
MalwareBytes won't install, error running Defogger, GMER crashes


  • Staff

Hi,

On the Dell, please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

It appears as though whatever infections were present previously are now gone, unless you have evidence which indicates otherwise?

-screen317


I've been running Malwarebytes almost every day since reformatting the Dell over 2 weeks ago. I posted logs from many tools on Mar 29 2010, 11:10 PM, Post #11. The ComboFix log reported 3 infected system files. The same 3 system files were reported to be infected in the newer ComboFix log done on April 7th below. However, Malwarebytes never found any infection in the past 2 1/2 weeks; I'm posting the most recent log (showing no infection) below the ComboFix log. Dr. Web and Trend Micro haven't found anything either, but Avira found and removed 2 other viruses on the Dell in the last 2 1/2 weeks. Thanks.

ComboFix 10-04-05.06 - Administrator 04/07/2010 0:27.2.1 - FAT32x86

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.254.148 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\TEMP\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\qmgr.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))

.

2010-04-07 04:38 . 2010-04-07 04:38 16384 ----a-w- c:\winnt\system32\Perflib_Perfdata_4e0.dat

2010-04-06 23:31 . 2010-04-06 23:31 -------- d-----w- C:\WUTemp

2010-04-06 22:26 . 2010-04-06 22:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer

2010-04-06 22:23 . 2010-04-06 22:23 -------- d-----w- c:\program files\QuickTime

2010-04-06 22:23 . 2010-04-06 22:23 -------- d-----w- c:\program files\Apple Software Update

2010-04-06 22:22 . 2010-04-06 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-04-05 02:41 . 2010-04-05 02:41 -------- d-----w- c:\program files\ToniArts

2010-04-05 02:41 . 2010-04-05 02:41 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-03 18:33 . 2010-04-03 18:33 -------- d-----w- C:\FOUND.000

2010-03-31 16:27 . 2010-03-31 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2010-03-31 16:26 . 2010-03-31 16:26 -------- d-----w- c:\program files\Yahoo!

2010-03-30 20:43 . 2010-03-30 20:43 -------- d-s---w- c:\documents and settings\Administrator\UserData

2010-03-30 05:46 . 2010-03-30 05:46 -------- d-----w- c:\program files\NetZero

2010-03-30 05:46 . 2010-03-30 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NetZero

2010-03-30 05:46 . 2010-03-30 05:46 -------- d-----w- C:\NetZeroInstaller

2010-03-29 04:52 . 2010-03-29 04:52 -------- d-----w- c:\program files\FXDD - MetaTrader 4

2010-03-28 21:56 . 1999-12-06 20:00 12560 ----a-w- c:\winnt\system32\dllcache\chtbrkr.dll

2010-03-28 21:56 . 1999-12-06 20:00 12560 ----a-w- c:\winnt\system32\chtbrkr.dll

2010-03-28 21:56 . 1999-12-06 20:00 1577216 ----a-w- c:\winnt\system32\dllcache\cjime.exe

2010-03-28 21:56 . 1999-12-06 20:00 1577216 ----a-w- c:\winnt\system32\cjime.exe

2010-03-28 21:55 . 1999-12-06 20:00 1409792 ----a-w- c:\winnt\system32\phime.exe

2010-03-28 21:55 . 1999-12-06 20:00 1409792 ----a-w- c:\winnt\system32\dllcache\phime.exe

2010-03-28 21:36 . 1999-08-05 20:11 290816 ----a-w- c:\winnt\system32\IMEPAD.DLL

2010-03-28 21:36 . 1999-08-05 20:11 290816 ----a-w- c:\winnt\system32\dllcache\imepad.dll

2010-03-28 21:25 . 2010-03-28 21:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canon

2010-03-28 20:52 . 2010-03-28 20:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Foxit Software

2010-03-28 20:51 . 2010-03-28 20:51 -------- d-----w- c:\program files\Foxit Software

2010-03-28 20:51 . 2010-03-28 20:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Foxit

2010-03-28 20:20 . 2010-03-28 20:21 -------- d-----w- c:\program files\IZArc

2010-03-28 20:18 . 2010-03-28 20:18 -------- d-----w- c:\winnt\ShellNew

2010-03-28 20:16 . 2010-03-28 20:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microsoft Web Folders

2010-03-28 19:35 . 2010-03-28 19:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY.users

2010-03-28 19:34 . 2010-03-28 19:34 -------- d-----w- c:\program files\SogouInput

2010-03-28 19:34 . 2010-03-28 19:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY

2010-03-28 19:31 . 1999-12-06 20:00 12560 ----a-w- c:\winnt\system32\dllcache\chsbrkr.dll

2010-03-28 19:31 . 1999-12-06 20:00 12560 ----a-w- c:\winnt\system32\chsbrkr.dll

2010-03-28 19:31 . 1999-12-06 20:00 3442432 ----a-w- c:\winnt\system32\pyime.exe

2010-03-28 19:31 . 1999-12-06 20:00 3442432 ----a-w- c:\winnt\system32\dllcache\pyime.exe

2010-03-28 10:08 . 2007-10-23 13:27 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe

2010-03-28 10:01 . 1998-10-29 20:45 306688 ----a-w- c:\winnt\IsUninst.exe

2010-03-28 09:57 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe

2010-03-28 09:56 . 2010-03-28 09:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2010-03-28 09:53 . 2010-03-28 09:53 -------- d-----w- C:\dell

2010-03-28 09:43 . 1996-01-09 14:38 283648 ----a-w- c:\winnt\uninst.exe

2010-03-28 09:10 . 2010-03-28 09:10 2829 ----a-w- c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Quattro.pif

2010-03-28 06:47 . 2010-03-28 06:47 -------- d-----w- c:\winnt\system32\Macromed

2010-03-28 06:18 . 2010-03-28 06:18 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft

2010-03-28 00:05 . 2010-03-28 00:05 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2010-03-27 18:57 . 2010-03-30 07:57 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-27 18:54 . 2010-03-27 18:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-03-27 17:58 . 2010-03-27 17:58 -------- d-----w- c:\program files\Avira

2010-03-27 17:58 . 2010-03-27 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-03-27 17:58 . 2009-03-30 13:32 97512 ----a-w- c:\winnt\system32\drivers\avipbb.sys

2010-03-27 17:58 . 2009-03-24 19:07 65240 ----a-w- c:\winnt\system32\drivers\avgntflt.sys

2010-03-27 17:58 . 2009-02-13 15:28 18520 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys

2010-03-27 17:58 . 2009-02-13 15:16 64488 ----a-w- c:\winnt\system32\drivers\avgntdd.sys

2010-03-27 17:58 . 2010-03-27 17:58 -------- d-----w- c:\winnt\winsxs

2010-03-27 17:54 . 2010-03-27 17:54 -------- d-----w- c:\winnt\system32\Windows Media

2010-03-27 17:53 . 2010-03-27 17:54 -------- d--h--w- c:\winnt\$NtUpdateRollupPackUninstall$

2010-03-27 17:53 . 2010-03-27 17:54 -------- d-----w- c:\winnt\msiinst.tmp

2010-03-27 17:52 . 2010-03-27 17:52 -------- d-----w- c:\winnt\ime

2010-03-27 17:52 . 2010-03-27 17:52 -------- d-----w- c:\winnt\system32\Microsoft

2010-03-27 17:47 . 2010-03-27 17:47 -------- d-----w- c:\winnt\system32\ie_de

2010-03-27 17:47 . 2010-03-27 17:47 -------- d-----w- c:\winnt\system32\CertSrv

2010-03-27 17:47 . 2010-03-27 17:47 -------- d-----w- c:\winnt\ServicePackFiles

2010-03-27 17:46 . 2003-06-19 16:05 3856 ------w- c:\winnt\system32\SVCPACK1.DLL

2010-03-27 17:44 . 2003-06-19 18:05 977680 ----a-w- c:\winnt\system32\vfpodbc.dll

2010-03-27 17:43 . 2003-06-19 18:05 85776 ----a-w- c:\winnt\system32\smlogsvc.exe

2010-03-27 17:42 . 2003-06-19 18:05 444176 ----a-w- c:\winnt\system32\oieng400.dll

2010-03-27 17:41 . 2003-06-19 18:05 33616 ------w- c:\winnt\system32\drivers\fips.sys

2010-03-27 17:40 . 2003-06-19 18:05 305664 ----a-w- c:\winnt\system32\msihnd.dll

2010-03-27 17:40 . 2003-09-20 01:53 64512 ----a-w- c:\winnt\system32\msiexec.exe

2010-03-27 17:40 . 2003-06-19 18:05 2017792 ----a-w- c:\winnt\system32\msi.dll

2010-03-27 17:40 . 2004-07-19 23:56 319760 ----a-w- c:\winnt\system32\msexcl40.dll

2010-03-27 17:40 . 2003-09-26 07:42 512272 ----a-w- c:\winnt\system32\msexch40.dll

2010-03-27 17:40 . 2003-06-19 18:05 4126 ----a-w- c:\winnt\system32\msdxmlc.dll

2010-03-27 17:37 . 2003-06-19 18:05 74000 ----a-w- c:\winnt\system32\uniime.dll

2010-03-27 17:37 . 2003-06-19 18:05 74000 ----a-w- c:\winnt\system32\dllcache\uniime.dll

2010-03-27 17:35 . 2003-06-19 18:05 206096 ----a-w- c:\winnt\system32\infosoft.dll

2010-03-27 17:34 . 2004-03-11 18:29 97552 ----a-w- c:\winnt\system32\comrepl.dll

2010-03-27 17:33 . 2010-03-27 17:33 0 ----a-w- c:\winnt\nsreg.dat

2010-03-27 17:33 . 2010-03-27 17:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-03-27 17:10 . 2010-03-30 04:46 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-03-27 17:10 . 2010-03-30 04:45 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys

2010-03-27 17:10 . 2010-03-27 17:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-27 17:10 . 2010-03-27 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-27 16:52 . 2010-03-27 16:52 -------- d-----w- C:\UNINST

2010-03-27 08:44 . 2010-03-27 08:44 -------- d-----w- C:\UTIL

2010-03-27 08:43 . 2010-03-27 08:43 -------- d-----w- c:\program files\SSH Communications Security

2010-03-27 08:43 . 2010-03-27 08:43 -------- d-----w- c:\program files\RegClean

2010-03-27 08:43 . 2010-03-27 08:43 -------- d-----w- c:\program files\QPRO

2010-03-27 08:42 . 2010-03-27 08:42 -------- d-----w- c:\program files\ATF Cleaner

2010-03-27 08:35 . 2010-03-27 08:35 -------- d-----w- c:\program files\Juno

2010-03-27 08:33 . 2010-04-04 17:24 -------- d-----r- C:\MYDOCS

2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\juno2

2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\juno1

2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\Index

2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\Futures

2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\FOREX

2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\EXPORT

2010-03-27 08:32 . 2010-03-27 08:32 -------- d-----w- C:\COMM

2010-03-27 08:32 . 2010-03-27 08:32 -------- d-----w- C:\BAT

2010-03-27 08:32 . 2010-03-27 08:32 -------- d-----w- C:\antbar

2010-03-27 08:29 . 2010-03-27 08:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Scansoft

2010-03-27 08:15 . 2006-09-13 04:00 74240 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0409\CNMsr83.dll

2010-03-27 08:15 . 2006-09-13 04:00 73216 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0411\CNMlr83.dll

2010-03-27 08:15 . 2006-09-13 04:00 42496 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0411\CNMsr83.dll

2010-03-27 08:15 . 2006-09-13 04:00 334848 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0409\CNMur83.dll

2010-03-27 08:15 . 2006-09-13 04:00 249344 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0411\CNMur83.dll

2010-03-27 08:15 . 2006-09-13 04:00 130048 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0409\CNMlr83.dll

2010-03-27 08:15 . 2003-06-19 18:05 12592 ----a-w- c:\winnt\system32\drivers\usbscan.sys

2010-03-27 08:15 . 2010-03-27 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield

2010-03-27 08:15 . 2010-03-27 08:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\ScanSoft

2010-03-27 08:14 . 2010-03-27 08:14 -------- d-----w- c:\program files\Common Files\ScanSoft Shared

2010-03-27 08:14 . 2010-03-27 08:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft

2010-03-27 08:14 . 2010-03-27 08:14 -------- d-----w- c:\program files\ScanSoft

2010-03-27 08:13 . 2010-03-27 08:13 -------- d-----w- c:\program files\Common Files\InstallShield

2010-03-27 08:13 . 2010-03-27 08:13 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ

2010-03-27 08:13 . 2006-09-13 04:00 69632 ----a-w- c:\winnt\system32\Spool\prtprocs\w32x86\CNMPP83.DLL

2010-03-27 08:13 . 2006-09-13 04:00 27136 ----a-w- c:\winnt\system32\Spool\prtprocs\w32x86\CNMPD83.DLL

2010-03-27 08:13 . 2006-09-13 04:00 197632 ----a-w- c:\winnt\system32\CNMLM83.DLL

2010-03-27 08:13 . 2010-03-27 08:13 -------- d--h--w- c:\winnt\system32\CanonIJ Uninstaller Information

2010-03-27 08:12 . 2006-05-26 09:54 135168 ----a-w- c:\winnt\system32\CNCL160.DLL

2010-03-27 08:12 . 2006-04-13 15:22 73728 ----a-w- c:\winnt\system32\CNCU160.DLL

2010-03-27 08:12 . 2010-03-27 08:12 -------- d--h--w- c:\program files\CanonBJ

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-28 21:25 . 2010-03-28 21:25 5058 ----a-w- c:\winnt\Help\hhcolreg.dat

2010-03-27 07:42 . 2010-03-27 07:42 -------- d-----w- c:\program files\microsoft frontpage

2010-03-27 07:41 . 2010-03-27 07:41 558142 ----a-w- c:\winnt\java\Packages\4LBHFJ9J.ZIP

2010-03-27 07:41 . 2010-03-27 07:41 2678 ----a-w- c:\winnt\java\Packages\Data\6QB53FP3.DAT

2010-03-27 07:41 . 2010-03-27 07:41 2474 ----a-w- c:\winnt\java\Packages\Data\31FP37D7.DAT

2010-03-27 07:41 . 2010-03-27 07:41 2678 ----a-w- c:\winnt\java\Packages\Data\9JZ13T7H.DAT

2010-03-27 07:41 . 2010-03-27 07:41 2474 ----a-w- c:\winnt\java\Packages\Data\3PFFHBNZ.DAT

2010-03-27 07:41 . 2010-03-27 07:41 156441 ----a-w- c:\winnt\java\Packages\LVLZZVF5.ZIP

2010-03-27 07:41 . 2010-03-27 07:40 2678 ----a-w- c:\winnt\java\Packages\Data\TVF5BRTV.DAT

2010-03-27 07:41 . 2010-03-27 07:40 2678 ----a-w- c:\winnt\java\Packages\Data\NDZLZ7H7.DAT

2010-03-27 07:41 . 2010-03-27 07:40 2678 ----a-w- c:\winnt\java\Packages\Data\L31VFPJX.DAT

2010-03-27 07:40 . 2010-03-27 07:40 21952 ---h--w- c:\program files\folder.htt

2010-03-27 07:39 . 2010-03-27 07:39 15012 ----a-w- c:\winnt\system32\emptyregdb.dat

2010-03-27 07:38 . 2010-03-27 07:38 -------- d-----w- c:\program files\Accessories

.

((((((((((((((((((((((((((((( SnapShot@2010-04-05_04.31.08 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-03-27 07:30 . 2010-04-06 21:23 99048 c:\winnt\system32\FNTCACHE.DAT

- 2010-03-27 07:30 . 2010-04-04 20:57 99048 c:\winnt\system32\FNTCACHE.DAT

+ 2010-04-06 22:23 . 2010-04-06 22:23 24064 c:\winnt\Installer\{A260B422-70E1-41E2-957D-F76FA21266D5}\AppleSoftwareUpdateIco.exe

+ 2010-03-27 17:42 . 2003-06-19 18:05 244224 c:\winnt\system32\dllcache\qmgr.dll

+ 2010-04-06 22:23 . 2010-04-06 22:23 7424000 c:\winnt\Installer\4b5e8.msi

+ 2010-04-06 22:23 . 2010-04-06 22:23 1527808 c:\winnt\Installer\4b5e4.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2009-10-05 1779712]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\winnt\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]

.

.

------- Supplementary Scan -------

.

uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

LSP: %SystemRoot%\system32\msafd.dll

DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ort6yxoa.default\

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-07 00:38

Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(164)

c:\winnt\system32\wzcdlg.dll

c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(324)

c:\winnt\AppPatch\AcLayers.DLL

c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll

c:\winnt\system32\msi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\sched.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\winnt\system32\regsvc.exe

c:\winnt\system32\MSTask.exe

c:\winnt\system32\stisvc.exe

c:\winnt\System32\WBEM\WinMgmt.exe

.

**************************************************************************

.

Completion time: 2010-04-07 00:41:37 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-07 04:41

ComboFix2.txt 2010-04-05 04:33

Pre-Run: 763,559,936 bytes free

Post-Run: 815,276,032 bytes free

- - End Of File - - F40A69E0183B7F3235CFFAE566600581

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3970

Windows 5.0.2195 Service Pack 4

Internet Explorer 6.0.2600.0000

4/12/2010 6:26:21 AM

mbam-log-2010-04-12 (06-26-21).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 138863

Time elapsed: 3 hour(s), 6 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

The infected files reported by ComboFix appear not to exist. I will report it to the developer.

Has anything been detected recently, and is the computer experiencing any symptoms of infection?
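A quick way to check the point screen317 makes above, that ComboFix flags `comres.dll` (twice) and `qmgr.dll` under `c:\winnt\system32` but the files may not actually be there, is to parse the "Other Deletions" lines out of the log, dedupe them, and then look at what is really on disk. On Windows 2000/XP, Windows File Protection keeps a pristine copy of protected system files in `system32\dllcache` (the April 5th snapshot in this thread lists `c:\winnt\system32\dllcache\qmgr.dll`), so a file that exists can also be hashed against its cache copy. The script below is an added example written for this page, not a tool from Malwarebytes or the ComboFix author; the log excerpt, the `relocate()` mapping onto an offline root directory and the `demo()` tree are constructed so it runs without a real Windows 2000 install. A match with the dllcache copy only shows the two copies agree, not that either is clean, so treat "differs from dllcache" as the finding worth investigating.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed excerpt modelled on the "Other Deletions" section of the ComboFix log in this thread.
SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\\winnt\\system32\\comres.dll . . . is infected!!
c:\\winnt\\system32\\qmgr.dll . . . is infected!!
c:\\winnt\\system32\\comres.dll . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
"""

# ComboFix writes one flagged file per line: "<drive>:\<path> . . . is infected!!"
INFECTED_RE = re.compile(r"^(?P<path>[a-z]:\\.+?)\s+\.\s+\.\s+\.\s+is infected!!$", re.IGNORECASE)


def parse_infected(log_text):
    """Unique paths flagged as infected, lower-cased, in first-seen order (comres.dll is listed twice)."""
    found = []
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            path = m.group("path").lower()
            if path not in found:
                found.append(path)
    return found


def relocate(win_path, root):
    """Map 'c:\\winnt\\system32\\x.dll' onto <root>/winnt/system32/x.dll (assumed layout for an offline copy)."""
    parts = win_path.split("\\")[1:]  # drop the drive letter
    return Path(root).joinpath(*parts)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(paths, root):
    """Per flagged path: 'missing', 'no dllcache copy', 'matches dllcache' or 'differs from dllcache'."""
    result = {}
    for p in paths:
        target = relocate(p, root)
        if not target.is_file():
            result[p] = "missing"
            continue
        # Windows File Protection keeps its reference copy next to the file in system32\dllcache.
        cache = target.parent / "dllcache" / target.name
        if not cache.is_file():
            result[p] = "no dllcache copy"
        elif sha256_file(target) == sha256_file(cache):
            result[p] = "matches dllcache"
        else:
            result[p] = "differs from dllcache"
    return result


def demo():
    """Constructed tree: qmgr.dll present and identical to its dllcache copy, comres.dll absent."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "winnt" / "system32"
        (sys32 / "dllcache").mkdir(parents=True)
        (sys32 / "qmgr.dll").write_bytes(b"constructed qmgr.dll contents")
        (sys32 / "dllcache" / "qmgr.dll").write_bytes(b"constructed qmgr.dll contents")
        return triage(parse_infected(SAMPLE_LOG), tmp)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{path}: {status}")
```

To run it against a real log, pass the log text to `parse_infected()` and the drive root (or a mounted image of it) to `triage()`; on the live machine the hashes should additionally be compared with a known-good copy from installation media, since a rootkit that can hide a file from ComboFix can also feed the same bytes to both reads.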

I was browsing early last week when the Dell froze with a blue screen. After rebooting, I lost my DSL. The DSL network icon is gone. The modem icons are present, but modified and nonfunctional. The modem and nics are gone from Device Manager. These are some of the symptoms (ie. disabling of device drivers and disappearance of the icons) I had before, but everything came back after some fiddling around this time unlike before. I haven't had any problems since the icons came back.


When the Dell was definitely infected, there was no blue screen crash preceding the disappearance of the icons.


I'm having trouble reinstalling XP (as an additional boot OS) on Dell's d: hard drive while running 2k on 3 attempts. After I accepted "download updated install files", I got the message "Cannot Complete the Windows XP Setup Wizard". However, I had been able to reinstall win 2k on Dell's c: drive after flashing the bios, fixing the boot sector, fdisking, and high formatting.

Reinstalling and/or repairing 2K and XP repeatedly aborted on 2 computers at various points when the virus(es) infected my boot sectors and my bioses.

I'm now trying to install XP using a 98 boot floppy and running winnt.exe to see whether I can bypass the problem.


  • Staff
I was browsing early last week when the Dell froze with a blue screen. After rebooting, I lost my DSL. The DSL network icon is gone. The modem icons are present, but modified and nonfunctional. The modem and nics are gone from Device Manager. These are some of the symptoms (ie. disabling of device drivers and disappearance of the icons) I had before, but everything came back after some fiddling around this time unlike before. I haven't had any problems since the icons came back.
That worked the first time.

Do you think that Dell is still infected? Thanks.

No, I do not believe it is infected. The symptoms you describe much more strongly point to an issue with a failing hard drive than malware. I would recommend getting a new hard drive and starting from scratch.

(ie. disabling of device drivers and disappearance of the icons) I had before, but everything came back after some fiddling around this time unlike before. I haven't had any problems since the icons came back.
And this points to more hardware failure; if not the hard drive, then some other piece of hardware. How old is this computer?

The Dell's motherboard, case, and power supply are 7-8 years old, but I swap the hard disks and other components in and out of various computers.

It seems strange that these symptoms started on the same day on 2 computers when viruses were definitely detected. Also, my DSL access was eventually disabled (one of the symptoms) on a third computer (the Asus), which was restored by System Restore.

One of my floppies is still infected with the boot virus that was detected on 2 computers. Avira identifies it as simply Boot.1 virus, but it's not in their database. Dr. Web reported for another computer: "A: Boot Sector" and status as "NYB". The reports on the symptoms and virulence of the "NYB" virus are inconsistent. The bios of a computer warned me of a boot virus. None of the numerous other antimalware solutions could detect anything. Is there any way I can submit the virus on the floppy? Perhaps I need to send the floppy itself.

Thanks.


  • Staff

Stop inserting the infected floppy.

...

Please download mbr.exe from here and save it to your Desktop, and click the downloaded file to run the scan (a window will open briefly, then close). The scan will create a mbr.log on your Desktop. Please copy and paste the contents of that log in your next reply.


I haven't inserted the infected floppy for several weeks. Should I toss it or send it to one of the many antimalware firms that couldn't detect it? The mbr scans for both the DELL and ASUS are below:

for the DELL:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

for the ASUS:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

Thanks.


For the 3rd computer, the mbr scan gave the same results as DELL and ASUS. The 3rd computer never had any of the symptoms that DELL and ASUS had.

Thanks.

Link to post
Share on other sites

  • Staff
I haven't inserted the infected floppy for several weeks. Should I toss it or send it to one of the many antimalware firms that couldn't detect it? The mbr scans for both the DELL and ASUS are below:
The floppy may be useful to our developers. I will ask and get back to you on that.

The Master Boot Records do not appear to be infected currently.

Again, the issue with your DSL/network appears to be a hardware issue. There really is not anything evident in your logs that would point to a malware issue being the cause. You stated that the DSL issues began at the same time as the infection. It may very well have been a coincidence that they occurred simultaneously. If you haven't already done so, try swapping out your network card with another to see if it's the issue. If not, then the port itself may be defective and would require attention by the manufacturer.

Edit: Actually use Internet Explorer and give the Microsoft Fix It Tool a try; it may be able to repair software damage related to your network issues:

http://fixitcenter.support.microsoft.com/Portal/

Link to post
Share on other sites


Actually, the DSL problem on DELL began immediately upon clicking on a link at Avira; I did this after the Avira rescue CD detected but could not remove the boot virus. The DSL and 3 modem icons also disappeared and could not be recreated. My DSL services on 2 other computers on the same network were knocked out soon afterward, but were restored (temporarily for 1 computer) with System Restore.

I did try swapping in 3 different network cards.

All 6 network cards that were affected, some repeatedly, are now fine.

Thanks.

Link to post
Share on other sites

My DSL services on 2 other computers on the same network were knocked out soon afterward, but were restored (temporarily for 1 computer) with System Restore.

The Avira rescue CD detected, but couldn't remove the same boot virus on the computer for which DSL service was temporarily restored with System Restore. Either high formatting or swapping in 2 other network cards also restored DSL service temporarily. BIOS flashing, MBR repair, fdisking, and high formatting were all needed to make DSL service restoration more than temporary for all 3 network cards and elimination of other symptoms.

The DSL service was restored with System Restore and running over 5 weeks without interruption on the Asus, which never had any other symptoms and the same boot virus was never detected.

Link to post
Share on other sites

First, I see the Ask Toolbar in your log.

I strongly recommend you remove Ask Toolbar from your computer because:

* It promotes its toolbars on sites targeted at kids.

* It promotes its toolbars through ads that appear to be part of other companies' sites.

* It promotes its toolbars through other companies' spyware.

* It is installed without any disclosure whatsoever and without any consent from the user whatsoever.

* It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

* It makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here

To remove it:

Click Start-->Control Panel-->Programs and Features

Click on the program name AskBarDis to highlight it

From the menu at the top, select Uninstall or Remove.

Please reboot the computer.

I reported earlier that nothing related to "Ask" was in my program list on Asus and therefore couldn't remove it. I believe it sneaked in with Foxit. The Ask.com toolbar is doing something once an hour, according to a Panda scan:

04/23/2010 11:12 TaskName: Scheduled Update for Ask Toolbar

04/23/2010 11:12 Next Run Time: 12:01:00, 4/23/2010

04/23/2010 11:12 Status:

04/23/2010 11:12 Last Run Time: 11:01:00, 4/23/2010

04/23/2010 11:12 Last Result: 0

04/23/2010 11:12 Creator: aida

04/23/2010 11:12 Schedule: Every 1 hour(s) from 1:01 AM for 24 hour(s) every day, starting 1/1/2008

04/23/2010 11:12 Task To Run: C:\Program Files\Ask.com\UpdateTask.exe

04/23/2010 11:12 Start In: N/A

04/23/2010 11:12 Comment: N/A

04/23/2010 11:12 Scheduled Task State: Enabled

04/23/2010 11:12 Scheduled Type: Hourly

04/23/2010 11:12 Start Time: 01:01:00

04/23/2010 11:12 Start Date: 1/1/2008

04/23/2010 11:12 End Date: N/A

04/23/2010 11:12 Days: Everyday

04/23/2010 11:12 Months: N/A

04/23/2010 11:12 Run As User: ADMIN\aida

04/23/2010 11:12 Delete Task If Not Rescheduled: Disabled

04/23/2010 11:12 Stop Task If Runs X Hours and X Mins: 72:0

04/23/2010 11:12 Repeat: Every: 1 Hour(s)

04/23/2010 11:12 Repeat: Until: Time: None

04/23/2010 11:12 Repeat: Until: Duration: 24 Hour(s): 0 Minute(s)

04/23/2010 11:12 Repeat: Stop If Still Running: Disabled

04/23/2010 11:12 Idle Time: Disabled

04/23/2010 11:12 Power Management: No Start On Batteries

Link to post
Share on other sites
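The Panda task dump above is the kind of listing worth triaging whenever a toolbar does not show up in Programs and Features: what keeps running is a scheduled task, not an entry in the installed-programs list. As an added example that is not part of the thread and not Panda's code, the Python below parses that listing format (a timestamp prefix, then "Field: value") into one record per TaskName and flags tasks that run a binary outside the Windows directory or fire every hour. The sample listing reuses the Ask Toolbar entry from the post plus a constructed benign defrag task; the trusted-path prefix and the two heuristics are assumptions for the demonstration, not a vendor rule set.

```python
"""Added example (not code from the thread or from Panda): parse a scheduled-task
listing like the one posted above and flag persistence-style tasks."""
import re

# Field names seen in the posted listing; longest first so "Repeat: Every" wins over "Repeat".
KNOWN_KEYS = sorted([
    "TaskName", "Next Run Time", "Status", "Last Run Time", "Last Result", "Creator",
    "Schedule", "Task To Run", "Start In", "Comment", "Scheduled Task State",
    "Scheduled Type", "Start Time", "Start Date", "End Date", "Days", "Months",
    "Run As User", "Delete Task If Not Rescheduled", "Stop Task If Runs X Hours and X Mins",
    "Repeat: Every", "Repeat: Until: Time", "Repeat: Until: Duration",
    "Repeat: Stop If Still Running", "Idle Time", "Power Management",
], key=len, reverse=True)
TIMESTAMP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} ")
TRUSTED_PREFIXES = ("c:\\windows\\",)  # assumption: only the Windows directory is trusted


def parse_task_listing(text):
    """Return {task name: {field: value}} from a 'MM/DD/YYYY HH:MM Field: value' listing."""
    tasks, current = {}, None
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip(), count=1)
        if not line:
            continue
        for key in KNOWN_KEYS:
            if line.startswith(key + ":"):
                value = line[len(key) + 1:].strip()
                break
        else:
            continue                     # not a recognised field
        if key == "TaskName":
            current = tasks.setdefault(value, {})   # a new record starts at each TaskName
        elif current is not None:
            current[key] = value
    return tasks


def triage(tasks, trusted_prefixes=TRUSTED_PREFIXES):
    """Return {task name: [reasons]} for tasks worth a closer look (heuristic, not a verdict)."""
    findings = {}
    for name, fields in tasks.items():
        reasons = []
        command = fields.get("Task To Run", "")
        if command and not command.lower().startswith(trusted_prefixes):
            reasons.append("runs a binary outside the Windows directory: " + command)
        every = re.match(r"(\d+)\s*hour", fields.get("Repeat: Every", ""), re.I)
        if fields.get("Scheduled Type", "").lower() == "hourly" or (every and int(every.group(1)) <= 1):
            reasons.append("fires every hour (beacon-like cadence)")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample: the Ask Toolbar task from the post plus a benign system task.
SAMPLE_LISTING = r"""
04/23/2010 11:12 TaskName: Scheduled Update for Ask Toolbar
04/23/2010 11:12 Next Run Time: 12:01:00, 4/23/2010
04/23/2010 11:12 Status:
04/23/2010 11:12 Last Run Time: 11:01:00, 4/23/2010
04/23/2010 11:12 Last Result: 0
04/23/2010 11:12 Creator: aida
04/23/2010 11:12 Schedule: Every 1 hour(s) from 1:01 AM for 24 hour(s) every day, starting 1/1/2008
04/23/2010 11:12 Task To Run: C:\Program Files\Ask.com\UpdateTask.exe
04/23/2010 11:12 Scheduled Task State: Enabled
04/23/2010 11:12 Scheduled Type: Hourly
04/23/2010 11:12 Run As User: ADMIN\aida
04/23/2010 11:12 Repeat: Every: 1 Hour(s)
04/23/2010 11:12 TaskName: Weekly Defrag
04/23/2010 11:12 Creator: SYSTEM
04/23/2010 11:12 Task To Run: C:\WINDOWS\system32\defrag.exe C:
04/23/2010 11:12 Scheduled Task State: Enabled
04/23/2010 11:12 Scheduled Type: Weekly
04/23/2010 11:12 Run As User: NT AUTHORITY\SYSTEM
"""

if __name__ == "__main__":
    for task, reasons in triage(parse_task_listing(SAMPLE_LISTING)).items():
        print(task + ":", "; ".join(reasons))
```

The parser matches field names rather than splitting on the first colon because values such as paths, times and "Repeat: Every" contain colons themselves. Once a task like this is identified, the task file under the Tasks folder and the executable it points to are what to remove or quarantine; deleting only the toolbar's browser add-on leaves the updater in place.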

  • Staff
Actually, the DSL problem on DELL began immediately upon clicking on a link at Avira; I did this after the Avira rescue CD detected but could not remove the boot virus. The DSL and 3 modem icons also disappeared and could not be recreated. My DSL services on 2 other computers on the same networked were knocked out soon afterward, but were restored (temporarily for 1 computer) with System Restore.

I did try swapping in 3 different network cards.

All 6 network cards that were affected, some repeatedly, are now fine.

Thanks.

Interesting that you mention the bolded part. Now I'm heavily leaning toward the idea of a false positive by Avira; not only that, but that their rescue CD damaged network components. That only seems unlikely because of the occurrence on your other computers, which points directly to an ISP issue.
All 6 network cards that were affected, some repeatedly, are now fine.
Then what issues remain?
Link to post
Share on other sites


I doubt that the boot virus was a false positive by Avira because Dr. Web detected a boot virus with status "NYB". Avira, Dr. Web and the BIOS of 2 computers warned of the same boot viruses on several floppies. I reformatted all but one of the infected floppies. Have you found out whether your developers want the remaining infected floppy yet?

If it was an ISP issue, I believe it should have affected all my computers at the same time and duration on the network; DSL access was never disabled on one computer.

Using the recently installed XP on the Dell, I scanned with Trend Micro's HouseCall. It detected and fixed a rootkit identified as "HIDDEN PROC" that is not in their database.

I'm using multiple scanners every day. I believe that all the infections are gone. Thanks.

Link to post
Share on other sites

  • Staff
I doubt that the boot virus was a false positive by Avira because Dr. Web detected a boot virus with status "NYB". Avira, Dr. Web and the BIOS of 2 computers warned of the same boot viruses on several floppies. I reformatted all but one of the infected floppies. Have you found out whether your developers want the remaining infected floppy yet?
Haven't heard back yet. I'll let you know as soon as I do.
I'm using multiple scanners every day. I believe that all the infections are gone. Thanks.
Is there anything else I can help you with?
Link to post
Share on other sites

  • 1 month later...
If I try to go to youtube.com on the Dell, Firefox goes to myfreevideos.info instead. However, the latter page cannot be loaded.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4170

Windows 5.0.2195 Service Pack 4

Internet Explorer 5.00.3700.1000

6/6/2010 1:54:41 AM

mbam-log-2010-06-06 (01-54-41).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|H:\|I:\|U:\|)

Objects scanned: 203894

Time elapsed: 4 hour(s), 19 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
