Phony Antivirus makes computer unusable


Sunday morning I was surfing the web and all of a sudden I got a message about an error with Java and then the computer just started going crazy. A screen popped up telling me I had infections and I need to purchase this antivirus software to be protected. I was unable to open any programs or do anything at all. I get messages saying "Windows Security Alert" and when I try to run a scan or do anything I get a message saying the program is infected. Then it tries to open several different websites in IE. I rebooted in safe mode and ran MalwareBytes. Found and removed two items. Rebooted in normal mode and problem was still there. Repeated twice with same results. Any help would be greatly appreciated.

Thanks


  • Staff

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Please do not run any other tool until instructed to do so!
  2. Please reply to this thread, do not start another!
  3. Please tell me about any problems that have occurred during the fix.
  4. Please tell me of any other symptoms you may be having as these can help also.
  5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

information and logs:

  • In your next post I need the following
    1. logs from DDS
    2. log from GMER
    3. let me know of any problems you may have had

Gringo


Had to do this in safe mode because when I tried in normal I got a message that said the program was infected and needed to be cleaned.

DDS.txt log

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL

Run by Nick at 13:38:16.34 on Tue 05/04/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.800 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Nick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [nmrxadbi] c:\documents and settings\nick\local settings\application data\unfhoyhav\ldodqqhtssd.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [nmrxadbi] c:\documents and settings\nick\local settings\application data\unfhoyhav\ldodqqhtssd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se\CameraMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se\CameraMonitor.exe

uPolicies-system: EnableProfileQuota = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: honda.com\www.in

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} - hxxp://powerkatalyst.jdpower.com/download/CfxIEAx.cab

DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276}

DPF: {297DE2B6-509A-4B36-93C5-A65276606900} - hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB

DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab

DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197083800656

DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://www.wfcportal.com/webconnect%205.6/web/windows/ptdownloader.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab

DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://www.samsphotoclub.com/upload/FujifilmUploadClient.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CB6B8C71-C228-11D3-BA80-00A024668F35} - hxxp://vaultview2.vaultview.com/vaultview2/xpage.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

LSA: Notification Packages = scecli c:\windows\system32\kuyahere.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nick\applic~1\mozilla\firefox\profiles\290yr2lv.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - about:blank

FF - component: c:\documents and settings\nick\application data\mozilla\firefox\profiles\290yr2lv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\documents and settings\nick\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\nick\local settings\application data\yahoo!\browserplus\2.7.0\plugins\npybrowserplus_2.7.0.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\


============= SERVICES / DRIVERS ===============

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-13 216200]

S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-13 29512]

S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-13 242896]

S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-16 308064]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]

S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2007-3-21 2560]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]

S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2008-4-29 15648]

=============== Created Last 30 ================

2010-05-04 16:31:45 0 ----a-w- c:\documents and settings\nick\defogger_reenable

2010-04-13 04:10:43 0 d-----w- c:\documents and settings\nick\dwhelper

==================== Find3M ====================

2010-04-25 12:44:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-16 20:33:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-16 20:32:10 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

2010-02-25 15:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll

2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe

2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll

2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys

2007-09-19 18:41:21 88 --sh--r- c:\windows\system32\1676647898.sys

2007-09-19 18:41:22 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys

2008-07-29 18:54:10 785 --sha-w- c:\windows\system32\mmf(10).sys

2008-07-28 22:00:08 785 --sha-w- c:\windows\system32\mmf(11).sys

2008-07-27 19:21:21 785 --sha-w- c:\windows\system32\mmf(12).sys

2008-07-27 17:18:36 785 --sha-w- c:\windows\system32\mmf(13).sys

2008-07-27 00:53:46 785 --sha-w- c:\windows\system32\mmf(14).sys

2008-07-25 18:54:55 785 --sha-w- c:\windows\system32\mmf(15).sys

2008-07-25 03:07:10 785 --sha-w- c:\windows\system32\mmf(16).sys

2008-07-25 02:50:54 785 --sha-w- c:\windows\system32\mmf(17).sys

2008-07-24 00:41:09 785 --sha-w- c:\windows\system32\mmf(18).sys

2008-07-23 19:45:18 785 --sha-w- c:\windows\system32\mmf(19).sys

2008-08-06 20:56:51 785 --sha-w- c:\windows\system32\mmf(2).sys

2008-07-21 23:10:35 785 --sha-w- c:\windows\system32\mmf(20).sys

2008-07-21 02:42:00 785 --sha-w- c:\windows\system32\mmf(21).sys

2008-07-20 03:51:56 785 --sha-w- c:\windows\system32\mmf(22).sys

2008-07-19 22:18:07 785 --sha-w- c:\windows\system32\mmf(23).sys

2008-07-19 20:41:37 785 --sha-w- c:\windows\system32\mmf(24).sys

2008-07-19 14:15:43 785 --sha-w- c:\windows\system32\mmf(25).sys

2008-07-19 03:40:35 785 --sha-w- c:\windows\system32\mmf(26).sys

2008-07-18 22:59:48 785 --sha-w- c:\windows\system32\mmf(27).sys

2008-07-17 18:12:24 785 --sha-w- c:\windows\system32\mmf(28).sys

2008-07-17 13:04:39 785 --sha-w- c:\windows\system32\mmf(29).sys

2008-08-06 02:12:15 785 --sha-w- c:\windows\system32\mmf(3).sys

2008-07-17 03:32:02 785 --sha-w- c:\windows\system32\mmf(30).sys

2008-07-17 01:32:11 785 --sha-w- c:\windows\system32\mmf(31).sys

2008-07-16 01:59:27 785 --sha-w- c:\windows\system32\mmf(32).sys

2008-07-15 12:48:37 785 --sha-w- c:\windows\system32\mmf(33).sys

2008-07-15 01:53:40 785 --sha-w- c:\windows\system32\mmf(34).sys

2008-07-13 21:29:13 785 --sha-w- c:\windows\system32\mmf(35).sys

2008-08-03 22:48:38 785 --sha-w- c:\windows\system32\mmf(4).sys

2008-08-03 21:21:07 785 --sha-w- c:\windows\system32\mmf(5).sys

2008-08-01 20:20:48 785 --sha-w- c:\windows\system32\mmf(6).sys

2008-08-01 19:22:38 785 --sha-w- c:\windows\system32\mmf(7).sys

2008-07-31 14:24:30 785 --sha-w- c:\windows\system32\mmf(8).sys

2008-07-29 22:52:10 785 --sha-w- c:\windows\system32\mmf(9).sys

2008-09-27 21:42:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092720080928\index.dat

============= FINISH: 13:39:22.53 ===============

Attach.txt log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 9/20/2006 3:00:20 PM

System Uptime: 5/4/2010 1:32:38 PM (0 hours ago)

Motherboard: Dell Inc. | | 0KD882

Processor: Intel® Core2 CPU T7200 @ 2.00GHz | Microprocessor | 1995/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 51 GiB total, 3.046 GiB free.

D: is FIXED (NTFS) - 17 GiB total, 6.829 GiB free.

E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP321: 9/10/2009 9:34:40 PM - Removed TMASOEDL

RP322: 9/10/2009 9:34:50 PM - Removed TMASOLDL

RP323: 9/10/2009 9:34:59 PM - Removed Trend Micro PC-cillin Internet Security 2007

RP324: 9/10/2009 10:00:15 PM - Installed Trend Micro Internet Security

RP325: 10/16/2009 4:33:57 PM - Software Distribution Service 3.0

RP326: 10/18/2009 12:05:08 AM - Removed Full Tilt Poker

RP327: 10/22/2009 4:35:23 PM - Software Distribution Service 3.0

RP328: 11/5/2009 4:00:19 AM - Software Distribution Service 3.0

RP329: 11/12/2009 10:13:53 PM - Software Distribution Service 3.0

RP330: 11/14/2009 12:30:27 AM - Software Distribution Service 3.0

RP331: 11/19/2009 12:45:33 PM - Installed Advanced Analyzer

RP332: 11/26/2009 3:00:28 AM - Software Distribution Service 3.0

RP333: 12/9/2009 12:42:39 AM - Removed Advanced Analyzer

RP334: 12/9/2009 12:48:14 AM - Software Distribution Service 3.0

RP335: 12/13/2009 1:39:51 PM - Removed Trend Micro Internet Security

RP336: 12/13/2009 1:44:12 PM - Removed Baseball Mogul 2008

RP337: 12/13/2009 9:15:59 PM - Installed AVG Free 9.0

RP338: 12/18/2009 7:34:18 PM - Avg8 Update

RP339: 12/23/2009 3:01:23 PM - Avg8 Update

RP340: 1/2/2010 2:57:38 PM - Avg8 Update

RP341: 1/12/2010 9:44:39 PM - Installed TurboTax 2009 wrapper

RP342: 1/12/2010 9:46:11 PM - Installed TurboTax 2009 WinPerReleaseEngine

RP343: 1/12/2010 9:48:36 PM - Installed TurboTax 2009 WinPerFedFormset

RP344: 1/12/2010 9:50:19 PM - Installed TurboTax 2009 WinPerTaxSupport

RP345: 1/13/2010 12:37:15 AM - Software Distribution Service 3.0

RP346: 1/17/2010 1:44:34 PM - Installed TurboTax 2009 wohiper

RP347: 1/18/2010 8:40:38 PM - Avg8 Update

RP348: 1/22/2010 12:39:51 AM - Software Distribution Service 3.0

RP349: 1/29/2010 1:35:01 PM - Avg8 Update

RP350: 1/31/2010 7:56:51 PM - Installed Adobe Reader 9.3.

RP351: 2/10/2010 11:40:21 PM - Software Distribution Service 3.0

RP352: 2/24/2010 12:31:36 AM - Software Distribution Service 3.0

RP353: 3/9/2010 12:32:28 AM - Software Distribution Service 3.0

RP354: 3/9/2010 10:57:41 PM - Installed Opera 10.50.

RP355: 3/11/2010 3:00:36 AM - Software Distribution Service 3.0

RP356: 3/15/2010 4:39:42 PM - Removed Opera 10.50.

RP357: 3/16/2010 4:29:13 PM - Avg8 Update

RP358: 3/16/2010 4:34:07 PM - Avg Update

RP359: 3/30/2010 4:22:02 PM - Software Distribution Service 3.0

RP360: 4/1/2010 2:21:49 PM - Avg Update

RP361: 4/1/2010 2:23:55 PM - Avg Update

RP362: 4/8/2010 10:20:28 AM - Avg Update

RP363: 4/13/2010 4:45:18 PM - Software Distribution Service 3.0

RP364: 4/25/2010 8:43:18 AM - Avg Update

RP365: 4/25/2010 8:44:21 AM - Avg Update

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.1.1

Adobe Reader 9.3.2

Adobe SVG Viewer 3.0

Andrea VoiceCenter

AnswerWorks 4.0 Runtime - English

AnswerWorks 5.0 English Runtime

AOLIcon

Apple Mobile Device Support

Apple Software Update

AVG Free 9.0

Bodog Poker

Bonjour

Broadcom Management Programs

BurnAware Free 2.4.2

Canon Camera Access Library

Canon Camera Support Core Library

Canon RAW Image Task for ZoomBrowser EX

Canon Utilities CameraWindow

Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX

Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX

Canon Utilities EOS Utility

Canon Utilities MyCamera

Canon Utilities RemoteCapture Task for ZoomBrowser EX

Canon Utilities ZoomBrowser EX

Canon ZoomBrowser EX Memory Card Utility

CLSetup for Tiger Woods PGA Tour 07

Compatibility Pack for the 2007 Office system

Conexant HDA D110 MDC V.92 Modem

Creative MediaSource 5

Critical Update for Windows Media Player 11 (KB959772)

CutePDF Writer 2.7

Dell Digital Jukebox Driver

Dell Games

Dell System Restore

Dell Wireless WLAN Card

DellConnect

DellSupport

Digital Content Portal

Digital Line Detect

Documentation & Support Launcher

Drive Manager

DVD Shrink 3.2

DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.2.2

EducateU

ELIcon

ESPNMotion

FLV Player 2.0 (build 25)

Games, Music, & Photos Launcher

GemMaster Mystic

Glary Utilities 2.21.0.863

Google Toolbar for Internet Explorer

Google Update Helper

GPL MPEG-1/2 DirectShow Decoder Filter

Hotfix 2050 for SQL Server 2000 ENU (KB948110)

Hotfix 2055 for SQL Server 2000 ENU (KB960082)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

ImageMixer 3 SE

ImagXpress

Intel® Graphics Media Accelerator Driver

InterVideo DeviceService

iTunes

Java 6 Update 13

Learn2 Player (Uninstall Only)

Lexmark X1100 Series

LightScribe 1.4.124.1

LiveUpdate 2.6 (Symantec Corporation)

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.0 Hotfix (KB953295)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Money 2007

Microsoft Money Shared Libraries

Microsoft National Language Support Downlevel APIs

Microsoft Office Outlook 2003 with Business Contact Manager Update

Microsoft Office Professional Edition 2003

Microsoft Office Small Business Edition 2003

Microsoft Plus! Digital Media Edition Installer

Microsoft Plus! Photo Story 2 LE

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

Microsoft XML Parser

Modem Helper

Move Media Player

Mozilla Firefox (3.6.3)

MSN Money Investment Toolbox

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB925673)

neroxml

NetWaiting

Options 360

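As an added triage example (not code from the thread, from DDS or from Malwarebytes), the script below applies three defender-side checks to DDS-style "Pseudo HJT Report" lines like the ones in the log above: an Internet Explorer proxy pointed at the local host, Run entries launching from a user-profile data directory, and LSA Notification Packages listing anything besides scecli. The sample lines are constructed from the posted log; the function and tag names are my own, and the Vista+ profile paths are added as a generalization.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not code from DDS, Malwarebytes or the
poster. Three defender-side heuristics, each matching something visible in
the log above:
  * an Internet Explorer proxy pointing at the local host (the rogue relays
    or blocks the browser's traffic through itself),
  * Run entries whose target lives under a user-profile data directory,
  * LSA Notification Packages that list anything besides 'scecli'.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a few lines copied from the DDS.txt log posted above,
# plus benign entries to show that they are not flagged.
SAMPLE_HJT = r"""
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [nmrxadbi] c:\documents and settings\nick\local settings\application data\unfhoyhav\ldodqqhtssd.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [nmrxadbi] c:\documents and settings\nick\local settings\application data\unfhoyhav\ldodqqhtssd.exe
LSA: Notification Packages = scecli c:\windows\system32\kuyahere.dll
"""


@dataclass
class Finding:
    kind: str   # tag of the heuristic that fired (tag names are my own)
    line: str   # the offending DDS line, verbatim


_PROXY_RE = re.compile(r'^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$', re.I)
_RUN_RE = re.compile(r'^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$', re.I)
_LSA_RE = re.compile(r'^LSA:\s*Notification Packages\s*=\s*(?P<pkgs>.+)$', re.I)

# Profile locations where legitimate autostart binaries rarely live but
# droppers commonly do: the XP-era paths from the log plus Vista+ equivalents.
_PROFILE_DATA_DIRS = (
    '\\local settings\\application data\\',
    '\\local settings\\temp\\',
    '\\application data\\',
    '\\appdata\\local\\',
    '\\appdata\\roaming\\',
)


def _is_local_proxy(value: str) -> bool:
    """True if any proxy host in a ProxyServer value is the local machine.

    The registry value is either 'host:port' or a ';'-separated list of
    'protocol=host:port' entries, exactly as DDS prints it.
    """
    for entry in value.split(';'):
        entry = entry.strip()
        if '=' in entry:                      # per-protocol form
            entry = entry.split('=', 1)[1]
        host = entry.rsplit(':', 1)[0] if ':' in entry else entry
        if host.lower() in ('127.0.0.1', 'localhost'):
            return True
    return False


def _run_target(cmd: str) -> str:
    """Extract the executable path from a Run value, dropping trailing switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' /', 1)[0]


def triage_hjt(text: str) -> List[Finding]:
    """Return one Finding per DDS line that trips a heuristic, in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PROXY_RE.match(line)
        if m:
            if _is_local_proxy(m.group('value')):
                findings.append(Finding('local-proxy', line))
            continue
        m = _RUN_RE.match(line)
        if m:
            target = _run_target(m.group('cmd')).lower()
            if any(d in target for d in _PROFILE_DATA_DIRS):
                findings.append(Finding('run-from-profile', line))
            continue
        m = _LSA_RE.match(line)
        if m:
            extra = [p for p in m.group('pkgs').split() if p.lower() != 'scecli']
            if extra:
                findings.append(Finding('lsa-notification-package', line))
    return findings


if __name__ == '__main__':
    for f in triage_hjt(SAMPLE_HJT):
        print(f'{f.kind:26} {f.line}')
```

Run against the constructed sample it reports the proxy line, both nmrxadbi Run entries and the LSA line, and nothing for ctfmon.exe or the AVG tray entry.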

  • Staff

Good afternoon echoboy

Try to run combofix in normal mode, if you get a popup that says it is infected just ignore it and leave the message open don't touch it.

Run Combofix:

  • Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once installed, you should see a blue screen prompt that says: "The Recovery Console was successfully installed."

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the report in your next post:

C:\ComboFix.txt

"information and logs"

  • In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I tried to run Combofix 5 times in normal mode. Every time, it got so far as filling up a blue progress bar before it would suddenly shut down and a message would pop up saying a file (such as swreg.exe) was infected. I waited to see if anything else would happen and I just got the same "Antivirus software alert" messages about Win32/Nuqel.E or Bankerfox.A. What else can I do?

Thanks


  • Staff

Hello

If you have an active internet connection, copy/paste the links below into your browser, don't click them or the rogue might redirect. If you don't have an active internet connection, download the tools from another machine, and transfer them to the affected machine via USB flash drive.

There are 4 different versions. If one of them won't run then download and try to run the other one. You only need to get one of them to run, not all of them.

Vista and Win7 users need to right click and choose Run as Admin

http://download.bleepingcomputer.com/grinler/rkill.exe

http://download.bleepingcomputer.com/grinler/rkill.com

http://download.bleepingcomputer.com/grinler/rkill.scr

http://download.bleepingcomputer.com/grinler/rkill.pif

Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run rkill repeatedly until it's able to do its job. This may take a few tries. You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

At this point, you should now be able to run combofix.

Once the tool has run, do NOT reboot the machine, and then try once again to run combofix

If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.

gringo


Ran rkill and it stopped the popups which enabled me to run combofix. Here is the log from rkill:

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Nick on 05/05/2010 at 9:07:48.

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Nick\Local Settings\Application Data\unfhoyhav\ldodqqhtssd.exe

C:\Documents and Settings\Nick\Local Settings\Application Data\unfhoyhav\ldodqqhtssd.exe

C:\Documents and Settings\Nick\Desktop\rkill.com

C:\WINDOWS\system32\imapi.exe

Rkill completed on 05/05/2010 at 9:07:53.

Here is the combofix log:

ComboFix 10-05-04.04 - Nick 05/05/2010 9:31.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.500 [GMT -4:00]

Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\Nick\Application Data\inst.exe

c:\documents and settings\Nick\Local Settings\Application Data\unfhoyhav\ldodqqhtssd.exe

c:\windows\inform.dat

-- Previous Run --

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

--------

.

((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))

.

2010-05-05 13:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2010-05-05 13:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2010-05-04 03:35 . 2010-05-04 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-05-04 03:33 . 2010-05-04 03:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-04-28 03:03 . 2010-03-26 14:33 1496064 ----a-w- c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-04-28 03:03 . 2010-03-26 14:33 43008 ----a-w- c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-04-28 03:03 . 2010-03-26 14:33 339456 ----a-w- c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-04-28 03:03 . 2010-03-26 14:32 346112 ----a-w- c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2010-04-25 12:44 . 2010-04-25 12:44 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-04-25 12:43 . 2010-04-25 12:43 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-13 04:10 . 2010-04-13 04:16 -------- d-----w- c:\documents and settings\Nick\dwhelper

2010-04-08 14:20 . 2010-04-08 14:20 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-05 13:27 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf.sys

2010-05-04 04:30 . 2008-10-31 04:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-04 04:10 . 2007-05-30 16:27 -------- d-----w- c:\documents and settings\Nick\Application Data\U3

2010-04-25 12:44 . 2009-12-14 02:16 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-02 17:25 . 2009-01-01 16:08 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-30 20:16 . 2010-03-30 20:16 -------- d-----w- c:\program files\FLV Player

2010-03-30 04:46 . 2008-10-31 04:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2008-10-31 04:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-26 16:26 . 2008-11-01 13:39 -------- d-----w- c:\program files\Glary Utilities

2010-03-16 21:04 . 2010-01-13 05:44 174976 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-03-16 20:33 . 2010-03-16 20:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-16 20:33 . 2009-12-14 02:16 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-16 20:32 . 2009-12-14 02:16 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-15 20:39 . 2010-03-10 03:57 -------- d-----w- c:\program files\Opera

2010-03-10 06:15 . 2005-08-16 09:18 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2005-08-16 09:18 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2005-08-16 09:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-04 03:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2005-08-16 09:18 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2005-08-16 09:18 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2007-09-19 18:41 . 2006-10-07 16:22 88 --sh--r- c:\windows\system32\1676647898.sys

2007-09-19 18:41 . 2006-10-07 16:22 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys

2008-07-29 18:54 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(10).sys

2008-07-28 22:00 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(11).sys

2008-07-27 19:21 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(12).sys

2008-07-27 17:18 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(13).sys

2008-07-27 00:53 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(14).sys

2008-07-25 18:54 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(15).sys

2008-07-25 03:07 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(16).sys

2008-07-25 02:50 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(17).sys

2008-07-24 00:41 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(18).sys

2008-07-23 19:45 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(19).sys

2008-08-06 20:56 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(2).sys

2008-07-21 23:10 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(20).sys

2008-07-21 02:42 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(21).sys

2008-07-20 03:51 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(22).sys

2008-07-19 22:18 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(23).sys

2008-07-19 20:41 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(24).sys

2008-07-19 14:15 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(25).sys

2008-07-19 03:40 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(26).sys

2008-07-18 22:59 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(27).sys

2008-07-17 18:12 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(28).sys

2008-07-17 13:04 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(29).sys

2008-08-06 02:12 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(3).sys

2008-07-17 03:32 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(30).sys

2008-07-17 01:32 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(31).sys

2008-07-16 01:59 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(32).sys

2008-07-15 12:48 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(33).sys

2008-07-15 01:53 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(34).sys

2008-07-13 21:29 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(35).sys

2008-08-03 22:48 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(4).sys

2008-08-03 21:21 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(5).sys

2008-08-01 20:20 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(6).sys

2008-08-01 19:22 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(7).sys

2008-07-31 14:24 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(8).sys

2008-07-29 22:52 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(9).sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-06-22 1384448]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]

"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\Nick\Start Menu\Programs\Startup\

Shortcut to ComboFix.lnk - c:\documents and settings\Nick\Desktop\ComboFix.exe [2010-5-4 3946250]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2008-10-24 253952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-16 20:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]

backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]

backup=c:\windows\pss\ymetray.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoBoingo

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mySI

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]

2010-04-25 12:44 2064736 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]

2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-10-14 17:56 185784 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"CCALib8"=2 (0x2)

"Creative Labs Licensing Service"=2 (0x2)

"Creative Service for CDROM Access"=2 (0x2)

"IntuitUpdateService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Ericom Software\\PowerTerm WebConnect 5.6\\www.wfcportal.com\\PtRdp.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/13/2009 10:16 PM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/13/2009 10:16 PM 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 4:33 PM 308064]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:53 AM 135664]

S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [3/21/2007 2:44 PM 2560]

.

Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2008-11-01 17:03]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac6b528f7c66c.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 04:53]

2009-05-27 c:\windows\Tasks\User_Feed_Synchronization-{2A7EF67F-402C-4009-9D58-58E4805F48B9}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

Trusted Zone: honda.com\www.in

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {297DE2B6-509A-4B36-93C5-A65276606900} - hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB

DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://www.wfcportal.com/webconnect%205.6/web/windows/ptdownloader.cab

DPF: {CB6B8C71-C228-11D3-BA80-00A024668F35} - hxxp://vaultview2.vaultview.com/vaultview2/xpage.cab

FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - about:blank

FF - component: c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\documents and settings\Nick\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\Nick\Local Settings\Application Data\Yahoo!\BrowserPlus\2.7.0\Plugins\npybrowserplus_2.7.0.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-nmrxadbi - c:\documents and settings\Nick\Local Settings\Application Data\unfhoyhav\ldodqqhtssd.exe

HKLM-Run-nmrxadbi - c:\documents and settings\Nick\Local Settings\Application Data\unfhoyhav\ldodqqhtssd.exe

MSConfigStartUp-PCPitstop Optimize Registration Reminder - c:\program files\PCPitstop\Optimize\Reminder.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-05 09:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]


[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2]


.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3632)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\IME\SPGRMR.DLL

c:\program files\Common Files\Microsoft Shared\INK\PENUSA.DLL

c:\windows\system32\webcheck.dll

.

Completion time: 2010-05-05 09:39:21

ComboFix-quarantined-files.txt 2010-05-05 13:39

Pre-Run: 3,278,409,728 bytes free

Post-Run: 3,221,245,952 bytes free

- - End Of File - - 88DD461527A628B3BDF146DB7D732D1A


  • Staff

Hello

How is the computer doing now?

uninstall some programs

  1. click on start
  2. then go to settings
  3. after that you need control panel
  4. look for the icon add/remove programs
  5. click on the following programs
     • Adobe Reader 8.1.1
     • Viewpoint Media Player
     and click on remove

Your Java is out of date.

It can be updated by the Java control panel.

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts
  • After the update is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
c:\windows\system32\mmf(10).sys
c:\windows\system32\mmf(11).sys
c:\windows\system32\mmf(12).sys
c:\windows\system32\mmf(13).sys
c:\windows\system32\mmf(14).sys
c:\windows\system32\mmf(15).sys
c:\windows\system32\mmf(16).sys
c:\windows\system32\mmf(17).sys
c:\windows\system32\mmf(18).sys
c:\windows\system32\mmf(19).sys
c:\windows\system32\mmf(2).sys
c:\windows\system32\mmf(20).sys
c:\windows\system32\mmf(21).sys
c:\windows\system32\mmf(22).sys
c:\windows\system32\mmf(23).sys
c:\windows\system32\mmf(24).sys
c:\windows\system32\mmf(25).sys
c:\windows\system32\mmf(26).sys
c:\windows\system32\mmf(27).sys
c:\windows\system32\mmf(28).sys
c:\windows\system32\mmf(29).sys
c:\windows\system32\mmf(3).sys
c:\windows\system32\mmf(30).sys
c:\windows\system32\mmf(31).sys
c:\windows\system32\mmf(32).sys
c:\windows\system32\mmf(33).sys
c:\windows\system32\mmf(34).sys
c:\windows\system32\mmf(35).sys
c:\windows\system32\mmf(4).sys
c:\windows\system32\mmf(5).sys
c:\windows\system32\mmf(6).sys
c:\windows\system32\mmf(7).sys
c:\windows\system32\mmf(8).sys

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
Trusted Zone: honda.com\www.in
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

CFScriptB-4.gif

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

NOTE**

  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

"information and logs"

  • In your next post I need the following
  1. report from combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now?

Gringo

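A triage script in the spirit of the CFScript step above, added here as an example and not the forum's or ComboFix's own tooling: it reads lines in the ComboFix log format, flags the hidden numbered mmf(N).sys copies, the loopback proxy setting and the Trusted Zone entries that the CFScript targets, reports any autorun running from a user's Application Data (where the rogue in this thread lived), and drafts the File::/DDS:: script. The regexes, the 8-character attribute-string layout and the sample log lines are my assumptions, constructed from the log shapes shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ComboFix log above (not a real log).
SAMPLE_LOG = r"""
2010-05-05 13:27 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf.sys
2010-03-10 06:15 . 2005-08-16 09:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-07-29 18:54 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(10).sys
2008-07-28 22:00 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(11).sys
2008-07-27 19:21 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(12).sys
2010-03-30 20:16 . 2010-03-30 20:16 -------- d-----w- c:\program files\FLV Player
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
Trusted Zone: turbotax.com
HKCU-Run-nmrxadbi - c:\documents and settings\Nick\Local Settings\Application Data\unfhoyhav\ldodqqhtssd.exe
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"""

# "<created> . <modified> <size> <attrs> <path>", as in the Find3M section (assumed layout).
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>[a-z]:\\.+)$", re.I)
# Windows-style numbered copy: name(N).ext
NUMBERED_RE = re.compile(r"^(?P<base>.+?)\((?P<n>\d+)\)(?P<ext>\.[^.]+)$")
# ProxyServer pointing back at the machine itself; the rogue here used
# 127.0.0.1:5555 to sit between the browser and the network.
LOOPBACK_PROXY_RE = re.compile(
    r"^uInternet Settings,ProxyServer = .*?(127\.0\.0\.1|localhost)\b", re.I)
# Orphan-style ("HKCU-Run-x - path") and Run-key-style ('"x"="path" [...]') autoruns.
AUTORUN_RE = re.compile(
    r'^(?:HK(?:CU|LM)-Run-\S+ - |"[^"]+"=")(?P<path>[a-z]:\\.+?\.exe)', re.I)


def parse_file_entries(lines):
    """Yield (attrs, path) for every file-listing line."""
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            yield m.group("attrs"), m.group("path")


def find_numbered_copies(lines, min_copies=2):
    """Paths of hidden numbered copies (mmf(10).sys, mmf(11).sys, ...) that occur
    at least min_copies times for one base name in one directory.
    Assumption: index 3 of the 8-char attribute string is the hidden ('h') flag."""
    groups = defaultdict(list)
    for attrs, path in parse_file_entries(lines):
        folder, _, name = path.rpartition("\\")
        m = NUMBERED_RE.match(name)
        if m and attrs[3] == "h":
            key = (folder.lower(), m.group("base").lower(), m.group("ext").lower())
            groups[key].append(path)
    return [p for paths in groups.values() if len(paths) >= min_copies for p in paths]


def find_dds_lines(lines):
    """DDS-style lines worth resetting: every ProxyServer/ProxyOverride line when
    the proxy points at loopback, plus every Trusted Zone addition."""
    loopback = any(LOOPBACK_PROXY_RE.match(l) for l in lines)
    out = []
    for line in lines:
        if loopback and line.startswith("uInternet Settings,Proxy"):
            out.append(line)
        elif line.startswith("Trusted Zone: "):
            out.append(line)
    return out


def find_userdata_autoruns(lines):
    """Autorun targets living under a user profile's Application Data; a heuristic
    for review, not proof of infection (some legitimate updaters live there too)."""
    out = []
    for line in lines:
        m = AUTORUN_RE.match(line)
        if not m:
            continue
        low = m.group("path").lower()
        if "\\documents and settings\\" in low and "\\application data\\" in low:
            out.append(m.group("path"))
    return out


def triage(log_text):
    """Run all three checks over a log and return their findings in log order."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    return {"files": find_numbered_copies(lines),
            "dds": find_dds_lines(lines),
            "autoruns": find_userdata_autoruns(lines)}


def build_cfscript(findings):
    """Draft the File:: / DDS:: CFScript text in the format used in the thread."""
    sections = []
    if findings["files"]:
        sections.append("File::\n" + "\n".join(findings["files"]))
    if findings["dds"]:
        sections.append("DDS::\n" + "\n".join(findings["dds"]))
    return "\n\n".join(sections) + "\n" if sections else ""


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path in result["autoruns"]:
        print("review autorun:", path)
    print(build_cfscript(result))
```

The autorun findings are printed for review rather than written into the script, since ComboFix had already removed those orphans in the log above.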

No problems right now, other than the fonts on icons and in programs are very small. Everything else seems to be fine. No problems running Combofix.

Combofix log:

ComboFix 10-05-05.04 - Nick 05/05/2010 16:36:40.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.236 [GMT -4:00]

Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Nick\Desktop\cfscript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\windows\system32\mmf(10).sys"

"c:\windows\system32\mmf(11).sys"

"c:\windows\system32\mmf(12).sys"

"c:\windows\system32\mmf(13).sys"

"c:\windows\system32\mmf(14).sys"

"c:\windows\system32\mmf(15).sys"

"c:\windows\system32\mmf(16).sys"

"c:\windows\system32\mmf(17).sys"

"c:\windows\system32\mmf(18).sys"

"c:\windows\system32\mmf(19).sys"

"c:\windows\system32\mmf(2).sys"

"c:\windows\system32\mmf(20).sys"

"c:\windows\system32\mmf(21).sys"

"c:\windows\system32\mmf(22).sys"

"c:\windows\system32\mmf(23).sys"

"c:\windows\system32\mmf(24).sys"

"c:\windows\system32\mmf(25).sys"

"c:\windows\system32\mmf(26).sys"

"c:\windows\system32\mmf(27).sys"

"c:\windows\system32\mmf(28).sys"

"c:\windows\system32\mmf(29).sys"

"c:\windows\system32\mmf(3).sys"

"c:\windows\system32\mmf(30).sys"

"c:\windows\system32\mmf(31).sys"

"c:\windows\system32\mmf(32).sys"

"c:\windows\system32\mmf(33).sys"

"c:\windows\system32\mmf(34).sys"

"c:\windows\system32\mmf(35).sys"

"c:\windows\system32\mmf(4).sys"

"c:\windows\system32\mmf(5).sys"

"c:\windows\system32\mmf(6).sys"

"c:\windows\system32\mmf(7).sys"

"c:\windows\system32\mmf(8).sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\mmf(10).sys

c:\windows\system32\mmf(11).sys

c:\windows\system32\mmf(12).sys

c:\windows\system32\mmf(13).sys

c:\windows\system32\mmf(14).sys

c:\windows\system32\mmf(15).sys

c:\windows\system32\mmf(16).sys

c:\windows\system32\mmf(17).sys

c:\windows\system32\mmf(18).sys

c:\windows\system32\mmf(19).sys

c:\windows\system32\mmf(2).sys

c:\windows\system32\mmf(20).sys

c:\windows\system32\mmf(21).sys

c:\windows\system32\mmf(22).sys

c:\windows\system32\mmf(23).sys

c:\windows\system32\mmf(24).sys

c:\windows\system32\mmf(25).sys

c:\windows\system32\mmf(26).sys

c:\windows\system32\mmf(27).sys

c:\windows\system32\mmf(28).sys

c:\windows\system32\mmf(29).sys

c:\windows\system32\mmf(3).sys

c:\windows\system32\mmf(30).sys

c:\windows\system32\mmf(31).sys

c:\windows\system32\mmf(32).sys

c:\windows\system32\mmf(33).sys

c:\windows\system32\mmf(34).sys

c:\windows\system32\mmf(35).sys

c:\windows\system32\mmf(4).sys

c:\windows\system32\mmf(5).sys

c:\windows\system32\mmf(6).sys

c:\windows\system32\mmf(7).sys

c:\windows\system32\mmf(8).sys

.

((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))

.

2010-05-05 20:20 . 2010-05-05 20:20 -------- d-----w- c:\program files\Common Files\Java

2010-05-05 20:20 . 2010-05-05 20:20 503808 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-684f7790-n\msvcp71.dll

2010-05-05 20:20 . 2010-05-05 20:20 499712 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-684f7790-n\jmc.dll

2010-05-05 20:20 . 2010-05-05 20:20 348160 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-684f7790-n\msvcr71.dll

2010-05-05 20:20 . 2010-05-05 20:20 61440 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1888399d-n\decora-sse.dll

2010-05-05 20:20 . 2010-05-05 20:20 12800 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1888399d-n\decora-d3d.dll

2010-05-05 20:19 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-05 14:30 . 2010-05-05 17:18 -------- d-----w- c:\windows\LastGood

2010-05-05 13:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2010-05-05 13:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2010-05-04 03:35 . 2010-05-04 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-05-04 03:33 . 2010-05-04 03:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-04-28 03:03 . 2010-03-26 14:33 1496064 ----a-w- c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-04-28 03:03 . 2010-03-26 14:33 43008 ----a-w- c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-04-28 03:03 . 2010-03-26 14:33 339456 ----a-w- c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-04-28 03:03 . 2010-03-26 14:32 346112 ----a-w- c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2010-04-25 12:44 . 2010-04-25 12:44 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-04-25 12:43 . 2010-04-25 12:43 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-13 04:10 . 2010-04-13 04:16 -------- d-----w- c:\documents and settings\Nick\dwhelper

2010-04-08 14:20 . 2010-04-08 14:20 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-05 20:19 . 2006-09-13 19:58 -------- d-----w- c:\program files\Java

2010-05-05 20:11 . 2006-09-13 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-05-05 13:27 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf.sys

2010-05-04 04:30 . 2008-10-31 04:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-04 04:10 . 2007-05-30 16:27 -------- d-----w- c:\documents and settings\Nick\Application Data\U3

2010-04-25 12:44 . 2009-12-14 02:16 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-02 17:25 . 2009-01-01 16:08 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-30 20:16 . 2010-03-30 20:16 -------- d-----w- c:\program files\FLV Player

2010-03-30 04:46 . 2008-10-31 04:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2008-10-31 04:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-26 16:26 . 2008-11-01 13:39 -------- d-----w- c:\program files\Glary Utilities

2010-03-16 21:04 . 2010-01-13 05:44 174976 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-03-16 20:33 . 2010-03-16 20:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-16 20:33 . 2009-12-14 02:16 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-16 20:32 . 2009-12-14 02:16 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-15 20:39 . 2010-03-10 03:57 -------- d-----w- c:\program files\Opera

2010-03-10 06:15 . 2005-08-16 09:18 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2005-08-16 09:18 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2005-08-16 09:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-04 03:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2005-08-16 09:18 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2005-08-16 09:18 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2007-09-19 18:41 . 2006-10-07 16:22 88 --sh--r- c:\windows\system32\1676647898.sys

2007-09-19 18:41 . 2006-10-07 16:22 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys

2008-07-29 22:52 . 2007-03-21 18:44 785 --sha-w- c:\windows\system32\mmf(9).sys

.

((((((((((((((((((((((((((((( SnapShot@2010-05-05_13.36.52 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-05-05 20:19 . 2010-05-05 20:19 16384 c:\windows\Temp\Perflib_Perfdata_1218.dat

+ 2010-05-05 20:19 . 2010-04-12 21:29 153376 c:\windows\system32\javaws.exe

+ 2010-05-05 20:19 . 2010-04-12 21:29 145184 c:\windows\system32\javaw.exe

+ 2010-05-05 20:19 . 2010-04-12 21:29 145184 c:\windows\system32\java.exe

+ 2010-05-05 20:20 . 2010-05-05 20:20 180224 c:\windows\Installer\178b436.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-06-22 1384448]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]

"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Nick\Start Menu\Programs\Startup\

Shortcut to ComboFix.lnk - c:\documents and settings\Nick\Desktop\ComboFix.exe [2010-5-4 3946853]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2008-10-24 253952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-16 20:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]

backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]

backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]

2010-04-25 12:44 2064736 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]

2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-10-14 17:56 185784 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"CCALib8"=2 (0x2)

"Creative Labs Licensing Service"=2 (0x2)

"Creative Service for CDROM Access"=2 (0x2)

"IntuitUpdateService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Ericom Software\\PowerTerm WebConnect 5.6\\www.wfcportal.com\\PtRdp.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/13/2009 10:16 PM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/13/2009 10:16 PM 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 4:33 PM 308064]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 12:53 AM 135664]

S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [3/21/2007 2:44 PM 2560]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

.

Contents of the 'Scheduled Tasks' folder

2010-05-05 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2008-11-01 17:03]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac6b528f7c66c.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 04:53]

2010-05-05 c:\windows\Tasks\User_Feed_Synchronization-{2A7EF67F-402C-4009-9D58-58E4805F48B9}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {297DE2B6-509A-4B36-93C5-A65276606900} - hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB

DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://www.wfcportal.com/webconnect%205.6/web/windows/ptdownloader.cab

DPF: {CB6B8C71-C228-11D3-BA80-00A024668F35} - hxxp://vaultview2.vaultview.com/vaultview2/xpage.cab

FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - about:blank

FF - component: c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\290yr2lv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\documents and settings\Nick\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\Nick\Local Settings\Application Data\Yahoo!\BrowserPlus\2.7.0\Plugins\npybrowserplus_2.7.0.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-05 16:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]


[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2]


.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)

c:\windows\System32\BCMLogon.dll

.

Completion time: 2010-05-05 16:44:02

ComboFix-quarantined-files.txt 2010-05-05 20:43

ComboFix2.txt 2010-05-05 13:49

ComboFix3.txt 2010-05-05 13:39

Pre-Run: 6,103,236,608 bytes free

Post-Run: 6,061,850,624 bytes free

- - End Of File - - 382A58DA52FCE3532C7EDA66125E5DC2


  • Staff

Hello

Things are looking pretty good, let's go check to see if there are any leftovers.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

:Kaspersky scan:

  • Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

:Information and logs:

  • In your next post I need the following
  1. Log From MBAM
  2. Log From Kaspersky
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo


No problems with computer at this point.

MBAM log

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/6/2010 10:59:03 PM

mbam-log-2010-05-06 (22-59-03).txt

Scan type: Quick scan

Objects scanned: 117001

Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Kaspersky log

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Friday, May 7, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Friday, May 07, 2010 00:26:07

Records in database: 4069116

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

Scan statistics:

Objects scanned: 85533

Threats found: 1

Infected objects found: 2

Suspicious objects found: 0

Scan duration: 02:18:09

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\Documents and Settings\Nick\Local Settings\Application Data\unfhoyhav\ldodqqhtssd.exe.vir Infected: Trojan.Win32.FraudPack.aunu 1

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP365\A0107862.exe Infected: Trojan.Win32.FraudPack.aunu 1

Selected area has been scanned.


  • Staff

Hello

Very well done!! This is my general post for when your logs show no more signs of malware :) Please let me know if you are still having problems with your computer and what these problems are.

Kaspersky is only reporting backups created during the course of this fix, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

:Uninstall ComboFix:

  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

:Make your Internet Explorer more secure:

  • please visit this page that gives instructions to do this: http://surfthenetsafely.com/ieseczone8.htm

:Turn On Automatic Updates:

  • Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended): Automatically download recommended updates for my computer and install them.
    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.
    or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

  • you have a couple of good antispyware programs on this computer, but you can still try some of these others to see if you like them also.
    I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
    • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.

please read this great article by miekiemoes How to prevent Malware:

and

this great article by Tony Klein So How Did I Get Infected In First Place

Now that you have followed my advice, it's time to lodge a complaint about what you have suffered.

Malware Complaints

If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free; however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Gringo

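The helper's triage above (hits under C:\Qoobox\Quarantine and C:\System Volume Information are inert copies, not running malware) written out as a small script over Kaspersky Online Scanner 7 report lines. This is an added example, not a tool from the thread or from Kaspersky; the first two sample lines are the ones posted above, the third is constructed to show what a hit outside those locations would look like.

```python
"""Triage Kaspersky Online Scanner 7.0 report lines by where the file sits.

A detection inside ComboFix's quarantine (files renamed *.vir) or inside the
System Restore cache cannot run on its own; only a hit elsewhere ("live")
needs action. Added example, not part of the original thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# One detection line of the report:  <path> Infected: <threat name> <count>
# The path may contain spaces, so the pattern anchors on the verdict keyword
# and the trailing integer count instead of on whitespace inside the path.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Locations where a hit is an inert copy rather than an active file.
INERT_LOCATIONS = (
    ("quarantine", re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.IGNORECASE)),      # ComboFix quarantine
    ("restore-point", re.compile(r"^[a-z]:\\system volume information\\", re.IGNORECASE)),  # System Restore cache
)


@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str    # "Infected" or "Suspicious"
    threat: str     # e.g. Trojan.Win32.FraudPack.aunu
    count: int
    location: str   # "quarantine", "restore-point" or "live"


def classify(path: str) -> str:
    """Return where a reported file sits: quarantine, restore-point or live."""
    for label, pattern in INERT_LOCATIONS:
        if pattern.match(path):
            return label
    return "live"


def parse_report(text: str) -> List[Detection]:
    """Extract detection lines; header, statistics and footer lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        found.append(Detection(
            path=m["path"], verdict=m["verdict"], threat=m["threat"],
            count=int(m["count"]), location=classify(m["path"]),
        ))
    return found


def triage(text: str) -> Dict[str, object]:
    """Summarise a report: per-location counts, live hits, and a clean/not-clean verdict."""
    detections = parse_report(text)
    live = [d for d in detections if d.location == "live"]
    return {
        "counts": dict(Counter(d.location for d in detections)),
        "live": live,
        "clean": not live,
    }


# Constructed sample: the first two lines are the ones posted in the thread,
# the third is made up here to show a hit outside quarantine/restore cache.
SAMPLE_REPORT = r"""
File name / Threat / Threats count

C:\Qoobox\Quarantine\C\Documents and Settings\Nick\Local Settings\Application Data\unfhoyhav\ldodqqhtssd.exe.vir Infected: Trojan.Win32.FraudPack.aunu 1

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP365\A0107862.exe Infected: Trojan.Win32.FraudPack.aunu 1

C:\Documents and Settings\Nick\Local Settings\Temp\constructed_example.exe Infected: Trojan.Win32.FraudPack.aunu 1

Selected area has been scanned.
"""


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("hits by location:", result["counts"])
    for d in result["live"]:
        print(f"ACTION NEEDED: {d.path} ({d.threat} x{d.count})")
    print("no live detections" if result["clean"] else "live malware reported")
```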

This topic is now closed to further replies.