daosbox Posted July 15, 2010 ID:284565

Hi, Can someone please help me? I think that I have the Ilomo Bug. My computer's symptoms are the Wave in the Master Volume Control turns all the way down by itself, Internet Explorer will pop up with some random ads, sometimes I'll hear advertisements and it will say IEXPLORE.EXE is running even though I'm not using it. Here is my HijackThis log. Please help.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:08:03 AM, on 7/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WMP54GR.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM7\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/c...AX/RraainAX.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - http://kr.gameguard.nprotect.com/inca/onscan//tyscan/nps.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1263281124421
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1263281116109
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://inside.sfsu.edu/mail05b/dwa7W.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: WIKI.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: WMP54GRSVC - GEMTEKS - C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe

--
End of file - 9569 bytes

Thanks,
Dao
RPMcMurphy Posted July 16, 2010 ID:285263

Hello, daosbox and welcome to Malwarebytes. Please follow these guidelines while we work on your PC:

- Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I
daosbox (Author) Posted July 18, 2010 ID:286409

Dear RPMcMurphy, Thank you for your time on this. Ever since I posted this topic, I have removed AVG from my system (sorry!). Here is my new HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:48:29 PM, on 7/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WMP54GR.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/c...AX/RraainAX.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - http://kr.gameguard.nprotect.com/inca/onscan//tyscan/nps.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1263281124421
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1263281116109
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://inside.sfsu.edu/mail05b/dwa7W.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: WIKI.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: WMP54GRSVC - GEMTEKS - C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe

--
End of file - 8524 bytes
RPMcMurphy Posted July 18, 2010 ID:286411

Hello,
Please run the scans I asked for in my last post (DDS, GMER and MBRCheck).
daosbox (Author) Posted July 19, 2010 ID:286489

Attached are the files you've requested.
PS: I'm going to travel for work on Tuesday to Saturday and will jump back on this thread when I return. Please don't close the thread.
Thanks a lot!
Dao
___

DDS (Ver_10-03-17.01) - NTFSx86
Run by Dao at 16:46:12.21 on Sun 07/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.426 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe 4
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WLService.exe
C:\Program Files\Wireless-G PCI Adapter with RangeBooster\WMP54GR.exe
svchost.exe 4
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Dao\My Documents\Downloads\o6c92ryp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Dao\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sfgate.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {03DF0933-6E10-4D32-9835-B9A815622831} - hxxps://gopublic.wspan.com/secure/DLLs/WSSystemInformation.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {297DE2B6-509A-4B36-93C5-A65276606900} - hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} - hxxp://kr.gameguard.nprotect.com/inca/onscan//tyscan/nps.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263281124421
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263281116109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://inside.sfsu.edu/mail05b/dwa7W.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: WIKI.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dao\applic~1\mozilla\firefox\profiles\ygu28402.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.onelastcheck.com/
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - plugin: c:\documents and settings\dao\application data\mozilla\firefox\profiles\ygu28402.default\extensions\{4d144bc3-23fb-47de-90c5-63ccb0139ccf}\plugins\npww.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-6-1 10384]
R2 WMP54GRSVC;WMP54GRSVC;c:\program files\wireless-g pci adapter with rangebooster\WLService.exe [2008-9-8 53307]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-6 38224]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2008-9-8 19968]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 cpuz132;cpuz132;\??\c:\docume~1\dao\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\dao\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-07-16 00:50:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-07-15 06:20:20 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-15 02:29:18 0 d-----w- c:\program files\AVG
2010-07-14 03:30:54 593920 ------w- c:\windows\system32\ati2sgag.exe
2010-07-14 03:29:59 0 d-----w- c:\program files\ATI Technologies
2010-07-14 02:50:17 10 ----a-w- c:\windows\WININIT.INI
2010-07-14 02:08:22 0 d-----w- c:\program files\MSN Toolbar
2010-07-14 02:07:55 0 d-----w- c:\program files\MSN Toolbar Installer
2010-07-14 02:07:54 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2010-07-14 00:43:14 0 d-----w- c:\program files\USB TV
2010-07-07 06:32:06 0 d-----w- c:\docume~1\dao\applic~1\Malwarebytes
2010-07-07 06:31:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-07 06:31:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-07 06:31:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-07 06:31:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-06-01 21:21:20 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-06-01 21:21:19 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-06-01 21:21:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-06-01 21:21:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 16:46:52.65 ===============

Attachments: Gmer.txt, Attach.txt, MBRCheck_07.18.10_17.06.31.txt
RPMcMurphy Posted July 19, 2010 ID:286702

doasbox,

Thanks for letting me know. Here is the first thing I need you to do:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:
ComboFix log
daosbox Posted July 20, 2010 Author ID:286993

Hi RPMcMurphy,

Attached is the combofix.log

Thanks again,
Dao

ComboFix.txt
RPMcMurphy Posted July 20, 2010 ID:287091

doasbox,

Your ComboFix log shows over 100 open ports. Is there any reason for that? Here is the next step:

Earlier on ComboFix installed the Recovery Console. We're going to use that now. Please print and read the instructions and ask any questions you have before you start:

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console" (you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the Windows XP bootup)

When you get to the above screen, take note of the number that references your operating system.
If it's '1' like the picture above, type 1 and press Enter
It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.
Next type FIXMBR
If it asks if you're sure you want to write a new MBR, answer 'Y'
Then type EXIT to reboot the machine.

Run MBRCheck again
Double click the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window similar to this should open on your desktop:
If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
If nothing unusual is found just press Enter
A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

Please include the following in your next post:
MBRCheck log
daosbox Posted July 20, 2010 Author ID:287092

Hi Murphy,

I didn't know that I had over 100 ports open.
Please see the attached MBR file.

Thanks,
Dao

MBRCheck_07.19.10_21.37.22.txt
RPMcMurphy Posted July 20, 2010 ID:287095

doasbox,

That worked well. Please run this next:

Open Notepad: Go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Registry::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"32943:TCP"=-
"54308:TCP"=-
"19914:TCP"=-
"34242:TCP"=-
"49324:TCP"=-
"49011:TCP"=-
"13926:TCP"=-
"60004:TCP"=-
"48137:TCP"=-
"8566:TCP"=-
"11691:TCP"=-
"37555:TCP"=-
"11523:TCP"=-
"32707:TCP"=-
"61933:TCP"=-
"64574:TCP"=-
"21332:TCP"=-
"55918:TCP"=-
"35683:TCP"=-
"62699:TCP"=-
"5398:TCP"=-
"58758:TCP"=-
"44808:TCP"=-
"36004:TCP"=-
"56447:TCP"=-
"57566:TCP"=-
"53523:TCP"=-
"65277:TCP"=-
"28914:TCP"=-
"17070:TCP"=-
"16754:TCP"=-
"55508:TCP"=-
"37875:TCP"=-
"35970:TCP"=-
"56355:TCP"=-
"38511:TCP"=-
"32617:TCP"=-
"50790:TCP"=-
"55996:TCP"=-
"21047:TCP"=-
"54789:TCP"=-
"19164:TCP"=-
"52726:TCP"=-
"39240:TCP"=-
"41520:TCP"=-
"33715:TCP"=-
"55726:TCP"=-
"51625:TCP"=-
"46101:TCP"=-
"44680:TCP"=-
"15685:TCP"=-
"54551:TCP"=-
"7289:TCP"=-
"49574:TCP"=-
"20090:TCP"=-
"36406:TCP"=-
"11395:TCP"=-
"62789:TCP"=-
"6836:TCP"=-
"13641:TCP"=-
"52781:TCP"=-
"10101:TCP"=-
"34110:TCP"=-
"33433:TCP"=-
"13184:TCP"=-
"62726:TCP"=-
"12445:TCP"=-
"40652:TCP"=-
"12273:TCP"=-
"44340:TCP"=-
"58652:TCP"=-
"48402:TCP"=-
"38735:TCP"=-
"29066:TCP"=-
"6233:TCP"=-
"30840:TCP"=-
"64621:TCP"=-
"6220:TCP"=-
"59683:TCP"=-
"62695:TCP"=-
"43836:TCP"=-
"30309:TCP"=-
"39630:TCP"=-
"48251:TCP"=-
"22977:TCP"=-
"45090:TCP"=-
"58113:TCP"=-
"39575:TCP"=-
"13618:TCP"=-
"50766:TCP"=-
"17714:TCP"=-
"46150:TCP"=-
"6728:TCP"=-
"65371:TCP"=-
"38636:TCP"=-
"36332:TCP"=-
"24117:TCP"=-
"14575:TCP"=-
"50094:TCP"=-
"57575:TCP"=-
"15555:TCP"=-
"52158:TCP"=-
"39523:TCP"=-
"41789:TCP"=-
"23808:TCP"=-
"39980:TCP"=-
"42340:TCP"=-
"23215:TCP"=-
"9778:TCP"=-
"46652:TCP"=-
"45418:TCP"=-
"11211:TCP"=-
"12414:TCP"=-
"51751:TCP"=-
"24090:TCP"=-
"52699:TCP"=-
"48469:TCP"=-
"39516:TCP"=-
"35027:TCP"=-
"53148:TCP"=-
"19273:TCP"=-

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:
ComboFix log
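The script above deletes the firewall exceptions that the infection had added under GloballyOpenPorts. The following is an added example, not the forum helper's or ComboFix's own code, of how a defender could audit that key from a `reg export` text and generate the same kind of Registry:: removal block automatically; the sample export, the allowlist of legitimate file-and-printer-sharing ports, and the `reg export` value layout it parses are assumptions made for illustration.

```python
"""Audit Windows XP firewall GloballyOpenPorts entries and build a ComboFix
Registry:: block for the ones that should not be there.

Added example, not part of the original thread or of ComboFix. The input
format mirrors a `reg export` of the StandardProfile GloballyOpenPorts key
(value name "port:proto", data "port:proto:scope:Enabled:description"); the
sample text and the allowlist are constructed for illustration.
"""
import re

# ComboFix spelling of the key, exactly as the helper's script uses it.
KEY = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
       r"\standardprofile\GloballyOpenPorts\List]")

# Constructed sample: two normal LocalSubNet exceptions plus three random
# high TCP ports open to any remote host, the pattern seen in bulk in the log.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"32943:TCP"="32943:TCP:*:Enabled:"
"54308:TCP"="54308:TCP:*:Enabled:"
"19914:TCP"="19914:TCP:*:Enabled:"
'''

# Assumed allowlist: the File and Printer Sharing ports XP adds itself.
ALLOWLIST = {"137:UDP", "138:UDP", "139:TCP", "445:TCP"}

VALUE_RE = re.compile(r'^"(\d{1,5}:(?:TCP|UDP))"="([^"]*)"$')


def parse_open_ports(reg_text):
    """Return {value_name: data} for every port entry in the export text."""
    entries = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def suspicious_ports(entries, allowlist=ALLOWLIST):
    """Enabled entries open to any host ('*' scope) and not on the allowlist."""
    flagged = []
    for name, data in entries.items():
        fields = data.split(":")
        scope = fields[2] if len(fields) > 2 else "*"
        enabled = len(fields) > 3 and fields[3].lower() == "enabled"
        if name not in allowlist and enabled and scope == "*":
            flagged.append(name)
    return sorted(flagged, key=lambda n: int(n.split(":")[0]))


def build_cfscript(flagged):
    """Emit the Registry:: block ComboFix expects; '=-' deletes a value."""
    lines = ["Registry::", KEY] + ['"%s"=-' % name for name in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_REG_EXPORT)
    bad = suspicious_ports(found)
    print("%d firewall exceptions, %d flagged" % (len(found), len(bad)))
    print(build_cfscript(bad))
```

On a real machine the export comes from `reg export` of the key shown in the sample, and a flagged count anywhere near the 100+ seen in this thread is itself a strong sign that something other than the user has been editing the firewall policy.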
daosbox Posted July 20, 2010 Author ID:287106

Hi Murphy,

Please see the attached file.

Thanks,
Dao

ComboFix.txt
RPMcMurphy Posted July 20, 2010 ID:287109

doa,

Your logs are looking better. How is it running now? Please run these for me next:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.
Open MBAM
Click the Update tab
Click Check for Updates
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
Once the update is complete, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, adware, dialers, and other riskware
Archives
E-mail databases
4. Click on My Computer under the green Scan bar to the left to start the scan.
5. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
6. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
7. Click View report... at the bottom.
8. Click the Save report... button.
9. Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next post:
MBAM log
Kaspersky log
daosbox Posted July 20, 2010 Author ID:287135

Hi Murphy,

It seems better. Here is the quick scan from MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4329

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/19/2010 11:09:38 PM
mbam-log-2010-07-19 (23-09-38).txt

Scan type: Quick scan
Objects scanned: 145535
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I'll do the Kaspersky scan when I come back. It's taking a while to DL and I must sleep soon.
Thank you so much for all of your time.
I'll reply when I come back.

Sincerely,
Dao
RPMcMurphy Posted July 20, 2010 ID:287338

OK, Dao. I'll keep the thread open.
daosbox Posted July 26, 2010 Author ID:290442

Dear Murphy,

I'm back! Thanks for keeping the thread open. Please find the Kaspersky scan results attached. The MBAM was posted in my previous reply.

Thanks like always,
Dao

KasReport.txt
RPMcMurphy Posted July 26, 2010 ID:290612

doa,

Welcome back! Open notepad and then copy and paste the contents of the code box below into it. Go to File > save as and name the file
daosbox Posted July 27, 2010 Author ID:290960

Dear Murphy,

Thank you for your time with me on this. I'll let you know how everything goes.

Best Regards,
Dao
RPMcMurphy Posted July 27, 2010 ID:291002

You're welcome. Take care.