.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4C5.tmp\ZAP4C5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4C5.tmp\ZAP4C5.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4F0.tmp\ZAP4F0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4F0.tmp\ZAP4F0.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.6425\12.0.6425

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.6425\12.0.6425

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5b69967e31d1d0e20f5063cc728c883d\5b69967e31d1d0e20f5063cc728c883d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5b69967e31d1d0e20f5063cc728c883d\5b69967e31d1d0e20f5063cc728c883d

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-14 20:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 20:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 20:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Found mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Found mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Found mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Found mount point : C:\WINDOWS\Temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00004\MCE00004

Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Finished!

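The log above carries the two signals that matter in this thread: every "Found mount point" entry is a directory reparse point whose destination is \Device\__max++>\^, a bare device object rather than a volume, and the eventlog.dll in system32 is 61952 bytes with no publisher while the dllcache copy (and logevent.dll) is 56320 bytes from Microsoft Corporation, which is what the CFScript in the next reply addresses by moving logevent.dll over it. As an added example, not code from this thread and not part of Win32kDiag, the following Python script parses a log in this format and pulls out exactly those signals. The sample log embedded in it is constructed from the lines posted above plus one hypothetical benign \??\Volume{...} junction; the line formats (the "Found mount point" / "Mount point destination" pairs and the "[n] date size path (company)" file lines) are assumptions inferred from the posted output.

```python
"""Triage of a Win32kDiag-style log (added example; not the forum post's code
and not part of the Win32kDiag tool). It flags the two signals the posted log
shows: directory reparse points whose target is a raw device object rather than
a volume, and a protected system file whose size or publisher differs from its
dllcache copy. The line formats are inferred from the output posted above."""
import re
from collections import defaultdict

# Constructed sample in the shape of the posted log. The Volume{...} junction is
# a hypothetical benign entry so the filter has something to let through.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF
Found mount point : D:\Mounts\Backup
Mount point destination : \??\Volume{9b1c2d3e-0000-1111-2222-333344445555}
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-14 20:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 20:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 20:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
FILE_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")
# A legitimate volume mount point or junction resolves to \??\Volume{GUID} or to
# a drive-letter path. Any other \Device\ name is owned by some driver.
BENIGN_DEST_RE = re.compile(r"^\\\?\?\\(Volume\{[0-9A-Fa-f-]+\}|[A-Za-z]:)(\\|$)")


def parse_log(text):
    """Return (mounts, denied, files): mounts as (path, destination) pairs,
    denied as paths the tool could not open, files as dicts from the [n] lines."""
    mounts, denied, files = [], [], []
    pending = None
    for line in text.splitlines():
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := DENIED_RE.match(line):
            denied.append(m.group(1))
        elif m := FILE_RE.match(line):
            files.append({"path": m.group(4), "size": int(m.group(3)),
                          "company": m.group(5)})
    return mounts, denied, files


def suspicious_mounts(mounts):
    """Reparse points whose target is not a volume or drive path. Opening such a
    directory is redirected to whatever driver owns that device name, so every
    tool that walks the directory sees only what the driver chooses to return."""
    return [(p, d) for p, d in mounts if not BENIGN_DEST_RE.match(d)]


def nested_same_name(mounts):
    """Reparse points planted as a child named after its parent directory,
    the layout used for every entry in the posted log."""
    out = []
    for p, _ in mounts:
        parts = p.rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            out.append(p)
    return out


def mismatched_system_files(files):
    """Compare each listed copy of a file with the dllcache copy of the same
    name (the Windows File Protection reference). Returns tuples of
    (path, size, reference size, publisher)."""
    by_name = defaultdict(list)
    for f in files:
        by_name[f["path"].rsplit("\\", 1)[-1].lower()].append(f)
    flagged = []
    for recs in by_name.values():
        refs = [r for r in recs if "\\dllcache\\" in r["path"].lower()]
        if not refs:
            continue
        ref = refs[0]
        for r in recs:
            if r is not ref and (r["size"] != ref["size"]
                                 or r["company"] != ref["company"]):
                flagged.append((r["path"], r["size"], ref["size"],
                                r["company"] or "<no publisher>"))
    return flagged


def triage(text):
    mounts, denied, files = parse_log(text)
    return {"suspicious_mounts": suspicious_mounts(mounts),
            "nested_same_name": nested_same_name(mounts),
            "access_denied": denied,
            "mismatched_files": mismatched_system_files(files)}


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(f"{key}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

Run it with no arguments to triage the embedded sample, or replace SAMPLE_LOG with the contents of Win32kDiag.txt. The benign-destination pattern only knows volume-GUID and drive-letter targets, so a legitimate junction into some other namespace would be reported as well; treat the output as a worklist to check by hand, not a verdict.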

Preparation steps for running Combofix:

Create a CFScript:

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

KillAll::

FMove::
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll

Save this to your desktop as CFScript.txt by selecting File -> Save as.

You'll be using the CFScript.txt file in combination with Combofix as described below:

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as fixit.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox:
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it before running Combofix.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix:

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows Firewall in the interim, until the scan is complete.

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt onto the renamed ComboFix.exe (Fixit.exe)

This action will cause ComboFix to launch and begin scanning.

Combofix may prompt you to install the Windows Recovery Console. If you have not done that already- please follow the prompts to install Recovery Console (Vista users need not do this).

Please post back the log that opens when it finishes, called C:\Combofix.txt.

You may re-enable your security programs.


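When the ComboFix log comes back, its "Reg Loading Points" section lists autostart values in REGEDIT4 style, one "name"="image" [date size] line per value, with [X] where the image no longer exists on disk. As an added example, not ComboFix's code and not from this thread, here is a Python triage of that section using three generic heuristics: image under a user profile data directory, value name borrowed from a Windows system process while the image is outside system32, and one image registered under more than one value name. The sample section is constructed from entries in the log posted later in this thread; the line format and the list of process names are assumptions. Note what the heuristics do not catch: the rogue's own "Antivirus Pro 2010" value points under Program Files and looks like any other installed application, so the listing still needs a human read.

```python
"""Triage of the "Reg Loading Points" section of a ComboFix log (added example;
not ComboFix's code and not from the forum post). Three generic heuristics are
applied to each autostart value: image under a user profile data directory,
value name borrowed from a Windows system process while the image lives outside
system32, and one image registered under several value names. Values whose
image is missing on disk ([X]) are reported separately. The line format is
inferred from the log posted in this thread."""
import re
from collections import defaultdict

# Constructed sample shaped after the posted log, trimmed to the entries needed.
SAMPLE_SECTION = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 68856]

"mserv"="c:\documents and settings\Mika\Application Data\svcst.exe" [2009-09-26 329216]

"svchost"="c:\documents and settings\Mika\Application Data\svcst.exe" [2009-09-26 329216]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" [2009-09-28 230000]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "name"="data" [ - resolved path] [date size | X]
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?: - (.+?))? \[([^\]]*)\]$')

# Directories a legitimate autostart has no business running from (XP layout).
PROFILE_DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\",
                     "\\temporary internet files\\", "\\cookies\\")
# Process names malware borrows; the genuine ones live in system32 on XP.
SYSTEM_PROCESS_NAMES = {"svchost", "csrss", "lsass", "smss", "winlogon",
                        "services", "spoolsv"}


def parse_section(text):
    """Return (key, name, image, meta) per entry. image is the resolved path
    ComboFix printed after ' - ' when present, else the value data, lowercased."""
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := ENTRY_RE.match(line)) and key:
            name, data, resolved, meta = m.groups()
            entries.append((key, name, (resolved or data).lower(), meta))
    return entries


def triage(entries):
    """Return {(key, name): [reasons]} for the entries that deserve a look."""
    findings = defaultdict(list)
    by_image = defaultdict(list)
    for key, name, image, meta in entries:
        if meta == "X":
            findings[(key, name)].append("image missing on disk")
            continue
        by_image[image].append((key, name))
        if any(d in image for d in PROFILE_DATA_DIRS):
            findings[(key, name)].append("runs from a user profile data directory")
        base = name.lower()
        base = base[:-4] if base.endswith(".exe") else base
        if base in SYSTEM_PROCESS_NAMES and "\\windows\\system32\\" not in image:
            findings[(key, name)].append(
                "value name imitates a system process but image is outside system32")
    for owners in by_image.values():
        if len(owners) > 1:
            for owner in owners:
                findings[owner].append(f"same image registered {len(owners)} times")
    return dict(findings)


if __name__ == "__main__":
    for (key, name), reasons in triage(parse_section(SAMPLE_SECTION)).items():
        print(f"{key}\\{name}")
        for reason in reasons:
            print("   ", reason)
```

On the sample this reports the two HKCU values that both launch svcst.exe from Application Data (one of them under the name "svchost") and the orphaned LaunchApp value, and stays silent on the rest. Paste the real section in place of SAMPLE_SECTION to run it on a posted log.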

Negster22,

I've disconnected this little Acer One from the Net.

Followed instructions, ran Combofix. It had to reboot and found a rootkit. It needed to download Restore software from Microsoft. I had disabled my wireless and fortunately did not disable the ethernet port. Plugged the cable in and Combofix downloaded the restore point software. Combo rebooted. Ran for a while and completed. Antivirus Pro popped up... Didn't touch a thing. Just getting the text file to a thumb drive to send it to you from an uncontaminated machine.

Thanks in advance for your help.

Combofix.txt log follows:

ComboFix 09-09-25.01 - Mika 09/27/2009 22:14.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.547 [GMT -7:00]

Running from: c:\documents and settings\Mika\Desktop\Fixit.exe

Command switches used :: c:\documents and settings\Mika\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Mika\LOCALS~1\Temp\csrss.exe

c:\documents and settings\All Users\Application Data\axiqiq.dl

c:\documents and settings\All Users\Application Data\orufaqo.dll

c:\documents and settings\All Users\Application Data\pokimy.reg

c:\documents and settings\Mika\Application Data\ekywax.exe

c:\documents and settings\Mika\Application Data\itobytuc.bat

c:\documents and settings\Mika\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\Mika\Cookies\carotim.vbs

c:\documents and settings\Mika\Cookies\itajysa.dll

c:\documents and settings\Mika\Cookies\olapuki.scr

c:\documents and settings\Mika\Desktop\AntivirusPro_2010.lnk

c:\documents and settings\Mika\Local Settings\Application Data\ebixuv.exe

c:\documents and settings\Mika\Local Settings\Application Data\nubyfezy.dl

c:\documents and settings\Mika\Local Settings\Application Data\qoqu.com

c:\documents and settings\Mika\Local Settings\Temporary Internet Files\fuloxeti.bat

c:\documents and settings\Mika\Local Settings\Temporary Internet Files\igyxyja.ban

c:\documents and settings\Mika\Local Settings\Temporary Internet Files\ihyzemyd.exe

c:\documents and settings\Mika\Local Settings\Temporary Internet Files\vuxonan._sy

c:\documents and settings\Mika\Local Settings\Temporary Internet Files\zulim.reg

c:\documents and settings\Mika\Start Menu\Programs\AntivirusPro_2010

c:\documents and settings\Mika\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk

c:\documents and settings\Mika\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk

c:\program files\AntivirusPro_2010

c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe

c:\program files\Common Files\afoc._dl

c:\program files\Common Files\jiluzyfad.exe

c:\program files\Mozilla Firefox\AccessibleMarshal.dll

c:\program files\Mozilla Firefox\chrome\amba.jar

c:\program files\Mozilla Firefox\Components\browserdirprovider.dll

c:\program files\Mozilla Firefox\Components\brwsrcmp.dll

c:\program files\Mozilla Firefox\xpcom.dll

c:\program files\Mozilla Firefox\xul.dll

c:\program files\Shared

c:\program files\Shared\lib.sig

c:\windows\ifananyqyg.dll

c:\windows\mark_32.dll

c:\windows\msa.exe

c:\windows\system32\_scui.cpl

c:\windows\system32\1.tmp

c:\windows\system32\2.tmp

c:\windows\system32\bennuar.old

c:\windows\system32\bincd32.dat

c:\windows\system32\dddesot.dll

c:\windows\system32\desot.exe

c:\windows\system32\hehocofuxy.inf

c:\windows\system32\ijyp.inf

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\system32\nzFIu3h78di.dll

c:\windows\system32\sonhelp.htm

c:\windows\system32\sysnet.dat

c:\windows\system32\wispex.html

c:\windows\system32\yvifyru.exe

.

--------------- FMove ---------------

c:\windows\system32\logevent.dll --> c:\windows\system32\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))

.

2009-09-27 20:48 . 2009-09-27 20:48 -------- d-----w- c:\program files\Trend Micro

2009-09-27 01:29 . 2009-09-27 01:29 -------- d-----w- c:\program files\Ask.com

2009-09-27 01:28 . 2009-09-27 01:28 -------- d-----w- c:\program files\MSSOAP

2009-09-27 01:27 . 2009-09-27 01:27 -------- d-----w- c:\program files\Webroot

2009-09-26 21:22 . 2009-06-18 19:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2009-09-26 20:13 . 2009-09-26 20:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-26 20:11 . 2009-09-26 20:11 -------- d-----w- c:\program files\Sophos

2009-09-26 18:41 . 2009-09-26 18:41 18019 ----a-w- c:\windows\system32\exade.com

2009-09-26 18:41 . 2009-09-26 18:41 17711 ----a-w- c:\windows\system32\egewalix.dat

2009-09-26 18:37 . 2009-09-28 03:43 -------- d--h--w- c:\windows\PIF

2009-09-26 06:19 . 2009-09-26 06:19 -------- d-----w- c:\program files\WinASO

2009-09-26 05:50 . 2009-09-26 05:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2009-09-26 04:43 . 2009-09-26 04:43 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-26 03:42 . 2009-09-26 03:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-09-26 03:41 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2009-09-26 03:41 . 2009-09-26 04:43 -------- d-----w- c:\documents and settings\Administrator

2009-09-25 20:06 . 2009-09-27 18:22 0 ----a-r- c:\windows\win32k.sys

2009-09-25 20:06 . 2009-09-25 23:43 -------- d-----w- c:\program files\Windows Police Prox

2009-09-25 20:06 . 2008-04-15 03:00 26112 ----a-w- c:\windows\system32\userinit.exe

2009-09-22 18:58 . 2009-09-22 18:58 -------- d-----w- c:\program files\Common Files\xing shared

2009-09-22 18:57 . 2009-09-22 18:57 -------- d-----w- c:\program files\Real

2009-09-22 18:57 . 2009-09-22 18:58 -------- d-----w- c:\program files\Common Files\Real

2009-09-10 20:01 . 2009-09-10 20:01 -------- d-----w- c:\windows\Sun

2009-09-10 20:00 . 2009-09-10 20:00 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-10 20:00 . 2009-09-10 20:00 -------- d-----w- c:\program files\Java

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-28 05:20 . 2009-01-19 05:00 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-28 05:01 . 2009-04-25 04:11 -------- d-----w- c:\documents and settings\Mika\Application Data\U3

2009-09-27 18:09 . 2009-09-26 06:00 230000 ----a-w- c:\documents and settings\Mika\Application Data\lizkavd.exe

2009-09-26 04:14 . 2009-09-26 04:14 329216 ----a-w- c:\documents and settings\Mika\Application Data\svcst.exe

2009-09-26 04:14 . 2009-09-26 04:14 329216 ----a-w- c:\documents and settings\Mika\Application Data\seres.exe

2009-09-26 03:47 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-26 03:47 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\SiteAdvisor

2009-09-26 03:47 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield

2009-09-22 18:57 . 2003-10-17 20:44 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-09-18 16:02 . 2009-05-18 08:47 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-10 07:29 . 2009-01-18 07:41 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 03:38 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-19 05:30 . 2009-08-19 05:30 13708 ----a-w- c:\documents and settings\Mika\Local Settings\Application Data\rijupys.pif

2009-08-19 05:30 . 2009-08-19 05:30 13648 ----a-w- c:\documents and settings\Mika\Local Settings\Application Data\ufamaj.dll

2009-08-19 05:30 . 2009-08-19 05:30 11198 ----a-w- c:\documents and settings\Mika\Application Data\eluduzah.dat

2009-08-14 07:40 . 2009-01-19 04:57 93128 ----a-w- c:\documents and settings\Mika\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-11 04:12 . 2009-01-19 02:40 -------- d-----w- c:\program files\MSBuild

2009-08-11 04:12 . 2009-08-11 04:12 -------- d-----w- c:\program files\Reference Assemblies

2009-08-11 04:01 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Works

2009-08-11 03:53 . 2009-08-11 03:53 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2009-08-11 03:52 . 2009-08-11 03:52 -------- d-----w- c:\program files\Windows Live

2009-08-11 03:51 . 2009-08-11 03:51 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-08-11 03:51 . 2009-08-11 03:51 -------- d-----w- c:\program files\Microsoft Sync Framework

2009-08-11 03:51 . 2009-04-23 05:05 -------- d-----w- c:\program files\Microsoft

2009-08-05 09:01 . 2008-04-15 03:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2008-04-15 03:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2008-04-15 03:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2007-08-14 01:54 915456 ----a-w- c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 68856]

"mserv"="c:\documents and settings\Mika\Application Data\svcst.exe" [2009-09-26 329216]

"svchost"="c:\documents and settings\Mika\Application Data\svcst.exe" [2009-09-26 329216]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-10-01 125368]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-10 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-17 24064]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-25 53096]

"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]

"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" [2009-09-28 230000]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-1-18 295606]

Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [9/26/2009 2:22 PM 18816]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [8/10/2009 8:52 PM 55152]

R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [3/30/2009 4:28 PM 1533808]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 9:36 PM 102448]

S0 upxv;upxv;c:\windows\system32\drivers\zhxkkvhi.sys --> c:\windows\system32\drivers\zhxkkvhi.sys [?]

S2 AntipPolice_;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]

S2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" --> c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [?]

S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/16/2009 10:36 PM 24064]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 6:41 PM 116664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 22:06]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: &Search

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Mika\Application Data\Mozilla\Firefox\Profiles\15opvphf.default\

FF - prefs.js: browser.startup.homepage - hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0109&m=aoa150

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe

HKLM-Run-realteks - c:\documents and settings\Mika\Application Data\Google\oidch15621553.exe

HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-27 22:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\_scui.cpl 167424 bytes executable

c:\documents and settings\Mika\Application Data\yjosa.dat 17454 bytes

c:\documents and settings\Mika\Application Data\yvid.sys 15354 bytes

scan completed successfully

hidden files: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\3.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1984)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\searchindexer.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

c:\windows\system32\igfxsrvc.exe

c:\program files\Symantec AntiVirus\DoScan.exe

c:\windows\system32\igfxext.exe

c:\documents and settings\Mika\Application Data\seres.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\docume~1\Mika\LOCALS~1\temp\RtkBtMnt.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2009-09-28 22:32 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-28 05:32

Pre-Run: 102,210,228,224 bytes free

Post-Run: 102,196,150,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

341 --- E O F --- 2009-09-10 03:42


Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

We have some more items to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, type notepad into the Open: box, and then click OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad:

KillAll::

Driver::
yvid
upxv
AntipPolice_

File::
c:\documents and settings\Mika\Application Data\svcst.exe
c:\documents and settings\Mika\Application Data\seres.exe
c:\docume~1\Mika\LOCALS~1\temp\RtkBtMnt.exe
%windir%\system32\drivers\svchost.exe
c:\documents and settings\Mika\Application Data\lizkavd.exe
c:\windows\win32k.sys
c:\documents and settings\Mika\Local Settings\Application Data\rijupys.pif
c:\documents and settings\Mika\Local Settings\Application Data\ufamaj.dll
c:\documents and settings\Mika\Application Data\eluduzah.dat

Folder::
c:\program files\Windows Police Prox
c:\program files\AntivirusPro_2010

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mserv"=-
"svchost"=-
"Antivirus Pro 2010"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=-
"%windir%\\system32\\drivers\\svchost.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000

Rootkit::
c:\windows\system32\_scui.cpl
c:\documents and settings\Mika\Application Data\yjosa.dat
c:\documents and settings\Mika\Application Data\yvid.sys
c:\windows\system32\drivers\zhxkkvhi.sys
c:\windows\svchast.exe

Save this to your desktop as CFScript.txt by selecting File -> Save as.

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk, Windows Updates or any scanners. Then re-enable after you get the new Combofix report.

Referring to the picture below, drag CFScript.txt into ComboFix.exe (fixme.exe)

CFScriptB-4.gif

This will cause ComboFix to run again.

Please post back the log that opens when it finishes.

After Combofix has produced a log:

1. Re-enable any temporarily disabled active protection

2. See if it is possible to run MBAM again. If so, update and perform a quick scan.

Please post back C:\Combofix.txt and the MBAM log

Because you had a rootkit present, I'd like you to scan with this antirootkit program (ARK) to make sure no rootkits have survived -

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), copy the quick scan report to the windows clipboard and paste it in a reply back here
  • Now, relaunch the ARK program, click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

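The CFScript above removes the entries the helper picked out of the ComboFix log by hand: Run values launched from Application Data, a svchost.exe firewall exception sitting under the drivers directory, the silenced Security Center notifications, services whose binaries ComboFix could not verify, and the files catchme found hidden. As an added example (not from the forum post, ComboFix or Malwarebytes), here is a small Python triage script that reads a ComboFix-style report and flags those same indicator classes automatically; the sample log is an excerpt constructed from the log posted earlier in this thread, and the category names are my own.

```python
import re
from typing import Dict, List

# Excerpt constructed from the ComboFix log posted in this thread, trimmed to
# the kinds of lines the checks below look at; it is not the complete log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 68856]
"mserv"="c:\documents and settings\Mika\Application Data\svcst.exe" [2009-09-26 329216]
"svchost"="c:\documents and settings\Mika\Application Data\svcst.exe" [2009-09-26 329216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [3/30/2009 4:28 PM 1533808]
S0 upxv;upxv;c:\windows\system32\drivers\zhxkkvhi.sys --> c:\windows\system32\drivers\zhxkkvhi.sys [?]
S2 AntipPolice_;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
hidden files: 3
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
QUOTED_PATH_RE = re.compile(r'^"(?P<path>[^"]+)"')
# ComboFix service lines: "<start type> <name>;<display name>;<binary> ..."
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
HIDDEN_RE = re.compile(r"^hidden files:\s*(?P<n>\d+)$", re.I)

# Directories a legitimate autostart entry or firewall exception rarely points
# into; rogue AV families like the one in this thread drop binaries there.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

WHY = {
    "run-from-profile": "autostart binary lives in a user-profile data directory",
    "security-center-suppressed": "Security Center AV/firewall/update warnings are silenced",
    "firewall-exception-anomaly": "firewall exception for a system binary name outside system32",
    "service-binary-unverified": "ComboFix could not verify the service binary on disk ([?])",
    "hidden-files": "catchme reported files hidden from the Win32 API",
}


def _finding(category: str, line: str) -> Dict[str, str]:
    return {"category": category, "why": WHY[category], "line": line}


def audit_combofix_log(text: str) -> List[Dict[str, str]]:
    """Walk a ComboFix report line by line and return suspicious findings."""
    findings: List[Dict[str, str]] = []
    section = ""  # lower-cased registry key of the current [section]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = HIDDEN_RE.match(line)
        if m:
            if int(m.group("n")) > 0:
                findings.append(_finding("hidden-files", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # "--> path [?]" means the listed binary was not found/verified.
            if "[?]" in m.group("rest"):
                findings.append(_finding("service-binary-unverified", line))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data").strip()
        if section.endswith("\\currentversion\\run"):
            pm = QUOTED_PATH_RE.match(data)
            path = pm.group("path").lower() if pm else data.lower()
            if any(d in path for d in PROFILE_DIRS):
                findings.append(_finding("run-from-profile", line))
        elif "security center" in section:
            if (name.lower().endswith(("disablenotify", "disablemonitoring"))
                    and data.lower() == "dword:00000001"):
                findings.append(_finding("security-center-suppressed", line))
        elif "authorizedapplications" in section:
            # ComboFix prints these value names with doubled backslashes.
            path = name.replace("\\\\", "\\").lower()
            parent, _, base = path.rpartition("\\")
            if ((base == "svchost.exe" and not parent.endswith("\\system32"))
                    or any(d in path for d in PROFILE_DIRS)):
                findings.append(_finding("firewall-exception-anomaly", line))
    return findings


if __name__ == "__main__":
    for f in audit_combofix_log(SAMPLE_LOG):
        print(f"[{f['category']}] {f['why']}\n    {f['line']}")
```

The script only narrows down what to look at; every flagged path still has to be confirmed against the rest of the log (and, as the helper does here, a follow-up rootkit scan) before it goes into a removal script.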

ComboFix 09-09-25.01 - Mika 09/28/2009 20:57.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.363 [GMT -7:00]

Running from: c:\documents and settings\Mika\Desktop\Fixit.exe

Command switches used :: c:\documents and settings\Mika\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}

FILE ::

"c:\docume~1\Mika\LOCALS~1\temp\RtkBtMnt.exe"

"c:\documents and settings\Mika\Application Data\eluduzah.dat"

"c:\documents and settings\Mika\Application Data\lizkavd.exe"

"c:\documents and settings\Mika\Application Data\seres.exe"

"c:\documents and settings\Mika\Application Data\svcst.exe"

"c:\documents and settings\Mika\Local Settings\Application Data\rijupys.pif"

"c:\documents and settings\Mika\Local Settings\Application Data\ufamaj.dll"

"c:\windows\system32\drivers\svchost.exe"

"c:\windows\win32k.sys"

Running MBM now. Running fine, no objects infected yet....

will follow up as soon as it completes.

Len

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Mika\LOCALS~1\temp\RtkBtMnt.exe

c:\documents and settings\All Users\Documents\qizuci.reg

c:\documents and settings\All Users\Documents\rofepycap.dll

c:\documents and settings\Mika\Application Data\eluduzah.dat

c:\documents and settings\Mika\Application Data\lizkavd.exe

c:\documents and settings\Mika\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\Mika\Application Data\seres.exe

c:\documents and settings\Mika\Application Data\svcst.exe

c:\documents and settings\Mika\Application Data\yvid.sys

c:\documents and settings\Mika\Desktop\AntivirusPro_2010.lnk

c:\documents and settings\Mika\Local Settings\Application Data\rijupys.pif

c:\documents and settings\Mika\Local Settings\Application Data\ufamaj.dll

c:\documents and settings\Mika\Local Settings\Temporary Internet Files\icesen.db

c:\documents and settings\Mika\Start Menu\Programs\AntivirusPro_2010

c:\documents and settings\Mika\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk

c:\documents and settings\Mika\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk

c:\program files\AntivirusPro_2010

c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg

c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe

c:\program files\Common Files\wywyw.bat

c:\program files\Windows Police Prox

c:\program files\Windows Police Prox\msvcm80.dll

c:\program files\Windows Police Prox\msvcp80.dll

c:\program files\Windows Police Prox\msvcr80.dll

c:\program files\Windows Police Prox\tmp\dbsinit.exe

c:\program files\Windows Police Prox\tmp\images\i1.gif

c:\program files\Windows Police Prox\tmp\images\i2.gif

c:\program files\Windows Police Prox\tmp\images\i3.gif

c:\program files\Windows Police Prox\tmp\images\j1.gif

c:\program files\Windows Police Prox\tmp\images\j2.gif

c:\program files\Windows Police Prox\tmp\images\j3.gif

c:\program files\Windows Police Prox\tmp\images\jj1.gif

c:\program files\Windows Police Prox\tmp\images\jj2.gif

c:\program files\Windows Police Prox\tmp\images\jj3.gif

c:\program files\Windows Police Prox\tmp\images\l1.gif

c:\program files\Windows Police Prox\tmp\images\l2.gif

c:\program files\Windows Police Prox\tmp\images\l3.gif

c:\program files\Windows Police Prox\tmp\images\pix.gif

c:\program files\Windows Police Prox\tmp\images\t1.gif

c:\program files\Windows Police Prox\tmp\images\t2.gif

c:\program files\Windows Police Prox\tmp\images\up1.gif

c:\program files\Windows Police Prox\tmp\images\up2.gif

c:\program files\Windows Police Prox\tmp\images\w1.gif

c:\program files\Windows Police Prox\tmp\images\w11.gif

c:\program files\Windows Police Prox\tmp\images\w2.gif

c:\program files\Windows Police Prox\tmp\images\w3.gif

c:\program files\Windows Police Prox\tmp\images\w3.jpg

c:\program files\Windows Police Prox\tmp\images\wt1.gif

c:\program files\Windows Police Prox\tmp\images\wt2.gif

c:\program files\Windows Police Prox\tmp\images\wt3.gif

c:\program files\Windows Police Prox\tmp\wispex.html

c:\program files\Windows Police Prox\windows Police Pro.exe

c:\windows\bihana.bat

c:\windows\mexuraxiby.dl

c:\windows\pivera.dll

c:\windows\system32\_scui.cpl

c:\windows\system32\nikut.exe

c:\windows\system32\ujirawiq.inf

c:\windows\ubaqezupar.pif

c:\windows\vudoxu.pif

c:\windows\win32k.sys

c:\windows\xihukuzo.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ANTIPPOLICE_

-------\Service_AntipPolice_

-------\Service_upxv

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))

.

2009-09-27 20:48 . 2009-09-27 20:48 -------- d-----w- c:\program files\Trend Micro

2009-09-27 01:29 . 2009-09-27 01:29 -------- d-----w- c:\program files\Ask.com

2009-09-27 01:28 . 2009-09-27 01:28 -------- d-----w- c:\program files\MSSOAP

2009-09-27 01:27 . 2009-09-27 01:27 -------- d-----w- c:\program files\Webroot

2009-09-26 21:22 . 2009-06-18 19:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2009-09-26 20:13 . 2009-09-26 20:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-26 20:11 . 2009-09-26 20:11 -------- d-----w- c:\program files\Sophos

2009-09-26 18:41 . 2009-09-26 18:41 18019 ----a-w- c:\windows\system32\exade.com

2009-09-26 18:41 . 2009-09-26 18:41 17711 ----a-w- c:\windows\system32\egewalix.dat

2009-09-26 18:37 . 2009-09-28 03:43 -------- d--h--w- c:\windows\PIF

2009-09-26 06:19 . 2009-09-26 06:19 -------- d-----w- c:\program files\WinASO

2009-09-26 05:50 . 2009-09-26 05:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2009-09-26 04:43 . 2009-09-26 04:43 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-26 03:42 . 2009-09-26 03:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-09-26 03:41 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2009-09-26 03:41 . 2009-09-26 04:43 -------- d-----w- c:\documents and settings\Administrator

2009-09-25 20:06 . 2008-04-15 03:00 26112 ------w- c:\windows\system32\userinit.exe

2009-09-22 18:58 . 2009-09-22 18:58 -------- d-----w- c:\program files\Common Files\xing shared

2009-09-22 18:57 . 2009-09-22 18:57 -------- d-----w- c:\program files\Real

2009-09-22 18:57 . 2009-09-22 18:58 -------- d-----w- c:\program files\Common Files\Real

2009-09-10 20:01 . 2009-09-10 20:01 -------- d-----w- c:\windows\Sun

2009-09-10 20:00 . 2009-09-10 20:00 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-10 20:00 . 2009-09-10 20:00 -------- d-----w- c:\program files\Java

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-29 04:09 . 2009-01-19 05:00 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-28 05:26 . 2009-09-28 05:26 12064 ----a-w- c:\program files\Common Files\ilyso.db

2009-09-28 05:01 . 2009-04-25 04:11 -------- d-----w- c:\documents and settings\Mika\Application Data\U3

2009-09-26 03:47 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-26 03:47 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\SiteAdvisor

2009-09-26 03:47 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield

2009-09-22 18:57 . 2003-10-17 20:44 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-09-18 16:02 . 2009-05-18 08:47 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-10 07:29 . 2009-01-18 07:41 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 03:38 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-14 07:40 . 2009-01-19 04:57 93128 ----a-w- c:\documents and settings\Mika\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-11 04:12 . 2009-01-19 02:40 -------- d-----w- c:\program files\MSBuild

2009-08-11 04:12 . 2009-08-11 04:12 -------- d-----w- c:\program files\Reference Assemblies

2009-08-11 04:01 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Works

2009-08-11 03:53 . 2009-08-11 03:53 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2009-08-11 03:52 . 2009-08-11 03:52 -------- d-----w- c:\program files\Windows Live

2009-08-11 03:51 . 2009-08-11 03:51 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-08-11 03:51 . 2009-08-11 03:51 -------- d-----w- c:\program files\Microsoft Sync Framework

2009-08-11 03:51 . 2009-04-23 05:05 -------- d-----w- c:\program files\Microsoft

2009-08-05 09:01 . 2008-04-15 03:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2008-04-15 03:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2008-04-15 03:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2007-08-14 01:54 915456 ------w- c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-28_05.22.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-29 04:07 . 2009-09-29 04:07 16384 c:\windows\temp\Perflib_Perfdata_7b0.dat

+ 2009-01-17 05:41 . 2008-07-08 01:16 96856 c:\windows\system32\drivers\jmcr.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-10-01 125368]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-10 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-17 24064]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-25 53096]

"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-1-18 295606]

Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [9/26/2009 2:22 PM 18816]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [8/10/2009 8:52 PM 55152]

R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [3/30/2009 4:28 PM 1533808]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 9:36 PM 102448]

S2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" --> c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [?]

S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/16/2009 10:36 PM 24064]

S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [1/16/2009 10:41 PM 96856]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 6:41 PM 116664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 22:06]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: &Search

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Mika\Application Data\Mozilla\Firefox\Profiles\15opvphf.default\

FF - prefs.js: browser.startup.homepage - hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0109&m=aoa150

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-28 21:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\3.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2072)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\searchindexer.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

c:\docume~1\Mika\LOCALS~1\temp\RtkBtMnt.exe

c:\windows\system32\igfxext.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

.

**************************************************************************

.

Completion time: 2009-09-29 21:15 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-29 04:15

ComboFix2.txt 2009-09-28 05:32

Pre-Run: 102,195,449,856 bytes free

Post-Run: 102,156,554,240 bytes free

305 --- E O F --- 2009-09-10 03:42


My bad, I ran a full scan. Removed threats and rebooted.

ComboFix 09-09-25.01 - Mika 09/28/2009 20:57.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.363 [GMT -7:00]

Running from: c:\documents and settings\Mika\Desktop\Fixit.exe

Command switches used :: c:\documents and settings\Mika\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}

FILE ::

"c:\docume~1\Mika\LOCALS~1\temp\RtkBtMnt.exe"

"c:\documents and settings\Mika\Application Data\eluduzah.dat"

"c:\documents and settings\Mika\Application Data\lizkavd.exe"

"c:\documents and settings\Mika\Application Data\seres.exe"

"c:\documents and settings\Mika\Application Data\svcst.exe"

"c:\documents and settings\Mika\Local Settings\Application Data\rijupys.pif"

"c:\documents and settings\Mika\Local Settings\Application Data\ufamaj.dll"

"c:\windows\system32\drivers\svchost.exe"

"c:\windows\win32k.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Mika\LOCALS~1\temp\RtkBtMnt.exe

c:\documents and settings\All Users\Documents\qizuci.reg

c:\documents and settings\All Users\Documents\rofepycap.dll

c:\documents and settings\Mika\Application Data\eluduzah.dat

c:\documents and settings\Mika\Application Data\lizkavd.exe

c:\documents and settings\Mika\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\Mika\Application Data\seres.exe

c:\documents and settings\Mika\Application Data\svcst.exe

c:\documents and settings\Mika\Application Data\yvid.sys

c:\documents and settings\Mika\Desktop\AntivirusPro_2010.lnk

c:\documents and settings\Mika\Local Settings\Application Data\rijupys.pif

c:\documents and settings\Mika\Local Settings\Application Data\ufamaj.dll

c:\documents and settings\Mika\Local Settings\Temporary Internet Files\icesen.db

c:\documents and settings\Mika\Start Menu\Programs\AntivirusPro_2010

c:\documents and settings\Mika\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk

c:\documents and settings\Mika\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk

c:\program files\AntivirusPro_2010

c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg

c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe

c:\program files\Common Files\wywyw.bat

c:\program files\Windows Police Prox

c:\program files\Windows Police Prox\msvcm80.dll

c:\program files\Windows Police Prox\msvcp80.dll

c:\program files\Windows Police Prox\msvcr80.dll

c:\program files\Windows Police Prox\tmp\dbsinit.exe

c:\program files\Windows Police Prox\tmp\images\i1.gif

c:\program files\Windows Police Prox\tmp\images\i2.gif

c:\program files\Windows Police Prox\tmp\images\i3.gif

c:\program files\Windows Police Prox\tmp\images\j1.gif

c:\program files\Windows Police Prox\tmp\images\j2.gif

c:\program files\Windows Police Prox\tmp\images\j3.gif

c:\program files\Windows Police Prox\tmp\images\jj1.gif

c:\program files\Windows Police Prox\tmp\images\jj2.gif

c:\program files\Windows Police Prox\tmp\images\jj3.gif

c:\program files\Windows Police Prox\tmp\images\l1.gif

c:\program files\Windows Police Prox\tmp\images\l2.gif

c:\program files\Windows Police Prox\tmp\images\l3.gif

c:\program files\Windows Police Prox\tmp\images\pix.gif

c:\program files\Windows Police Prox\tmp\images\t1.gif

c:\program files\Windows Police Prox\tmp\images\t2.gif

c:\program files\Windows Police Prox\tmp\images\up1.gif

c:\program files\Windows Police Prox\tmp\images\up2.gif

c:\program files\Windows Police Prox\tmp\images\w1.gif

c:\program files\Windows Police Prox\tmp\images\w11.gif

c:\program files\Windows Police Prox\tmp\images\w2.gif

c:\program files\Windows Police Prox\tmp\images\w3.gif

c:\program files\Windows Police Prox\tmp\images\w3.jpg

c:\program files\Windows Police Prox\tmp\images\wt1.gif

c:\program files\Windows Police Prox\tmp\images\wt2.gif

c:\program files\Windows Police Prox\tmp\images\wt3.gif

c:\program files\Windows Police Prox\tmp\wispex.html

c:\program files\Windows Police Prox\windows Police Pro.exe

c:\windows\bihana.bat

c:\windows\mexuraxiby.dl

c:\windows\pivera.dll

c:\windows\system32\_scui.cpl

c:\windows\system32\nikut.exe

c:\windows\system32\ujirawiq.inf

c:\windows\ubaqezupar.pif

c:\windows\vudoxu.pif

c:\windows\win32k.sys

c:\windows\xihukuzo.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ANTIPPOLICE_

-------\Service_AntipPolice_

-------\Service_upxv

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))

.

2009-09-27 20:48 . 2009-09-27 20:48 -------- d-----w- c:\program files\Trend Micro

2009-09-27 01:29 . 2009-09-27 01:29 -------- d-----w- c:\program files\Ask.com

2009-09-27 01:28 . 2009-09-27 01:28 -------- d-----w- c:\program files\MSSOAP

2009-09-27 01:27 . 2009-09-27 01:27 -------- d-----w- c:\program files\Webroot

2009-09-26 21:22 . 2009-06-18 19:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2009-09-26 20:13 . 2009-09-26 20:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-26 20:11 . 2009-09-26 20:11 -------- d-----w- c:\program files\Sophos

2009-09-26 18:41 . 2009-09-26 18:41 18019 ----a-w- c:\windows\system32\exade.com

2009-09-26 18:41 . 2009-09-26 18:41 17711 ----a-w- c:\windows\system32\egewalix.dat

2009-09-26 18:37 . 2009-09-28 03:43 -------- d--h--w- c:\windows\PIF

2009-09-26 06:19 . 2009-09-26 06:19 -------- d-----w- c:\program files\WinASO

2009-09-26 05:50 . 2009-09-26 05:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2009-09-26 04:43 . 2009-09-26 04:43 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-26 03:42 . 2009-09-26 03:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-09-26 03:41 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2009-09-26 03:41 . 2009-09-26 04:43 -------- d-----w- c:\documents and settings\Administrator

2009-09-25 20:06 . 2008-04-15 03:00 26112 ------w- c:\windows\system32\userinit.exe

2009-09-22 18:58 . 2009-09-22 18:58 -------- d-----w- c:\program files\Common Files\xing shared

2009-09-22 18:57 . 2009-09-22 18:57 -------- d-----w- c:\program files\Real

2009-09-22 18:57 . 2009-09-22 18:58 -------- d-----w- c:\program files\Common Files\Real

2009-09-10 20:01 . 2009-09-10 20:01 -------- d-----w- c:\windows\Sun

2009-09-10 20:00 . 2009-09-10 20:00 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-10 20:00 . 2009-09-10 20:00 -------- d-----w- c:\program files\Java

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-29 04:09 . 2009-01-19 05:00 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-28 05:26 . 2009-09-28 05:26 12064 ----a-w- c:\program files\Common Files\ilyso.db

2009-09-28 05:01 . 2009-04-25 04:11 -------- d-----w- c:\documents and settings\Mika\Application Data\U3

2009-09-26 03:47 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-26 03:47 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\SiteAdvisor

2009-09-26 03:47 . 2009-09-26 03:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield

2009-09-22 18:57 . 2003-10-17 20:44 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-09-18 16:02 . 2009-05-18 08:47 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-10 07:29 . 2009-01-18 07:41 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 03:38 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-14 07:40 . 2009-01-19 04:57 93128 ----a-w- c:\documents and settings\Mika\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-11 04:12 . 2009-01-19 02:40 -------- d-----w- c:\program files\MSBuild

2009-08-11 04:12 . 2009-08-11 04:12 -------- d-----w- c:\program files\Reference Assemblies

2009-08-11 04:01 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Works

2009-08-11 03:53 . 2009-08-11 03:53 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2009-08-11 03:52 . 2009-08-11 03:52 -------- d-----w- c:\program files\Windows Live

2009-08-11 03:51 . 2009-08-11 03:51 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-08-11 03:51 . 2009-08-11 03:51 -------- d-----w- c:\program files\Microsoft Sync Framework

2009-08-11 03:51 . 2009-04-23 05:05 -------- d-----w- c:\program files\Microsoft

2009-08-05 09:01 . 2008-04-15 03:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2008-04-15 03:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2008-04-15 03:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2007-08-14 01:54 915456 ------w- c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-28_05.22.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-29 04:07 . 2009-09-29 04:07 16384 c:\windows\temp\Perflib_Perfdata_7b0.dat

+ 2009-01-17 05:41 . 2008-07-08 01:16 96856 c:\windows\system32\drivers\jmcr.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-10-01 125368]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-10 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-17 24064]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-25 53096]

"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-1-18 295606]

Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [9/26/2009 2:22 PM 18816]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [8/10/2009 8:52 PM 55152]

R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [3/30/2009 4:28 PM 1533808]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 9:36 PM 102448]

S2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" --> c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [?]

S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/16/2009 10:36 PM 24064]

S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [1/16/2009 10:41 PM 96856]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 6:41 PM 116664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 22:06]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: &Search

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Mika\Application Data\Mozilla\Firefox\Profiles\15opvphf.default\

FF - prefs.js: browser.startup.homepage - hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0109&m=aoa150

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-28 21:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\3.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2072)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\searchindexer.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

c:\docume~1\Mika\LOCALS~1\temp\RtkBtMnt.exe

c:\windows\system32\igfxext.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

.

**************************************************************************

.

Completion time: 2009-09-29 21:15 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-29 04:15

ComboFix2.txt 2009-09-28 05:32

Pre-Run: 102,195,449,856 bytes free

Post-Run: 102,156,554,240 bytes free

305 --- E O F --- 2009-09-10 03:42

****************************

MBAM log

Malwarebytes' Anti-Malware 1.41

Database version: 2870

Windows 5.1.2600 Service Pack 3

9/28/2009 10:22:09 PM

mbam-log-2009-09-28 (22-21-58).txt

Scan type: Full Scan (C:\|E:\|)

Objects scanned: 214001

Time elapsed: 51 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir (Trojan.FakeAlert) -> No action taken.

C:\Qoobox\Quarantine\C\Program Files\Windows Police Prox\windows Police Pro.exe.vir (Antivirus2009) -> No action taken.

C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir (Trojan.Downloader) -> No action taken.

C:\Qoobox\Quarantine\C\WINDOWS\system32\dddesot.dll.vir (Rogue.ASC-AntiSpyware) -> No action taken.

C:\Qoobox\Quarantine\C\WINDOWS\system32\desot.exe.vir (Trojan.FakeAlert) -> No action taken.

C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> No action taken.

C:\Qoobox\Quarantine\C\WINDOWS\system32\nzfiu3h78di.dll.vir (Trojan.Agent) -> No action taken.

C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir (Trojan.FakeAlert) -> No action taken.

C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP1\A0000061.exe (Trojan.FakeAlert) -> No action taken.

C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP1\A0000067.exe (Antivirus2009) -> No action taken.

C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP1\A0000070.cpl (Trojan.FakeAlert) -> No action taken.


Rootkit log

GMER 1.0.15.15087 - http://www.gmer.net

Rootkit quick scan 2009-09-28 22:37:18

Windows 5.1.2600 Service Pack 3

Running: oj0f1djp.exe; Driver: C:\DOCUME~1\Mika\LOCALS~1\Temp\uxxcraob.sys

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----


Last Ark.txt

GMER 1.0.15.15087 - http://www.gmer.net

Rootkit scan 2009-09-29 07:12:30

Windows 5.1.2600 Service Pack 3

Running: oj0f1djp.exe; Driver: C:\DOCUME~1\Mika\LOCALS~1\Temp\uxxcraob.sys

---- System - GMER 1.0.15 ----

SSDT 860F9478 ZwAlertResumeThread

SSDT 86225090 ZwAlertThread

SSDT 86242718 ZwAllocateVirtualMemory

SSDT 861E2CF0 ZwConnectPort

SSDT 86230780 ZwCreateMutant

SSDT 86258FB0 ZwCreateThread

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA138690]

SSDT 86272F58 ZwFreeVirtualMemory

SSDT 860F8520 ZwImpersonateAnonymousToken

SSDT 862A9480 ZwImpersonateThread

SSDT 8625F940 ZwMapViewOfSection

SSDT 861765E0 ZwOpenEvent

SSDT 860F34A0 ZwOpenProcessToken

SSDT 86294A80 ZwOpenThreadToken

SSDT 8620CEF0 ZwQueryValueKey

SSDT 860FC090 ZwResumeThread

SSDT 861008E8 ZwSetContextThread

SSDT 862305C8 ZwSetInformationProcess

SSDT 862A8F58 ZwSetInformationThread

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA1388E0]

SSDT 861BC090 ZwSuspendProcess

SSDT 861E19A8 ZwSuspendThread

SSDT 86111730 ZwTerminateProcess

SSDT 861038E8 ZwTerminateThread

SSDT 86154D30 ZwUnmapViewOfSection

SSDT 86216738 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 406 804E4C40 5 Bytes [C8, 05, 23, 86, 58] {ENTER 0x2305, 0x86; POP EAX}

.text ntoskrnl.exe!ZwYieldExecution + 40C 804E4C46 2 Bytes [2A, 86]

.text ntoskrnl.exe!ZwYieldExecution + 47A 804E4CB4 5 Bytes [30, 17, 11, 86, E8]

.text ntoskrnl.exe!ZwYieldExecution + 480 804E4CBA 2 Bytes CALL 24D45CF7

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1516] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

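The GMER output above lists SSDT hooks that resolve either to a driver image (here SYMEVENT.SYS) or only to a raw kernel address, plus a user-mode inline hook. As an added example that is not part of the thread, here is a small Python parser for those GMER line formats that flags entries with no module attribution, or from a vendor not on a trust list, for manual review; the sample log and its explorer.exe line are constructed, and, as this thread itself shows, unattributed SSDT entries are frequently a security product's own hooks, so the output is a review list rather than a verdict.

```python
import re

# Constructed sample in GMER's text layout (not the log posted in the thread).
SAMPLE_GMER_LOG = """\
---- System - GMER 1.0.15 ----
SSDT 860F9478 ZwAlertResumeThread
SSDT \\??\\C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA138690]
SSDT 86216738 ZwWriteVirtualMemory
---- User code sections - GMER 1.0.15 ----
.text C:\\WINDOWS\\system32\\SearchIndexer.exe[1516] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\\WINDOWS\\system32\\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\\WINDOWS\\explorer.exe[1234] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00A10000
---- EOF - GMER 1.0.15 ----
"""

# SSDT entry attributed to a driver image: "SSDT \??\C:\...\X.SYS (desc/Vendor) ZwFoo [0x...]"
SSDT_NAMED = re.compile(r"^SSDT\s+(\\\?\?\\\S+)\s+\(([^)]*)\)\s+(Zw\w+)")
# SSDT entry that shows only a raw kernel address: "SSDT 860F9478 ZwFoo"
SSDT_BARE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(Zw\w+)\s*$")
# User-mode inline hook: ".text <proc>[pid] <dll>!<api> <addr> N Bytes JMP <target> [<module> (<desc>)]"
USER_HOOK = re.compile(
    r"^\.text\s+(\S+?)\[(\d+)\]\s+(\S+!\w+)\s+[0-9A-Fa-f]+\s+\d+ Bytes JMP [0-9A-Fa-f]+"
    r"(?:\s+(\S+)\s+\(([^)]*)\))?")


def vendor_of(desc):
    """'Symantec Event Library/Symantec Corporation' -> 'Symantec Corporation'."""
    return desc.rsplit("/", 1)[-1].strip()


def parse_gmer(text):
    """Return (ssdt_hooks, user_hooks); each hook carries an 'attributed' flag."""
    ssdt, user = [], []
    for line in text.splitlines():
        if m := SSDT_NAMED.match(line):
            ssdt.append({"func": m[3], "module": m[1], "vendor": vendor_of(m[2]), "attributed": True})
        elif m := SSDT_BARE.match(line):
            ssdt.append({"func": m[2], "module": None, "vendor": None, "attributed": False})
        elif m := USER_HOOK.match(line):
            user.append({"process": m[1], "pid": int(m[2]), "api": m[3], "module": m[4],
                         "vendor": vendor_of(m[5]) if m[5] else None,
                         "attributed": m[4] is not None})
    return ssdt, user


def triage(text, trusted_vendors):
    """Hooks worth a second look: no module attribution, or a vendor outside the trust list."""
    ssdt, user = parse_gmer(text)
    return [h for h in ssdt + user
            if not h["attributed"] or h["vendor"] not in trusted_vendors]
```

Feed it a full GMER log and a trust list of the security and OEM vendors actually installed on the box; whatever remains is the short list to check against known-good driver paths before deciding anything.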

I have quickly scanned through your logs. The primary infections are gone. I will review them more thoroughly later and at that time we can remove any inactive remnants that may still exist. If this were my system, I would remove the Ask Toolbar which I see in the logs. It is often bundled with legitimate and favorable programs, unfortunately.


Please upload these two files to the Virus Total Scanner and then post back the urls to the scan reports:

c:\windows\system32\exade.com

c:\windows\system32\egewalix.dat

Your results are OK. The threats detected by MBAM are in System Volume Information and we'll purge those at the end of the cleanup. The rest of the detections are threats already quarantined by Combofix in its "Qoobox".

The only consideration remaining is whether you want to remove the Ask Toolbar or not. If so, first try the Add/Remove Programs route, and if it's not there then we can use the brute force approach:

http://www.threatexpert.com/report.aspx?md...f1614427193765f

It's up to you.


Negster22,

Thanks for all the help. I've uninstalled Ask Toolbar. I'll get to the Virus Total Scanner tonight. How do you guys do this? Kudos.

Len

File exade.com received on 2009.10.01 02:07:50 (UTC)

http://www.virustotal.com/analisis/1b59e78...0871-1254362870

File egewalix.dat received on 2009.10.01 02:12:32 (UTC)

http://www.virustotal.com/analisis/93768df...bc79-1254363152


You're welcome, Len.

Those files look OK.

I've been doing this since 2004. You just have to get used to knowing what belongs and what doesn't in a computer file system and the Windows registry. Eventually a tremendous "white list" builds up in your brain and it becomes pretty automatic. Then you have to know what tool or script to use to remove anything malicious that doesn't belong.

We have a few steps to finish up now:

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 16, if you have not done that already.

You can check your currently installed JRE version here.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 16, then follow these steps:

1. Download the latest JRE version from Sun Microsystems' website: http://java.sun.com/javase/downloads/index.jsp

2. Select the option that says: "JRE 6 Update 16: This special release provides a few key fixes", and click the Download button.

3. Select your platform: Windows, in the pull down menu.

4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."

5. Click Continue.

6. Under the Windows Platform - Java SE Runtime Environment 6 Update 16 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.

7. Close any programs you may have running - especially your web browser.

8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

9. Reboot your system

10. Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version of the Sun Java Platform.

11. If the Yahoo Toolbar is prechecked for installation be sure to UNCHECK it, if you do not care to have it, or already have it installed - it is not part of the JRE install and totally unnecessary.

12. You may verify that the current version installed properly by clicking http://java.com/en/download/installed.jsp here.

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

-

If I asked you to download and run an ARK (Antirootkit program), then please uninstall it by doing the following:

  • Delete the contents of the folder C:\ARK
  • Delete the C:\ARK folder

Let's remove Combofix and all its associated files including those in quarantine:

Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\Fixit.exe" /u

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • It will flush your system restore points and create a new restore point.
  • It will rehide your system files and folders
  • Reset your system clock

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes. The Pro version offers IP protection from online threats, automatic updating and scheduled scanning.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:

http://www.javacoolsoftware.com/spywareblaster.html

Update it and then enable protection for all unprotected items.

You will have to update the free version manually about once a month by clicking the Updates button. You can refer to the Calendar of Updates Website to see when SpywareBlaster and other programs that do not autoupdate have new definitions or program updates available.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Updates.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

Happy Surfing!
