
google redirect, ie won't work, clock keeps resetting to military time



Topic describes what is going on. Lots of issues. Can't seem to shake it all off. Only Firefox works; AOL/IE Explorer no longer connect to the internet. The clock, after being reset to normal time, will all of a sudden change to military time.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/26/2010 7:38:50 AM

mbam-log-2010-05-26 (07-38-50).txt

Scan type: Quick scan

Objects scanned: 138229

Time elapsed: 4 hour(s), 21 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-03-17.01) - NTFSx86

Run by Stephanie at 7:42:22.16 on Wed 05/26/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1330 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Common Files\AOL\1154786924\ee\AOLSoftware.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Location Finder\LocationFinder.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\StreamTorrent 1.0\StreamTorrent.exe

C:\Program Files\Common Files\AOL\1154786924\ee\aexplore.exe

C:\Documents and Settings\Stephanie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

mSearchAssistant = hxxp://www.google.com

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

uRun: [unHackMe Monitor] c:\program files\unhackme\hackmon.exe

mRun: [DXDllRegExe] dxdllreg.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [HostManager] c:\program files\common files\aol\1154786924\ee\AOLSoftware.exe

mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall

mRun: [iObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [QuickTime Task] "c:\program files\quicktime\QTTASK.EXE" -atboottime

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot

mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot

mRun: [spyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [vilupvqv] c:\documents and settings\stephanie\local settings\application data\guiaxjsbw\ylcfltvtssd.exe

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

uPolicies-system: EnableProfileQuota = 1 (0x1)

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {0e5f0222-96b9-11d3-8997-00104bd12d94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} - hxxp://www.winkflash.com/photo/loaders/SAXFile.cab

DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxp://disney.go.com/games/downloads/hardwarecontrol/DIGHardwareControl.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab

DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - hxxps://accounting.quickbooks.com/c1/v15.585/qboax9.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143830753165

DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c12/v16.607/qboax10.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} - hxxps://accounting.quickbooks.com/c1/v15.582/qboax8.cab

DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab

DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab

DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {d4003189-95b1-4a2f-9a87-f2b03665960d} - hxxp://www.vexcast.com/download/vexcast.cab

DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} - hxxp://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,37

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxdev.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stepha~1\applic~1\mozilla\firefox\profiles\ptrag0e3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/

FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\stephanie\application data\idm\bin\flash\platform\winnt\plugins\npidmdcp.dll

FF - plugin: c:\documents and settings\stephanie\application data\move networks\plugins\071802000001\npqmp071802000001.dll

FF - plugin: c:\documents and settings\stephanie\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\stephanie\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\stephanie\application data\mozilla\firefox\profiles\ptrag0e3.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: XUL Cache: {A96CB97C-6766-4FDE-A49A-6EA1936EFEE0} - c:\documents and settings\stephanie\local settings\application data\{A96CB97C-6766-4FDE-A49A-6EA1936EFEE0}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-18 64288]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-25 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-25 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-25 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-25 60936]

R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2010-3-24 323992]

S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-4-30 35816]

S1 59fd5f9f;59fd5f9f;c:\windows\system32\drivers\59fd5f9f.sys [2009-9-20 0]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-28 136176]

S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-4-25 311568]

S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-4-30 24416]

S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2010-4-25 85504]

=============== Created Last 30 ================

2010-05-26 11:40:23 0 ----a-w- c:\documents and settings\stephanie\defogger_reenable

2010-05-25 11:16:03 244 ---ha-w- C:\aaw7boot.cmd

2010-04-30 22:05:16 24416 ----a-w- c:\windows\system32\drivers\regguard.sys

2010-04-30 21:58:51 2 --shatr- c:\windows\winstart.bat

2010-04-30 21:58:46 37600 ----a-w- c:\windows\system32\Partizan.exe

2010-04-30 21:58:46 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys

2010-04-30 21:58:27 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys

2010-04-30 21:58:21 0 d-----w- c:\program files\UnHackMe

2010-04-28 01:16:44 0 d-----w- C:\sh4ldr

2010-04-28 01:16:44 0 d-----w- c:\program files\Enigma Software Group

2010-04-28 01:14:24 0 d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP

2010-04-28 01:14:21 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-04-28 00:47:40 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-27 23:31:07 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-04-27 23:31:07 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-04-27 23:31:07 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-04-27 23:31:07 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-04-27 23:31:07 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-04-27 23:30:56 0 d-----w- c:\program files\Trojan Remover

2010-04-27 23:30:56 0 d-----w- c:\docume~1\stepha~1\applic~1\Simply Super Software

2010-04-27 23:30:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

2010-04-27 03:02:38 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-04-27 02:52:01 0 d-----w- c:\docume~1\alluse~1\applic~1\avG

2010-04-27 02:50:07 0 d-----w- c:\program files\Hitman Pro 3.5

2010-04-27 02:50:01 0 d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-05-12 21:54:08 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-05-01 03:39:15 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2010-05-01 03:39:15 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys

2010-04-30 22:21:48 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-28 00:58:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-04-27 03:58:15 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-04-17 17:28:57 19838 ----a-w- c:\docume~1\stepha~1\applic~1\wklnhst.dat

2009-07-31 23:32:26 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009073120090801\index.dat

============= FINISH: 7:44:55.40 ===============

ark.zip

Attach.zip


Hi crazywheelz And

:D

Can't seem to shake it all off. Only Firefox works; AOL/IE Explorer no longer connect to the internet. The clock, after being reset to normal time, will all of a sudden change to military time.

Here's what we have. Your PC has a rootkit that has replaced your IDE driver file with malware.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------



ComboFix 10-05-28.08 - Stephanie 05/29/2010 12:30:57.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1460 [GMT -4:00]

Running from: c:\documents and settings\Stephanie\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\_000111_.tmp.dll

c:\windows\system32\bszip.dll

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected

Restored copy from - Kitty had a snack :D

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-29 )))))))))))))))))))))))))))))))

.

2010-05-29 16:40 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2010-05-29 16:40 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2010-05-25 11:16 . 2010-05-25 11:16 244 ---ha-w- C:\aaw7boot.cmd

2010-05-02 02:45 . 2010-05-16 14:28 -------- d-----w- c:\documents and settings\Stephanie\Local Settings\Application Data\guiaxjsbw

2010-04-30 22:05 . 2010-05-23 03:47 24416 ----a-w- c:\windows\system32\drivers\regguard.sys

2010-04-30 21:58 . 2010-04-30 21:58 2 --shatr- c:\windows\winstart.bat

2010-04-30 21:58 . 2010-03-23 21:34 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys

2010-04-30 21:58 . 2010-05-07 23:19 -------- d-----w- c:\program files\UnHackMe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-29 14:49 . 2009-09-25 00:17 1 ----a-w- c:\documents and settings\Stephanie\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-05-28 01:18 . 2006-01-19 23:42 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-26 00:05 . 2009-10-10 21:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-16 19:33 . 2010-03-29 01:21 -------- d-----w- c:\program files\Google

2010-05-15 14:14 . 2009-09-23 00:17 -------- d-----w- c:\program files\AceMoney

2010-05-12 21:54 . 2006-01-24 03:45 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-05-12 21:54 . 2006-01-24 03:45 56 --sh--r- c:\windows\system32\4A3D0C9573.sys

2010-05-01 03:39 . 2005-08-16 10:18 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2010-04-30 22:21 . 2010-04-26 01:14 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-04-29 19:39 . 2009-10-10 21:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-10-10 21:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-28 01:16 . 2010-04-28 01:16 110080 ----a-r- c:\documents and settings\Stephanie\Application Data\Microsoft\Installer\{61D3AAE1-D521-4CD7-939B-37813DE8F955}\IconF7A21AF7.exe

2010-04-28 01:16 . 2010-04-28 01:16 110080 ----a-r- c:\documents and settings\Stephanie\Application Data\Microsoft\Installer\{61D3AAE1-D521-4CD7-939B-37813DE8F955}\IconD7F16134.exe

2010-04-28 01:16 . 2010-04-28 01:16 -------- d-----w- c:\program files\Enigma Software Group

2010-04-28 01:14 . 2010-04-28 01:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-04-28 01:07 . 2010-04-27 23:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-28 00:58 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-04-28 00:48 . 2010-04-28 00:48 503808 ----a-w- c:\documents and settings\Stephanie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-47a2ed2c-n\msvcp71.dll

2010-04-28 00:48 . 2010-04-28 00:48 499712 ----a-w- c:\documents and settings\Stephanie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-47a2ed2c-n\jmc.dll

2010-04-28 00:48 . 2010-04-28 00:48 348160 ----a-w- c:\documents and settings\Stephanie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-47a2ed2c-n\msvcr71.dll

2010-04-28 00:47 . 2005-12-07 20:54 -------- d-----w- c:\program files\Common Files\Java

2010-04-28 00:47 . 2010-04-28 00:47 61440 ----a-w- c:\documents and settings\Stephanie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2bb76ed1-n\decora-sse.dll

2010-04-28 00:47 . 2010-04-28 00:47 12800 ----a-w- c:\documents and settings\Stephanie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2bb76ed1-n\decora-d3d.dll

2010-04-28 00:47 . 2005-12-07 20:54 -------- d-----w- c:\program files\Java

2010-04-28 00:26 . 2010-04-25 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-27 23:31 . 2010-04-27 23:30 -------- d-----w- c:\program files\Trojan Remover

2010-04-27 23:30 . 2010-04-27 23:30 -------- d-----w- c:\documents and settings\Stephanie\Application Data\Simply Super Software

2010-04-27 23:30 . 2010-04-27 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2010-04-27 03:58 . 2009-10-18 13:55 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-04-27 03:02 . 2010-04-26 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-04-27 03:02 . 2010-04-27 03:02 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-04-27 02:52 . 2010-04-27 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-27 02:50 . 2010-04-27 02:50 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-04-27 02:50 . 2010-04-27 02:50 -------- d-----w- c:\program files\CCleaner

2010-04-26 19:05 . 2006-01-24 03:45 77016 ----a-w- c:\documents and settings\Stephanie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-25 23:05 . 2010-04-25 23:05 -------- d-----w- c:\documents and settings\Stephanie\Application Data\Avira

2010-04-25 22:07 . 2010-04-25 04:58 -------- d-----w- c:\documents and settings\Stephanie\Application Data\IObit

2010-04-25 21:58 . 2010-04-25 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-04-25 21:54 . 2010-04-25 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop

2010-04-25 21:39 . 2010-04-25 21:39 -------- d-----w- c:\program files\PCPitstop

2010-04-25 21:20 . 2010-04-25 21:20 -------- d-----w- c:\program files\Avira

2010-04-25 21:20 . 2010-04-25 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-04-25 21:18 . 2005-12-07 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-04-25 17:35 . 2005-12-07 21:06 -------- d-----w- c:\program files\Common Files\AOL

2010-04-25 17:35 . 2005-12-28 08:16 -------- d-----w- c:\documents and settings\Stephanie\Application Data\AOL

2010-04-25 17:35 . 2005-12-07 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2010-04-25 16:43 . 2010-04-25 04:58 -------- d-----w- c:\program files\IObit

2010-04-25 15:12 . 2010-04-25 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-04-17 17:28 . 2006-03-30 20:14 19838 ----a-w- c:\documents and settings\Stephanie\Application Data\wklnhst.dat

2010-04-12 21:29 . 2010-04-28 00:47 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-10 00:10 . 2010-04-10 00:10 -------- d-----w- c:\documents and settings\Stephanie\Application Data\StreamTorrent

2010-04-10 00:10 . 2010-04-10 00:10 -------- d-----w- c:\program files\StreamTorrent 1.0

2010-03-06 01:33 . 2009-09-01 22:18 144053 ----a-w- c:\documents and settings\Stephanie\Application Data\Move Networks\uninstall.exe

2010-03-06 01:33 . 2010-02-11 19:31 5640640 ----a-w- c:\documents and settings\Stephanie\Application Data\Move Networks\plugins\071802000001\npqmp071802000001.dll

2010-03-06 01:31 . 2010-03-06 01:30 827290 ----a-w- c:\documents and settings\Stephanie\Application Data\Move Networks\MoveMediaPlayerWin_071802000001.exe

2010-03-01 14:05 . 2010-04-25 21:20 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-03-29 2343120]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]

"HostManager"="c:\program files\Common Files\AOL\1154786924\ee\AOLSoftware.exe" [2007-10-08 41824]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]

"IObit Security 360"="c:\program files\IOBIT\IOBIT SECURITY 360\IS360tray.exe" [2009-12-24 1280272]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"QuickTime Task"="c:\program files\QUICKTIME\QTTASK.EXE" [2007-02-16 282624]

"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-28 1165192]

"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2010-04-08 3021208]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk

backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^stephanie^start menu^programs^startup^openoffice.org 3.1.lnk]

path=c:\documents and settings\Stephanie\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2004-09-13 22:33 155648 -c--a-w- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

2005-08-31 17:06 106496 -c--a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2005-09-01 23:24 684032 -c--a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2005-05-15 08:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\directplayercore]

2009-09-24 21:45 1150016 ----a-w- c:\program files\NBC Direct\DirectPlayerCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2004-12-06 07:05 127035 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2005-02-23 22:19 53248 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp component manager]

2005-01-12 18:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp software update]

2005-02-17 04:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2005-07-20 05:06 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2005-07-20 05:10 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2005-07-20 05:09 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]

2004-10-30 20:59 385024 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-06-10 16:44 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-06-10 16:44 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]

2007-03-14 23:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

2005-09-09 01:20 8192 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

2005-09-09 01:20 110592 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

2005-08-12 22:16 1121792 ----a-w- c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]

2004-11-11 16:26 26112 ----a-w- c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-02-16 14:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

2005-12-07 21:07 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\roboform]

2009-08-01 00:19 160592 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1154786924\\ee\\aolsoftware.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/18/2009 1:25 AM 64288]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/25/2010 5:20 PM 135336]

R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1181328]

R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [3/24/2010 6:48 PM 323992]

S1 59fd5f9f;59fd5f9f;c:\windows\system32\drivers\59fd5f9f.sys [9/20/2009 1:51 PM 0]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/28/2010 9:21 PM 136176]

S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [4/25/2010 12:43 PM 311568]

S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [4/30/2010 6:05 PM 24416]

S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [4/25/2010 5:39 PM 85504]

--- Other Services/Drivers In Memory ---

*Deregistered* - UnHackMeDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

vvdsvc REG_MULTI_SZ vvdsvc

.

Contents of the 'Scheduled Tasks' folder

2010-05-29 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 03:56]

2010-05-29 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 03:56]

2010-05-29 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 03:56]

2010-05-29 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 03:56]

2010-05-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 03:56]

2010-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 01:21]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 01:21]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab

FF - ProfilePath - c:\documents and settings\Stephanie\Application Data\Mozilla\Firefox\Profiles\ptrag0e3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\Stephanie\Application Data\IDM\bin\flash\platform\WINNT\plugins\npidmdcp.dll

FF - plugin: c:\documents and settings\Stephanie\Application Data\Move Networks\plugins\071802000001\npqmp071802000001.dll

FF - plugin: c:\documents and settings\Stephanie\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\Stephanie\Application Data\Mozilla\Firefox\Profiles\ptrag0e3.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\NBC Direct\npDirectPlayerMozilla.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: XUL Cache: {A96CB97C-6766-4FDE-A49A-6EA1936EFEE0} - c:\documents and settings\Stephanie\Local Settings\Application Data\{A96CB97C-6766-4FDE-A49A-6EA1936EFEE0}

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

HKLM-Run-DXDllRegExe - dxdllreg.exe

HKU-Default-Run-vilupvqv - c:\documents and settings\Stephanie\Local Settings\Application Data\guiaxjsbw\ylcfltvtssd.exe

SafeBoot-klmdb.sys

MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe

MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe

MSConfigStartUp-skype - c:\program files\Skype\Phone\Skype.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

AddRemove-octoshape add-in for adobe flash player - c:\documents and settings\Stephanie\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-29 12:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\


As you can see, Combofix replaced the driver with a clean copy. :D I know things are much better now. We still have some work to do.

IObit was recently accused by Malwarebytes of stealing the MBAM database. I recommend removing all of IObit. Also, registry cleaners do more harm than good:

http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html

Note: You should remove LimeWire. Using P2P (peer-to-peer) software is very risky, because it makes you very susceptible to infection, attack, and exposure of personal or company information. But it is up to you whether to remove LimeWire.

And SpyHunter is not recommended:

http://en.wikipedia.org/wiki/SpyHunter

Please remove these entries from Add/Remove Programs in the Control Panel

Advanced SystemCare 3

LimeWire 5.4.6

IObit Security 360

Java 2 Runtime Environment, SE v1.4.2_03

Spyhunter

Next

Run CFScript

  • Close any open browsers.
  • Open Notepad: click Start, then click Run.
  • Type notepad into the box and press Enter.
  • Notepad will open.
  • Copy and paste everything from the Code box into Notepad:

File::
c:\windows\system32\4A3D0C9573.sys
c:\windows\system32\drivers\59fd5f9f.sys

Driver::
59fd5f9f

Save the file to your desktop and name it CFScript.txt

Then drag CFScript.txt onto ComboFix.exe, as shown in the screenshot below.

[screenshot: sfxdaw.jpg]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

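The ComboFix log above and the helper's read of it come down to a handful of indicators in the log text: the browser proxy forced to 127.0.0.1:5555 (a setting IE and AOL honour through WinINet while Firefox keeps its own proxy settings, which fits the symptom that only Firefox still connects), the S1 service 59fd5f9f whose driver file is 0 bytes, the hidden Firefox "XUL Cache" extension, the Run entry that launches from a random-named folder under Local Settings\Application Data, and the Security Center AntiVirusOverride flag. As an added example that is not part of the thread, of ComboFix or of the helper's instructions, the script below runs those checks over ComboFix-style lines. The sample input is constructed from lines copied out of the log above plus one benign Avira service line for contrast; the regular expressions and indicator labels are my own and assume the line layouts exactly as ComboFix prints them here.

```python
"""Triage a ComboFix-style log for the indicators seen in this thread.

Added example for the thread above; not ComboFix code and not the helper's.
The regexes assume the line layouts exactly as ComboFix prints them here.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the first ComboFix log in the thread,
# plus one benign Avira service line so the checks have something to ignore.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - HiddenExtension: XUL Cache: {A96CB97C-6766-4FDE-A49A-6EA1936EFEE0} - c:\documents and settings\Stephanie\Local Settings\Application Data\{A96CB97C-6766-4FDE-A49A-6EA1936EFEE0}
"AntiVirusOverride"=dword:00000001
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/25/2010 5:20 PM 135336]
S1 59fd5f9f;59fd5f9f;c:\windows\system32\drivers\59fd5f9f.sys [9/20/2009 1:51 PM 0]
HKU-Default-Run-vilupvqv - c:\documents and settings\Stephanie\Local Settings\Application Data\guiaxjsbw\ylcfltvtssd.exe
"""

# "ProxyServer = http=127.0.0.1:5555": WinINet clients (IE, AOL) are sent to a
# local port; Firefox keeps its own proxy settings, which fits the symptoms.
PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.\d+\.\d+\.\d+|localhost):(\d+)", re.I)
# "S1 name;display;image [date time size]" service/driver lines.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.+?)\s+(\d+)\]$")
HIDDEN_EXT_RE = re.compile(r"^FF - HiddenExtension:\s*(.+)$")
# Autorun whose target lives under a per-user Local Settings\Application Data folder.
RUN_RE = re.compile(
    r"Run-(\S+)\s+-\s+(.+\\Local Settings\\Application Data\\.+\.exe)$", re.I)
# Security Center overrides; legitimate AV suites set these too, so low confidence.
SC_RE = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|AntiVirusDisableNotify|FirewallDisableNotify)"=dword:0*1$')


@dataclass
class Finding:
    kind: str   # short indicator label (my own naming)
    line: str   # the log line that triggered it
    note: str   # why a helper would act on it


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per matching line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            findings.append(Finding(
                "loopback-proxy", line,
                f"browser traffic is forced through a local process on "
                f"{m.group(1)}:{m.group(2)}; once that process is removed, "
                "proxy-aware clients fail to connect until the setting is cleared"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, image, size = m.group(2), m.group(4), int(m.group(6))
            if size == 0:
                findings.append(Finding(
                    "zero-byte-driver", line,
                    f"service '{name}' points at {image}, which is 0 bytes on disk; "
                    "remove the file and the service entry together"))
            continue
        m = HIDDEN_EXT_RE.match(line)
        if m:
            findings.append(Finding(
                "hidden-ff-extension", line,
                "Firefox extension registered outside the profile and not shown in "
                "the Add-ons manager; a common home for search-redirect code"))
            continue
        m = RUN_RE.search(line)
        if m:
            findings.append(Finding(
                "run-from-user-localappdata", line,
                f"autorun '{m.group(1)}' launches an executable from a random-named "
                "per-user Application Data folder, a typical rogue-AV drop location"))
            continue
        m = SC_RE.match(line)
        if m:
            findings.append(Finding(
                "security-center-override", line,
                f"{m.group(1)} suppresses the Security Center warning; benign when a "
                "third-party suite set it, suspicious alongside the other hits"))
    return findings


def kinds(log_text: str) -> List[str]:
    """Indicator labels only, handy for a quick pass/fail check."""
    return [f.kind for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    {f.note}")
```

Feed it the text of a full ComboFix report and it prints each flagged line with the reason; a proxy pointing at a real corporate host, or a driver with a non-zero size, produces no finding, so the Avira line above is correctly ignored.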

ComboFix 10-05-28.08 - Stephanie 05/30/2010 11:16:02.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1429 [GMT -4:00]

Running from: c:\documents and settings\Stephanie\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Stephanie\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\windows\system32\4A3D0C9573.sys"

"c:\windows\system32\drivers\59fd5f9f.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Stephanie\Local Settings\Application Data\{A96CB97C-6766-4FDE-A49A-6EA1936EFEE0}

c:\documents and settings\Stephanie\Local Settings\Application Data\{A96CB97C-6766-4FDE-A49A-6EA1936EFEE0}\chrome.manifest

c:\documents and settings\Stephanie\Local Settings\Application Data\{A96CB97C-6766-4FDE-A49A-6EA1936EFEE0}\chrome\content\_cfg.js

c:\documents and settings\Stephanie\Local Settings\Application Data\{A96CB97C-6766-4FDE-A49A-6EA1936EFEE0}\chrome\content\overlay.xul

c:\documents and settings\Stephanie\Local Settings\Application Data\{A96CB97C-6766-4FDE-A49A-6EA1936EFEE0}\install.rdf

c:\windows\system32\4A3D0C9573.sys

c:\windows\system32\drivers\59fd5f9f.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_59fd5f9f

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))

.

2010-05-30 15:07 . 2010-05-30 15:07 -------- d-----w- c:\windows\LastGood.Tmp

2010-05-29 16:40 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2010-05-29 16:40 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2010-05-25 11:16 . 2010-05-25 11:16 244 ---ha-w- C:\aaw7boot.cmd

2010-05-02 02:45 . 2010-05-16 14:28 -------- d-----w- c:\documents and settings\Stephanie\Local Settings\Application Data\guiaxjsbw

2010-04-30 22:05 . 2010-05-23 03:47 24416 ----a-w- c:\windows\system32\drivers\regguard.sys

2010-04-30 21:58 . 2010-04-30 21:58 2 --shatr- c:\windows\winstart.bat

2010-04-30 21:58 . 2010-03-23 21:34 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys

2010-04-30 21:58 . 2010-05-07 23:19 -------- d-----w- c:\program files\UnHackMe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-30 15:08 . 2005-12-07 20:54 -------- d-----w- c:\program files\Common Files\Java

2010-05-30 15:06 . 2006-01-03 21:53 -------- d-----w- c:\program files\LimeWire

2010-05-29 14:49 . 2009-09-25 00:17 1 ----a-w- c:\documents and settings\Stephanie\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-05-28 01:18 . 2006-01-19 23:42 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-26 00:05 . 2009-10-10 21:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-16 19:33 . 2010-03-29 01:21 -------- d-----w- c:\program files\Google

2010-05-15 14:14 . 2009-09-23 00:17 -------- d-----w- c:\program files\AceMoney

2010-05-12 21:54 . 2006-01-24 03:45 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-05-01 03:39 . 2005-08-16 10:18 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2010-04-30 22:21 . 2010-04-26 01:14 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-04-29 19:39 . 2009-10-10 21:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-10-10 21:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-28 01:16 . 2010-04-28 01:16 -------- d-----w- c:\program files\Enigma Software Group

2010-04-28 01:14 . 2010-04-28 01:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-04-28 01:07 . 2010-04-27 23:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-28 00:58 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-04-28 00:48 . 2010-04-28 00:48 503808 ----a-w- c:\documents and settings\Stephanie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-47a2ed2c-n\msvcp71.dll

2010-04-28 00:48 . 2010-04-28 00:48 499712 ----a-w- c:\documents and settings\Stephanie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-47a2ed2c-n\jmc.dll

2010-04-28 00:48 . 2010-04-28 00:48 348160 ----a-w- c:\documents and settings\Stephanie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-47a2ed2c-n\msvcr71.dll

2010-04-28 00:47 . 2010-04-28 00:47 61440 ----a-w- c:\documents and settings\Stephanie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2bb76ed1-n\decora-sse.dll

2010-04-28 00:47 . 2010-04-28 00:47 12800 ----a-w- c:\documents and settings\Stephanie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2bb76ed1-n\decora-d3d.dll

2010-04-28 00:47 . 2005-12-07 20:54 -------- d-----w- c:\program files\Java

2010-04-28 00:26 . 2010-04-25 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-27 23:31 . 2010-04-27 23:30 -------- d-----w- c:\program files\Trojan Remover

2010-04-27 23:30 . 2010-04-27 23:30 -------- d-----w- c:\documents and settings\Stephanie\Application Data\Simply Super Software

2010-04-27 23:30 . 2010-04-27 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2010-04-27 03:58 . 2009-10-18 13:55 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-04-27 03:02 . 2010-04-26 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-04-27 03:02 . 2010-04-27 03:02 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-04-27 02:52 . 2010-04-27 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-27 02:50 . 2010-04-27 02:50 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-04-27 02:50 . 2010-04-27 02:50 -------- d-----w- c:\program files\CCleaner

2010-04-26 19:05 . 2006-01-24 03:45 77016 ----a-w- c:\documents and settings\Stephanie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-25 23:05 . 2010-04-25 23:05 -------- d-----w- c:\documents and settings\Stephanie\Application Data\Avira

2010-04-25 22:07 . 2010-04-25 04:58 -------- d-----w- c:\documents and settings\Stephanie\Application Data\IObit

2010-04-25 21:58 . 2010-04-25 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-04-25 21:54 . 2010-04-25 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop

2010-04-25 21:39 . 2010-04-25 21:39 -------- d-----w- c:\program files\PCPitstop

2010-04-25 21:20 . 2010-04-25 21:20 -------- d-----w- c:\program files\Avira

2010-04-25 21:20 . 2010-04-25 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-04-25 21:18 . 2005-12-07 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-04-25 17:35 . 2005-12-07 21:06 -------- d-----w- c:\program files\Common Files\AOL

2010-04-25 17:35 . 2005-12-28 08:16 -------- d-----w- c:\documents and settings\Stephanie\Application Data\AOL

2010-04-25 17:35 . 2005-12-07 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2010-04-25 16:43 . 2010-04-25 04:58 -------- d-----w- c:\program files\IObit

2010-04-25 15:12 . 2010-04-25 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-04-17 17:28 . 2006-03-30 20:14 19838 ----a-w- c:\documents and settings\Stephanie\Application Data\wklnhst.dat

2010-04-12 21:29 . 2010-04-28 00:47 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-10 00:10 . 2010-04-10 00:10 -------- d-----w- c:\documents and settings\Stephanie\Application Data\StreamTorrent

2010-04-10 00:10 . 2010-04-10 00:10 -------- d-----w- c:\program files\StreamTorrent 1.0

2010-03-06 01:33 . 2009-09-01 22:18 144053 ----a-w- c:\documents and settings\Stephanie\Application Data\Move Networks\uninstall.exe

2010-03-06 01:33 . 2010-02-11 19:31 5640640 ----a-w- c:\documents and settings\Stephanie\Application Data\Move Networks\plugins\071802000001\npqmp071802000001.dll

2010-03-06 01:31 . 2010-03-06 01:30 827290 ----a-w- c:\documents and settings\Stephanie\Application Data\Move Networks\MoveMediaPlayerWin_071802000001.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]

"HostManager"="c:\program files\Common Files\AOL\1154786924\ee\AOLSoftware.exe" [2007-10-08 41824]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"QuickTime Task"="c:\program files\QUICKTIME\QTTASK.EXE" [2007-02-16 282624]

"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-28 1165192]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk

backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^stephanie^start menu^programs^startup^openoffice.org 3.1.lnk]

path=c:\documents and settings\Stephanie\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2004-09-13 22:33 155648 -c--a-w- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

2005-08-31 17:06 106496 -c--a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2005-09-01 23:24 684032 -c--a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2005-05-15 08:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\directplayercore]

2009-09-24 21:45 1150016 ----a-w- c:\program files\NBC Direct\DirectPlayerCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2004-12-06 07:05 127035 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2005-02-23 22:19 53248 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp component manager]

2005-01-12 18:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp software update]

2005-02-17 04:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2005-07-20 05:06 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2005-07-20 05:10 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2005-07-20 05:09 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]

2004-10-30 20:59 385024 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-06-10 16:44 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-06-10 16:44 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]

2007-03-14 23:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

2005-09-09 01:20 8192 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

2005-09-09 01:20 110592 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

2005-08-12 22:16 1121792 ----a-w- c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]

2004-11-11 16:26 26112 ----a-w- c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-02-16 14:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

2005-12-07 21:07 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\roboform]

2009-08-01 00:19 160592 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1154786924\\ee\\aolsoftware.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/18/2009 1:25 AM 64288]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/25/2010 5:20 PM 135336]

R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1181328]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/28/2010 9:21 PM 136176]

S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]

S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [4/30/2010 6:05 PM 24416]

S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [4/25/2010 5:39 PM 85504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HITMANPRO35

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

vvdsvc REG_MULTI_SZ vvdsvc

.

Contents of the 'Scheduled Tasks' folder

2010-05-30 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 03:56]

2010-05-30 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 03:56]

2010-05-29 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 03:56]

2010-05-29 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 03:56]

2010-05-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 03:56]

2010-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 01:21]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 01:21]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab

FF - ProfilePath - c:\documents and settings\Stephanie\Application Data\Mozilla\Firefox\Profiles\ptrag0e3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\Stephanie\Application Data\IDM\bin\flash\platform\WINNT\plugins\npidmdcp.dll

FF - plugin: c:\documents and settings\Stephanie\Application Data\Move Networks\plugins\071802000001\npqmp071802000001.dll

FF - plugin: c:\documents and settings\Stephanie\Application Data\Mozilla\Firefox\Profiles\ptrag0e3.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\NBC Direct\npDirectPlayerMozilla.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-30 11:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\

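Three entries in the ComboFix log above are worth reading together: the Security Center AntiVirusOverride flag, the firewall's DisableNotifications, and an Internet Settings ProxyServer of http=127.0.0.1:5555, which sends Internet Explorer (and anything else that honours the WinINET proxy) to a listener on the machine itself, so once the program that listened there is removed IE cannot connect while a browser with its own proxy settings still can. As an added example (not ComboFix's or the thread's code), the Python below parses log lines in that format and flags those indicators; the sample lines are constructed to match the posted log.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's layout, mirroring the entries the posted log shows.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

@dataclass
class Finding:
    indicator: str  # short name of what matched
    detail: str     # the raw value that triggered it
    why: str        # what it means for the machine

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>\S+)")
# Security Center DWORDs that silence the "no antivirus / no firewall" warnings.
OVERRIDE_VALUES = {"antivirusoverride", "firewalloverride"}

def parse_dword(raw):
    """ComboFix prints DWORDs as 'dword:00000001' or '1 (0x1)'; return the int."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None

def is_loopback_proxy(value):
    """True if any entry of 'http=host:port;https=host:port' points at this machine."""
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1]              # drop a 'http=' scheme prefix
        host = hostport.rsplit(":", 1)[0].strip("[]")  # drop the port, unwrap IPv6
        if host.lower() == "localhost":
            return True
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:
            continue                                   # a hostname, not an IP literal
    return False

def scan_combofix_lines(text):
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings, current_key = [], ""
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current_key = m.group("key").lower()
        elif m := PROXY_RE.match(line):
            if is_loopback_proxy(m.group("value")):
                findings.append(Finding("loopback_proxy", m.group("value"),
                    "IE and other WinINET clients are sent to a listener on this machine; "
                    "once that process is gone they cannot connect at all"))
        elif m := VALUE_RE.match(line):
            name, val = m.group("name").lower(), parse_dword(m.group("raw"))
            if "security center" in current_key and name in OVERRIDE_VALUES and val == 1:
                findings.append(Finding(name, m.group("raw"),
                    "Security Center is told not to warn that AV/firewall is off"))
            elif "firewallpolicy" in current_key and name == "disablenotifications" and val == 1:
                findings.append(Finding("firewall_notifications_off", m.group("raw"),
                    "Windows Firewall will not prompt when a program opens a port"))
    return findings

if __name__ == "__main__":
    for f in scan_combofix_lines(SAMPLE_LOG):
        print(f"{f.indicator:28} {f.detail:24} {f.why}")
```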

Very good job crazywheelz! We're almost done...

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted, allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the online scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your anti-virus application after running the above scan!

Next

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your next reply, please include these log(s):

EsetOnlineScanner\log.txt

checkup.txt

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

Ok, so as of Sunday morning everything looked and appeared to be OK, but after running ESET it looks like that is not the case. Also, when I returned to my computer yesterday evening, Avira Anti-Virus had detected a trojan and malware. Also, military time was back. So it looks like something else still needs to be cleaned up.

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=7ab99a621695ef45ab10291a5d077c4a

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-05-31 08:51:47

# local_time=2010-05-31 04:51:47 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1797 16775141 100 93 0 33426175 52484 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=85468

# found=2

# cleaned=0

# scan_time=19628

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\43120580-7dffd18f a variant of Java/TrojanDownloader.Agent.NAN trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 20

Adobe Flash Player 9 (Out of date Flash Player installed!)

Adobe Flash Player 10.0.32.18

Adobe Reader 9.3

````````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete this folder:

C:\Documents and Settings\NetworkService\Application Data\Sun\Java

Be sure to use Secunia software inspector & update checker for the out-of-date Flash Player that is installed.

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the run box and click OK. (Notice the space between the x and the /.)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA. Both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt.
  • Change the Download unsigned ActiveX controls to Disable.
  • Change the Initialize and script ActiveX controls not marked as safe to Disable.
  • Change the Installation of desktop items to Prompt.
  • Change the Launching programs and files in an IFRAME to Prompt.
  • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

WinPatrol - Download and install the free version of WinPatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you, crazywheelz.

Kenny,

Thanks for your help on all this! However, I'm still afraid something else is out there based off that last scan I had. Are you saying these are now gone? It looked like some symptoms were back last night. Thanks a bunch, just want to make sure I'm 100% clean.

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\43120580-7dffd18f a variant of Java/TrojanDownloader.Agent.NAN trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I


In post #8 I had asked you to remove this by using Windows Explorer (to get there, right-click your Start button and go to "Explore") and deleting this folder:

C:\Documents and Settings\NetworkService\Application Data\Sun\Java

The other one is part of Combofix. When you uninstall Combofix, it will be gone.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
