
Fairly certain I have a rootkit infection



I believe I have a rootkit infection that began about 3 weeks ago. I ran MBAM (free version) multiple times, but it persists. Unfortunately, I also tried to clean it up with my free antivirus program, Avast. I'm afraid Avast made the problem worse by disabling many installed programs, including itself(?). I cannot run or uninstall some programs, but I do seem to be able to reinstall some of them, though not all.

Problems that continue: all browser search links are redirected. I can still manually type them in and go directly where I want. Also, MBAM finds and removes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DbgMgr. The next scan will usually come up clean but will usually find the infection again within the next run or two (later that day or the next).

Per your instructions:

1) Ran Defogger

2) Ran DDS.com

3) Ran GMER

4) Attach and Ark are zipped and attached

5) Finally, here are the DDS.txt file and the latest MBAM log. Looking forward to working with you. Hope we (you) can sort this out! Thanks in advance; I understand how busy all of you are, so you have my patience and appreciation...

DDS (Ver_10-03-17.01) - NTFSx86

Run by NAU at 13:51:41.52 on Mon 08/30/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.322 [GMT -7:00]

AV: avast! antivirus 4.8.1368 [VPS 100808-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\NAU\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

mURLSearchHooks: H - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

mRunServices: [~TM5E.tmp] c:\windows\temp\~tm5e.tmp

mRunServices: [ModuleIUser] c:\program files\common files\installshield\engine\6\intel 32\ikernelobjectps3.01.392.exe

mRunServices: [icwconn1ICWRMIND] c:\program files\internet explorer\connection wizard\icwdloperating.exe

mRunServices: [pssqempavoe] c:\program files\panda security\activescan 2.0\vplatprcpskavs.exe

mRunServices: [~TMC.tmp] c:\windows\temp\~TMC.tmp

mRunServices: [icwconn1Microsoft] c:\program files\internet explorer\connection wizard\icwdloperating.exe

mRunServices: [PSKMFSpavexcom] c:\program files\panda security\activescan 2.0\vplatprcpskavs.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} -

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: Btmchk - {DAAC11DD-3AD7-4BE4-B2B8-8A2C0FF2C1D1} - c:\documents and settings\nau\local settings\temp\adobe\AdobeRdrPlug.dll

Hosts: 84.16.244.55 www.google.com

Hosts: 84.16.244.55 us.search.yahoo.com

Hosts: 84.16.244.55 uk.search.yahoo.com

Hosts: 84.16.244.55 search.yahoo.com

Hosts: 84.16.244.55 www.google.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nau\applic~1\mozilla\firefox\profiles\gjvszn7m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - mamma

FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home

FF - plugin: c:\documents and settings\nau\application data\move networks\plugins\npqmp071505000011.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-5-25 28552]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-8 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-8 20560]

R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2009-10-29 20480]

R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-3-22 386688]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-8 138680]

S2 MSWA-c935c299;MSWA-c935c299;c:\windows\system32\c935c299.exe --> c:\windows\system32\c935c299.exe [?]

S2 MSWA-f36decbb;MSWA-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]

S2 zokxqs;zokxqs;\??\c:\windows\system32\drivers\xqqulnp.sys --> c:\windows\system32\drivers\xqqulnp.sys [?]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-8 254040]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-8 352920]

S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 12872]

=============== Created Last 30 ================

2010-08-30 20:45:15 20 ----a-w- c:\documents and settings\nau\defogger_reenable

2010-08-27 02:04:24 397 ----a-w- c:\documents and settings\nau\exe.js

2010-08-19 18:09:48 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-19 18:09:48 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-19 18:09:48 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-19 18:09:48 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-19 18:09:47 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-19 18:09:45 0 d-----w- c:\program files\Trojan Remover

2010-08-19 18:09:45 0 d-----w- c:\docume~1\nau\applic~1\Simply Super Software

2010-08-19 18:09:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

2010-08-13 07:06:01 0 d-----w- c:\windows\system32\wbem\Repository

2010-08-13 07:05:23 0 d-----w- c:\windows\ShellNew

2010-08-13 07:05:19 0 d-----w- c:\program files\Microsoft ActiveSync

2010-08-13 07:02:59 0 d-----w- c:\program files\Roxio

2010-08-13 06:05:00 0 d-----w- c:\program files\Roxio(2)

2010-08-13 05:46:20 61440 ----a-w- c:\windows\system32\cdrtc.dll

2010-08-13 05:46:20 45056 ----a-w- c:\windows\system32\cdral.dll

2010-08-13 04:56:41 0 d-----w- c:\windows\SHELLNEW(2)

2010-08-09 20:54:09 0 d-----w- c:\docume~1\alluse~1\applic~1\FirmTools

2010-08-09 20:54:04 0 d-----w- c:\program files\FirmTools

2010-08-05 15:27:08 0 d-----w- c:\program files\riva

2010-08-05 15:27:00 0 d-----w- c:\program files\Microsoft

==================== Find3M ====================

2010-08-30 20:49:15 18 ----a-w- c:\program files\common files\winafx.log

2010-08-30 20:48:06 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-08-30 20:48:04 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-08-05 15:26:39 1744 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-13 17:59:44 20 ----a-w- c:\docume~1\nau\applic~1\hvyacl.dat

2010-07-09 18:50:20 0 ----a-w- c:\documents and settings\nau\GoToAssistDownloadHelper.exe

2010-06-10 14:23:30 1632 ----a-w- c:\windows\system32\d3d8caps.dat

============= FINISH: 13:52:29.06 ===============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4509

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

8/30/2010 10:59:10 AM

mbam-log-2010-08-30 (10-59-10).txt

Scan type: Full scan (C:\|)

Objects scanned: 259003

Time elapsed: 58 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DbgMgr (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

THANKS AGAIN!

Attach.zip

ark.zip

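The DDS report above carries the two indicators that explain the symptoms in this post: the Hosts lines map Google and Yahoo search domains to a single public IP (hence every search link being redirected), and the SERVICES / DRIVERS section lists services such as MSWA-c935c299 and zokxqs whose image files DDS could not find on disk (the "path --> path [?]" form). The following triage script is an added example, not part of the original post and not code from the DDS tool; it parses lines in the DDS format and flags both kinds of entry. The sample lines are copied from the log above, with two constructed benign Hosts entries added for contrast, and the thresholds (loopback/unspecified addresses treated as benign, the "[?]" marker treated as "image file missing") are this example's own assumptions.

```python
import re
import ipaddress

# Sample DDS "Pseudo HJT Report" / "SERVICES / DRIVERS" lines. The first three Hosts lines and the
# three service lines are copied from the log on this page; the two Hosts lines marked
# "constructed" are benign entries added for contrast.
SAMPLE_LINES = [
    "Hosts: 84.16.244.55 www.google.com",
    "Hosts: 84.16.244.55 us.search.yahoo.com",
    "Hosts: 84.16.244.55 search.yahoo.com",
    "Hosts: 127.0.0.1 localhost",            # constructed: default loopback entry
    "Hosts: 0.0.0.0 ads.example.test",       # constructed: blocklist-style sinkhole entry
    r"S2 MSWA-c935c299;MSWA-c935c299;c:\windows\system32\c935c299.exe --> c:\windows\system32\c935c299.exe [?]",
    r"S2 zokxqs;zokxqs;\??\c:\windows\system32\drivers\xqqulnp.sys --> c:\windows\system32\drivers\xqqulnp.sys [?]",
    r"R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-8 114768]",
]

# "Hosts: <ip> <hostname>" as DDS prints it
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")
# "<R0..S3> <name>;<display name>;<image path and suffix>" as DDS prints service/driver entries
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def suspicious_hosts(lines):
    """Return (ip, hostname) for Hosts entries that point a name at a routable address.

    Mapping a name to 127.0.0.1 or 0.0.0.0 is the normal blocklist/sinkhole pattern and is
    ignored here; mapping a name to a public address redirects that site to a server the
    user did not choose, which is the search-redirect symptom described in the post.
    """
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if not m:
            continue
        ip, host = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a literal address; leave it for manual review
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append((ip, host))
    return hits


def orphan_services(lines):
    """Return (service name, image path) for SERVICES / DRIVERS entries whose image file is missing.

    DDS prints a found binary with a "[date size]" suffix and a missing one as
    "path --> path [?]". A registered service or driver with no file on disk is either
    leftover from a removal or, as here, a deliberately hidden component.
    """
    hits = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, image = m.group(2), m.group(4).rstrip()
        if " --> " in image and image.endswith("[?]"):
            hits.append((name, image.split(" --> ")[0]))
    return hits


def triage(lines):
    """Summarise both checks over a list of DDS lines."""
    return {
        "redirected_hosts": suspicious_hosts(lines),
        "orphan_services": orphan_services(lines),
    }


if __name__ == "__main__":
    for category, entries in triage(SAMPLE_LINES).items():
        print(category)
        for entry in entries:
            print("   ", *entry)
```

On the sample lines the hosts check reports the three 84.16.244.55 entries and nothing for the loopback and 0.0.0.0 lines, and the service check reports MSWA-c935c299 and zokxqs while leaving the avast! driver alone. Running it over a full DDS.txt (one line per list element) gives the same first-pass view a helper forms by eye from the report.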

Thank you, Screen317.

Here is the DDS.txt you asked for.

DDS (Ver_10-03-17.01) - NTFSx86

Run by NAU at 18:56:49.75 on Mon 08/30/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.287 [GMT -7:00]

AV: avast! antivirus 4.8.1368 [VPS 100808-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\NAU\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

mURLSearchHooks: H - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

mRunServices: [~TM5E.tmp] c:\windows\temp\~tm5e.tmp

mRunServices: [ModuleIUser] c:\program files\common files\installshield\engine\6\intel 32\ikernelobjectps3.01.392.exe

mRunServices: [icwconn1ICWRMIND] c:\program files\internet explorer\connection wizard\icwdloperating.exe

mRunServices: [pssqempavoe] c:\program files\panda security\activescan 2.0\vplatprcpskavs.exe

mRunServices: [~TMC.tmp] c:\windows\temp\~TMC.tmp

mRunServices: [icwconn1Microsoft] c:\program files\internet explorer\connection wizard\icwdloperating.exe

mRunServices: [PSKMFSpavexcom] c:\program files\panda security\activescan 2.0\vplatprcpskavs.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} -

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: Btmchk - {DAAC11DD-3AD7-4BE4-B2B8-8A2C0FF2C1D1} - c:\documents and settings\nau\local settings\temp\adobe\AdobeRdrPlug.dll

Hosts: 84.16.244.55 www.google.com

Hosts: 84.16.244.55 us.search.yahoo.com

Hosts: 84.16.244.55 uk.search.yahoo.com

Hosts: 84.16.244.55 search.yahoo.com

Hosts: 84.16.244.55 www.google.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nau\applic~1\mozilla\firefox\profiles\gjvszn7m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - mamma

FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home

FF - plugin: c:\documents and settings\nau\application data\move networks\plugins\npqmp071505000011.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-5-25 28552]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-8 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-8 20560]

R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2009-10-29 20480]

R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-3-22 386688]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-8 138680]

S2 MSWA-c935c299;MSWA-c935c299;c:\windows\system32\c935c299.exe --> c:\windows\system32\c935c299.exe [?]

S2 MSWA-f36decbb;MSWA-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]

S2 zokxqs;zokxqs;\??\c:\windows\system32\drivers\xqqulnp.sys --> c:\windows\system32\drivers\xqqulnp.sys [?]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-8 254040]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-8 352920]

S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 12872]

=============== Created Last 30 ================

2010-08-30 20:45:15 20 ----a-w- c:\documents and settings\nau\defogger_reenable

2010-08-27 02:04:24 397 ----a-w- c:\documents and settings\nau\exe.js

2010-08-19 18:09:48 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-19 18:09:48 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-19 18:09:48 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-19 18:09:48 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-19 18:09:47 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-19 18:09:45 0 d-----w- c:\program files\Trojan Remover

2010-08-19 18:09:45 0 d-----w- c:\docume~1\nau\applic~1\Simply Super Software

2010-08-19 18:09:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

2010-08-13 07:06:01 0 d-----w- c:\windows\system32\wbem\Repository

2010-08-13 07:05:23 0 d-----w- c:\windows\ShellNew

2010-08-13 07:05:19 0 d-----w- c:\program files\Microsoft ActiveSync

2010-08-13 07:02:59 0 d-----w- c:\program files\Roxio

2010-08-13 06:05:00 0 d-----w- c:\program files\Roxio(2)

2010-08-13 05:46:20 61440 ----a-w- c:\windows\system32\cdrtc.dll

2010-08-13 05:46:20 45056 ----a-w- c:\windows\system32\cdral.dll

2010-08-13 04:56:41 0 d-----w- c:\windows\SHELLNEW(2)

2010-08-09 20:54:09 0 d-----w- c:\docume~1\alluse~1\applic~1\FirmTools

2010-08-09 20:54:04 0 d-----w- c:\program files\FirmTools

2010-08-05 15:27:08 0 d-----w- c:\program files\riva

2010-08-05 15:27:00 0 d-----w- c:\program files\Microsoft

==================== Find3M ====================

2010-08-30 20:49:15 18 ----a-w- c:\program files\common files\winafx.log

2010-08-30 20:48:06 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-08-30 20:48:04 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-08-05 15:26:39 1744 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-13 17:59:44 20 ----a-w- c:\docume~1\nau\applic~1\hvyacl.dat

2010-07-09 18:50:20 0 ----a-w- c:\documents and settings\nau\GoToAssistDownloadHelper.exe

2010-06-10 14:23:30 1632 ----a-w- c:\windows\system32\d3d8caps.dat

============= FINISH: 18:57:09.65 ===============


OK, thanks for taking a look... I ran into some challenges:

1) Not sure if Windows Firewall needed to be stopped before running ComboFix, or just the third-party firewalls. Anyway, I went ahead and tried to go into Windows Firewall and got a message:

"Windows firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall / ICS service?"

I said yes, then disabled the Windows Firewall. If this is not needed, I won't do it on the next attempt to run ComboFix.

2) Started ComboFix, but it sees Avast! Antivirus 4.8.1368 [VPS 100808-0] as running and wants me to disable it before clicking OK. As I said in my first post, I cannot do anything with Avast at this point. I go to Control Panel / Add or Remove Programs and try to remove the program. When I click on the Add/Remove button, the screen flashes once with no other action (even in Safe Mode). I go into msconfig / Startup and uncheck AshDisp and apply the change, but it is always rechecked after rebooting. I also get the following message after restarting the computer:

"AshDisp.exe - This application failed to start because aswCmn05.dll was not found. Re-installing the application may fix the problem"

Any attempt to reinstall Avast gets blocked. I do not remember the message that came up when I made the attempt. I think it is something to the effect that the Windows Installer could not be found, or run... something like that.

3) Can ComboFix be run in Safe Mode, or do you want me to continue ComboFix by clicking on 'OK' without actually stopping Avast, or take some other action? I await... thanks again!


Good day, screen317!

Deleted ComboFix, got a new copy and executed the Run command per your instruction.

Unfortunately, ComboFix still sees Avast as running... so I again deleted the current copy of ComboFix and re-downloaded a fresh copy (have not run it) and now await new directions.

I can see this is going to be a challenge! Please work on this at your convenience and keep my post open, as I will be away from my computer until Monday. Have a good weekend, and thanks!


OK screen317, I am back and ran ComboFix and a new DDS. I am unable to log on to the internet after running ComboFix (not via wireless or the local area connection). I am still connecting via my other computer, so here are the logs, and thanks for the assist!

ComboFix 10-09-06.04 - NAU 09/07/2010 10:36:34.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.341 [GMT -7:00]

Running from: c:\documents and settings\NAU\desktop\ComboFix.exe

Command switches used :: /killall

AV: avast! antivirus 4.8.1368 [VPS 100808-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\NAU\Application Data\inst.exe

c:\documents and settings\NAU\Application Data\Usinke

c:\documents and settings\NAU\Application Data\Usinke\hirou.tmp

c:\documents and settings\NAU\Application Data\Usinke\hirou.ulh

c:\documents and settings\NAU\GoToAssistDownloadHelper.exe

c:\documents and settings\NAU\My Documents\Readiris.DUS

c:\program files\Internet Explorer\complete.dat

c:\program files\Internet Explorer\dmlconf.dat

c:\windows\system32\1279876501.dat

c:\windows\system32\ff4h.gy

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_ndisrd

((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))

.

2010-08-20 13:25 . 2010-07-27 02:13 3683248 ----a-w- c:\documents and settings\NAU\Application Data\Simply Super Software\Trojan Remover\jbk3.exe

2010-08-19 18:33 . 2010-08-19 18:33 -------- d-----w- c:\documents and settings\Administrator.NAU-ALLAZLTG2Q7\Application Data\Simply Super Software

2010-08-19 18:33 . 2010-07-27 02:13 3683248 ----a-w- c:\documents and settings\Administrator.NAU-ALLAZLTG2Q7\Application Data\Simply Super Software\Trojan Remover\cab1.exe

2010-08-19 18:11 . 2010-08-20 13:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-19 18:09 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-19 18:09 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-19 18:09 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-19 18:09 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-19 18:09 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-19 18:09 . 2010-08-19 18:09 -------- d-----w- c:\program files\Trojan Remover

2010-08-19 18:09 . 2010-08-19 18:09 -------- d-----w- c:\documents and settings\NAU\Application Data\Simply Super Software

2010-08-19 18:09 . 2010-08-19 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2010-08-13 07:06 . 2010-08-13 07:06 -------- d-----w- c:\windows\system32\wbem\Repository

2010-08-13 07:05 . 2010-08-13 07:05 -------- d-----w- c:\windows\ShellNew

2010-08-13 07:05 . 2010-08-13 07:05 -------- d-----w- c:\program files\Microsoft ActiveSync

2010-08-13 07:02 . 2010-08-13 07:02 -------- d-----w- c:\program files\Roxio

2010-08-13 06:05 . 2010-08-13 07:02 -------- d-----w- c:\program files\Roxio(2)

2010-08-13 05:46 . 2009-02-04 23:59 61440 ----a-w- c:\windows\system32\cdrtc.dll

2010-08-13 05:46 . 2009-02-04 23:59 45056 ----a-w- c:\windows\system32\cdral.dll

2010-08-13 04:56 . 2010-08-13 04:58 -------- d-----w- c:\windows\SHELLNEW(2)

2010-08-09 20:54 . 2010-08-09 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\FirmTools

2010-08-09 20:54 . 2010-08-09 20:54 -------- d-----w- c:\program files\FirmTools

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-07 17:50 . 2008-09-02 01:23 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-09-07 17:50 . 2008-09-02 01:23 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-09-07 16:27 . 2010-05-31 07:45 1744 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-07 08:45 . 2010-07-19 17:24 18 ----a-w- c:\program files\Common Files\winafx.log

2010-08-31 13:58 . 2010-06-12 19:42 -------- d-----w- c:\documents and settings\NAU\Application Data\vlc

2010-08-30 16:30 . 2009-10-05 01:03 -------- d-----w- c:\program files\Opera

2010-08-29 19:46 . 2009-10-02 18:05 -------- d-----w- c:\documents and settings\NAU\Application Data\dvdcss

2010-08-18 13:49 . 2010-07-19 17:24 -------- d-----w- c:\program files\Common Files\WmiPlug

2010-08-13 07:02 . 2009-02-04 23:21 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-08-08 16:20 . 2008-11-03 06:57 -------- d-----w- c:\program files\Vuze

2010-08-08 16:19 . 2008-10-22 00:08 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-08-08 16:18 . 2009-02-10 20:44 -------- d-----w- c:\program files\Readiris Pro 11

2010-08-08 16:18 . 2009-02-04 01:14 -------- d-----w- c:\program files\QuickTime

2010-08-08 16:18 . 2008-12-31 03:50 -------- d-----w- c:\program files\Photocopier

2010-08-08 16:17 . 2010-08-05 15:27 -------- d-----w- c:\program files\Microsoft

2010-08-08 16:17 . 2008-10-08 23:02 -------- d-----w- c:\program files\Magic Folders

2010-08-08 16:16 . 2009-12-03 20:44 -------- d-----w- c:\program files\ImgBurn

2010-08-08 16:16 . 2009-05-12 15:54 -------- d-----w- c:\program files\ffdshow

2010-08-08 16:15 . 2008-12-02 03:26 -------- d-----w- c:\program files\DVD Shrink

2010-08-08 16:15 . 2008-12-02 03:24 -------- d-----w- c:\program files\DVD Decrypter

2010-08-08 16:13 . 2010-06-15 13:44 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared

2010-08-08 16:13 . 2008-11-04 20:03 -------- d-----w- c:\program files\Ancient Sudoku

2010-08-08 15:50 . 2009-12-14 04:55 -------- d-----w- c:\documents and settings\NAU\Application Data\Isiva

2010-08-08 15:46 . 2009-09-03 22:55 -------- d-----w- c:\documents and settings\Guest\Application Data\Aqofez

2010-08-07 23:35 . 2009-04-10 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-07 14:33 . 2010-08-05 15:27 -------- d-----w- c:\program files\riva

2010-08-07 03:09 . 2009-11-25 09:07 -------- d-----w- c:\documents and settings\Guest\Application Data\Ocufa

2010-08-06 02:25 . 2008-03-23 14:15 -------- d-----w- c:\program files\CCleaner

2010-08-05 23:56 . 2008-10-21 15:57 -------- d-----w- c:\documents and settings\NAU\Application Data\Covaq

2010-08-05 15:28 . 2009-06-20 15:04 -------- d-----w- c:\documents and settings\NAU\Application Data\Emog

2010-08-03 15:10 . 2009-02-04 23:40 -------- d-----w- c:\documents and settings\NAU\Application Data\Roxio

2010-08-03 00:12 . 2008-11-03 06:58 -------- d-----w- c:\documents and settings\NAU\Application Data\Azureus

2010-08-01 17:23 . 2010-06-07 03:47 1744 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\d3d9caps.tmp

2010-07-30 03:22 . 2010-07-30 03:22 -------- d-----w- c:\documents and settings\Guest\Application Data\CyberLink

2010-07-20 22:17 . 2008-12-02 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-07-19 17:15 . 2008-09-02 01:59 -------- d-----w- c:\documents and settings\NAU\Application Data\Skype

2010-07-19 15:02 . 2008-09-02 02:00 -------- d-----w- c:\documents and settings\NAU\Application Data\skypePM

2010-07-13 19:42 . 2010-07-13 19:42 20 ----a-w- c:\documents and settings\NetworkService\Application Data\hvyacl.dat

2010-07-13 17:59 . 2010-07-13 17:59 20 ----a-w- c:\documents and settings\NAU\Application Data\hvyacl.dat

2010-07-11 20:38 . 2009-11-03 04:29 -------- d-----w- c:\documents and settings\NAU\Application Data\Vso

2010-06-15 13:44 . 2010-06-15 13:44 14336 ----a-r- c:\documents and settings\NAU\Application Data\Microsoft\Installer\{9F185C48-595B-401A-A1D6-AAB324890DC4}\IconCBE855212.exe

2010-06-10 14:23 . 2007-01-31 15:34 1632 ----a-w- c:\windows\system32\d3d8caps.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-06-15 17:10 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^NAU^Start Menu^Programs^Startup^monipu32.exe]

path=c:\documents and settings\NAU\Start Menu\Programs\Startup\monipu32.exe

backup=c:\windows\pss\monipu32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"avast! Web Scanner"=3 (0x3)

"avast! Mail Scanner"=3 (0x3)

"avast! Antivirus"=2 (0x2)

"aswUpdSv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"36000:TCP"= 36000:TCP:Azureus TCP

"36000:UDP"= 36000:UDP:Azureus UDP

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/25/2010 2:00 PM 28552]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/8/2009 12:16 PM 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/8/2009 12:16 PM 20560]

R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [3/22/2008 10:09 PM 386688]

S2 MSWA-c935c299;MSWA-c935c299;c:\windows\system32\c935c299.exe --> c:\windows\system32\c935c299.exe [?]

S2 MSWA-f36decbb;MSWA-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]

S2 zokxqs;zokxqs;\??\c:\windows\system32\drivers\xqqulnp.sys --> c:\windows\system32\drivers\xqqulnp.sys [?]

S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [10/20/2008 10:33 AM 32840]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 12872]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/1/2008 8:35 PM 717296]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\NAU\Application Data\Mozilla\Firefox\Profiles\gjvszn7m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - mamma

FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home

FF - plugin: c:\documents and settings\NAU\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

SSODL-Btmchk-{DAAC11DD-3AD7-4BE4-B2B8-8A2C0FF2C1D1} - c:\documents and settings\NAU\Local Settings\temp\Adobe\AdobeRdrPlug.dll

MSConfigStartUp-icwresICWDL - c:\program files\internet explorer\connection wizard\icwdloperating.exe

MSConfigStartUp-pssarfPanda1513 - c:\program files\panda security\activescan 2.0\vplatprcpskavs.exe

MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe

MSConfigStartUp-~TM5E - c:\windows\temp\~tm5e.tmp

MSConfigStartUp-~TMC - c:\windows\TEMP\~TMC.tmp

AddRemove-Belarc Advisor - c:\progra~1\Belarc\Advisor\Uninstall.exe

AddRemove-WinRAR archiver - c:\program files\WinRAR\uninstall.exe

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-113007714-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(452)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(6060)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\system32\devldr32.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-09-07 10:56:33 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-07 17:56

ComboFix2.txt 2009-06-14 22:15

Pre-Run: 2,607,497,216 bytes free

Post-Run: 2,956,201,984 bytes free

- - End Of File - - 9718C18E5189B5D9EC8C096267A582FF

And now the DDS log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by NAU at 11:02:51.17 on Tue 09/07/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.290 [GMT -7:00]

AV: avast! antivirus 4.8.1368 [VPS 100808-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\NAU\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

mURLSearchHooks: H - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} -

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nau\applic~1\mozilla\firefox\profiles\gjvszn7m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - mamma

FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-5-25 28552]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-8 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-8 20560]

R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-3-22 386688]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-8 138680]

S2 MSWA-c935c299;MSWA-c935c299;c:\windows\system32\c935c299.exe --> c:\windows\system32\c935c299.exe [?]

S2 MSWA-f36decbb;MSWA-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]

S2 zokxqs;zokxqs;\??\c:\windows\system32\drivers\xqqulnp.sys --> c:\windows\system32\drivers\xqqulnp.sys [?]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-8 254040]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-8 352920]

S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 12872]

=============== Created Last 30 ================

2010-09-07 17:29:10 98816 ----a-w- c:\windows\sed.exe

2010-09-07 17:29:10 77312 ----a-w- c:\windows\MBR.exe

2010-09-07 17:29:10 256512 ----a-w- c:\windows\PEV.exe

2010-09-07 17:29:10 161792 ----a-w- c:\windows\SWREG.exe

2010-08-30 20:45:15 20 ----a-w- c:\documents and settings\nau\defogger_reenable

2010-08-27 02:04:24 397 ----a-w- c:\documents and settings\nau\exe.js

2010-08-19 18:09:48 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-19 18:09:48 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-19 18:09:48 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-19 18:09:48 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-19 18:09:47 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-19 18:09:45 0 d-----w- c:\program files\Trojan Remover

2010-08-19 18:09:45 0 d-----w- c:\docume~1\nau\applic~1\Simply Super Software

2010-08-19 18:09:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

2010-08-13 07:06:01 0 d-----w- c:\windows\system32\wbem\Repository

2010-08-13 07:05:23 0 d-----w- c:\windows\ShellNew

2010-08-13 07:05:19 0 d-----w- c:\program files\Microsoft ActiveSync

2010-08-13 07:02:59 0 d-----w- c:\program files\Roxio

2010-08-13 06:05:00 0 d-----w- c:\program files\Roxio(2)

2010-08-13 05:46:20 61440 ----a-w- c:\windows\system32\cdrtc.dll

2010-08-13 05:46:20 45056 ----a-w- c:\windows\system32\cdral.dll

2010-08-13 04:56:41 0 d-----w- c:\windows\SHELLNEW(2)

2010-08-09 20:54:09 0 d-----w- c:\docume~1\alluse~1\applic~1\FirmTools

2010-08-09 20:54:04 0 d-----w- c:\program files\FirmTools

==================== Find3M ====================

2010-09-07 17:50:34 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-09-07 17:50:32 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-09-07 16:27:35 1744 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-07 08:45:13 18 ----a-w- c:\program files\common files\winafx.log

2010-07-13 17:59:44 20 ----a-w- c:\docume~1\nau\applic~1\hvyacl.dat

2010-06-10 14:23:30 1632 ----a-w- c:\windows\system32\d3d8caps.dat

============= FINISH: 11:03:11.00 ===============

:blink:


Just thought I would follow up on my inability to connect to the internet. I did go into Device Manager and found the following:

Network adapters

3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)

! 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - WinpkFilter Miniport

802.11g Wireless PCI Card

! 802.11g Wireless PCI Card - WinpkFilter Miniport

! NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) - WinpkFilter Miniport

! WAN Miniport (IP) - WinpkFilter Miniport

All devices above with an ! are showing the following device status when I click on them:

Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)

Click Troubleshoot to start the troubleshooter for this device.

I cannot say for sure, but in the past (long, long ago!) I do not remember seeing the adapters listed with WinpkFilter Miniport. The devices without the ! all show enabled and working fine. Is this just a byproduct of Defogger and I need to just wait until we are done and settings restored? Don't mean to sidetrack ... just wanted to provide more info besides my curiosity.


Ok,

Tried the winsock reset command, rebooted .... no change, still unable to connect to the internet. Will proceed in whichever direction you wish. Since I can still access the internet via my other computer, I am fine with getting the malware issue resolved and then addressing the connectivity .... thinking I may need to uninstall the drivers in Device Manager for those affected network devices (but malware first, connectivity second unless you think otherwise ... I defer and await .... can't thank you enough ... can see how busy we keep all of you!)


  • Staff

Yes, let's definitely continue with removing all of the malware before addressing other issues.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=61595
Collect::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad
c:\documents and settings\NetworkService\Application Data\hvyacl.dat
c:\documents and settings\NAU\Application Data\hvyacl.dat
Suspect::
c:\documents and settings\NAU\Start Menu\Programs\Startup\monipu32.exe
Driver::
zokxqs
MSWA-f36decbb
MSWA-c935c299
DDS::
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} -
KILLALL::
Dirlook::
c:\program files\riva
c:\documents and settings\Guest\Application Data\Ocufa
c:\documents and settings\NAU\Application Data\Covaq
c:\documents and settings\NAU\Application Data\Emog

Save this as CFScript.txt

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Next, please go to VirusTotal, and upload the following file for analysis:

c:\documents and settings\NAU\Start Menu\Programs\Startup\monipu32.exe

Post the results in your reply.

Also post a fresh DDS log.


Ok, I understand the instructions. I will have to transfer a copy of monipu32.exe by USB drive to the other computer to upload it to VirusTotal (along with the ComboFix and DDS log files for posting). I am not sure about the ComboFix message box ... the note says I have to be connected to the internet before clicking OK so ComboFix can capture files to submit for analysis. Since I cannot connect to the internet on the affected computer, I am not sure what you want me to do for this particular step.


Ok, deleted ComboFix, redownloaded it and ran it, along with a new DDS. Here are the logs. I could not find monipu32.exe in the Startup folder, and a Windows Explorer search could not find it either. I did have "show hidden and system files" checked. The Startup folder properties do show 1 file of 84 bytes, but I cannot see it.

ComboFix 10-09-09.04 - NAU 09/11/2010 6:11.6.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.335 [GMT -7:00]

Running from: c:\documents and settings\NAU\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\NAU\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1368 [VPS 100808-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\NAU\Application Data\hvyacl.dat

c:\documents and settings\NetworkService\Application Data\hvyacl.dat

c:\program files\Common Files\winafx.log

c:\windows\system32\drivers\logiflt.iad

c:\windows\system32\drivers\lvuvc.hs

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MSWA-C935C299

-------\Legacy_MSWA-F36DECBB

-------\Legacy_ZOKXQS

-------\Service_MSWA-c935c299

-------\Service_MSWA-f36decbb

-------\Service_zokxqs

((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))

.

2010-08-20 13:25 . 2010-07-27 02:13 3683248 ----a-w- c:\documents and settings\NAU\Application Data\Simply Super Software\Trojan Remover\jbk3.exe

2010-08-19 18:33 . 2010-08-19 18:33 -------- d-----w- c:\documents and settings\Administrator.NAU-ALLAZLTG2Q7\Application Data\Simply Super Software

2010-08-19 18:33 . 2010-07-27 02:13 3683248 ----a-w- c:\documents and settings\Administrator.NAU-ALLAZLTG2Q7\Application Data\Simply Super Software\Trojan Remover\cab1.exe

2010-08-19 18:11 . 2010-08-20 13:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-19 18:09 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-19 18:09 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-19 18:09 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-19 18:09 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-19 18:09 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-19 18:09 . 2010-08-19 18:09 -------- d-----w- c:\program files\Trojan Remover

2010-08-19 18:09 . 2010-08-19 18:09 -------- d-----w- c:\documents and settings\NAU\Application Data\Simply Super Software

2010-08-19 18:09 . 2010-08-19 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2010-08-13 07:06 . 2010-08-13 07:06 -------- d-----w- c:\windows\system32\wbem\Repository

2010-08-13 07:05 . 2010-08-13 07:05 -------- d-----w- c:\windows\ShellNew

2010-08-13 07:05 . 2010-08-13 07:05 -------- d-----w- c:\program files\Microsoft ActiveSync

2010-08-13 07:02 . 2010-08-13 07:02 -------- d-----w- c:\program files\Roxio

2010-08-13 06:05 . 2010-08-13 07:02 -------- d-----w- c:\program files\Roxio(2)

2010-08-13 05:46 . 2009-02-04 23:59 61440 ----a-w- c:\windows\system32\cdrtc.dll

2010-08-13 05:46 . 2009-02-04 23:59 45056 ----a-w- c:\windows\system32\cdral.dll

2010-08-13 04:56 . 2010-08-13 04:58 -------- d-----w- c:\windows\SHELLNEW(2)

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-11 13:21 . 2010-09-11 13:21 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-09-07 16:27 . 2010-05-31 07:45 1744 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-31 13:58 . 2010-06-12 19:42 -------- d-----w- c:\documents and settings\NAU\Application Data\vlc

2010-08-30 16:30 . 2009-10-05 01:03 -------- d-----w- c:\program files\Opera

2010-08-29 19:46 . 2009-10-02 18:05 -------- d-----w- c:\documents and settings\NAU\Application Data\dvdcss

2010-08-18 13:49 . 2010-07-19 17:24 -------- d-----w- c:\program files\Common Files\WmiPlug

2010-08-13 07:02 . 2009-02-04 23:21 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-08-09 20:54 . 2010-08-09 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\FirmTools

2010-08-09 20:54 . 2010-08-09 20:54 -------- d-----w- c:\program files\FirmTools

2010-08-08 16:20 . 2008-11-03 06:57 -------- d-----w- c:\program files\Vuze

2010-08-08 16:19 . 2008-10-22 00:08 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-08-08 16:18 . 2009-02-10 20:44 -------- d-----w- c:\program files\Readiris Pro 11

2010-08-08 16:18 . 2009-02-04 01:14 -------- d-----w- c:\program files\QuickTime

2010-08-08 16:18 . 2008-12-31 03:50 -------- d-----w- c:\program files\Photocopier

2010-08-08 16:17 . 2010-08-05 15:27 -------- d-----w- c:\program files\Microsoft

2010-08-08 16:17 . 2008-10-08 23:02 -------- d-----w- c:\program files\Magic Folders

2010-08-08 16:16 . 2009-12-03 20:44 -------- d-----w- c:\program files\ImgBurn

2010-08-08 16:16 . 2009-05-12 15:54 -------- d-----w- c:\program files\ffdshow

2010-08-08 16:15 . 2008-12-02 03:26 -------- d-----w- c:\program files\DVD Shrink

2010-08-08 16:15 . 2008-12-02 03:24 -------- d-----w- c:\program files\DVD Decrypter

2010-08-08 16:13 . 2010-06-15 13:44 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared

2010-08-08 16:13 . 2008-11-04 20:03 -------- d-----w- c:\program files\Ancient Sudoku

2010-08-08 15:50 . 2009-12-14 04:55 -------- d-----w- c:\documents and settings\NAU\Application Data\Isiva

2010-08-08 15:46 . 2009-09-03 22:55 -------- d-----w- c:\documents and settings\Guest\Application Data\Aqofez

2010-08-07 23:35 . 2009-04-10 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-07 14:33 . 2010-08-05 15:27 -------- d-----w- c:\program files\riva

2010-08-07 03:09 . 2009-11-25 09:07 -------- d-----w- c:\documents and settings\Guest\Application Data\Ocufa

2010-08-06 02:25 . 2008-03-23 14:15 -------- d-----w- c:\program files\CCleaner

2010-08-05 23:56 . 2008-10-21 15:57 -------- d-----w- c:\documents and settings\NAU\Application Data\Covaq

2010-08-05 15:28 . 2009-06-20 15:04 -------- d-----w- c:\documents and settings\NAU\Application Data\Emog

2010-08-03 15:10 . 2009-02-04 23:40 -------- d-----w- c:\documents and settings\NAU\Application Data\Roxio

2010-08-03 00:12 . 2008-11-03 06:58 -------- d-----w- c:\documents and settings\NAU\Application Data\Azureus

2010-08-01 17:23 . 2010-06-07 03:47 1744 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\d3d9caps.tmp

2010-07-30 03:22 . 2010-07-30 03:22 -------- d-----w- c:\documents and settings\Guest\Application Data\CyberLink

2010-07-20 22:17 . 2008-12-02 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-07-19 17:15 . 2008-09-02 01:59 -------- d-----w- c:\documents and settings\NAU\Application Data\Skype

2010-07-19 15:02 . 2008-09-02 02:00 -------- d-----w- c:\documents and settings\NAU\Application Data\skypePM

2010-06-15 13:44 . 2010-06-15 13:44 14336 ----a-r- c:\documents and settings\NAU\Application Data\Microsoft\Installer\{9F185C48-595B-401A-A1D6-AAB324890DC4}\IconCBE855212.exe

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\Guest\Application Data\Ocufa ----

2009-11-25 09:07 . 2010-08-07 03:09 6650 ----a-w- c:\documents and settings\Guest\Application Data\Ocufa\yvhu.tmp

---- Directory of c:\documents and settings\NAU\Application Data\Covaq ----

---- Directory of c:\documents and settings\NAU\Application Data\Emog ----

2010-08-05 23:31 . 2010-08-05 23:56 1165 ----a-w- c:\documents and settings\NAU\Application Data\Emog\odqa.quw

2009-06-20 15:04 . 2010-08-05 15:28 14809 ----a-w- c:\documents and settings\NAU\Application Data\Emog\odqa.tmp

---- Directory of c:\program files\riva ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-06-15 17:10 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^NAU^Start Menu^Programs^Startup^monipu32.exe]

path=c:\documents and settings\NAU\Start Menu\Programs\Startup\monipu32.exe

backup=c:\windows\pss\monipu32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"avast! Web Scanner"=3 (0x3)

"avast! Mail Scanner"=3 (0x3)

"avast! Antivirus"=2 (0x2)

"aswUpdSv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"36000:TCP"= 36000:TCP:Azureus TCP

"36000:UDP"= 36000:UDP:Azureus UDP

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/25/2010 2:00 PM 28552]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/8/2009 12:16 PM 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/8/2009 12:16 PM 20560]

S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [10/20/2008 10:33 AM 32840]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 12872]

S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [3/22/2008 10:09 PM 386688]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/1/2008 8:35 PM 717296]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\NAU\Application Data\Mozilla\Firefox\Profiles\gjvszn7m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - mamma

FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-113007714-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(404)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4348)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\devldr32.exe

.

**************************************************************************

.

Completion time: 2010-09-11 06:31:16 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-11 13:31

ComboFix2.txt 2010-09-07 17:56

ComboFix3.txt 2009-06-14 22:15

Pre-Run: 4,402,925,568 bytes free

Post-Run: 4,389,658,624 bytes free

- - End Of File - - 4EC9308FDD62D68B85B99CB1E96C88EF

DDS (Ver_10-03-17.01) - NTFSx86

Run by NAU at 6:42:00.75 on Sat 09/11/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.291 [GMT -7:00]

AV: avast! antivirus 4.8.1368 [VPS 100808-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\NAU\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

mURLSearchHooks: H - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nau\applic~1\mozilla\firefox\profiles\gjvszn7m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - mamma

FF - prefs.js: browser.startup.homepage - hxxp://tucson.cox.net/cci/home

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-5-25 28552]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-8 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-8 20560]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-8 138680]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-8 254040]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-8 352920]

S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-10-20 32840]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 12872]

S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-3-22 386688]

=============== Created Last 30 ================

2010-09-11 13:21:56 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-09-07 17:29:10 98816 ----a-w- c:\windows\sed.exe

2010-09-07 17:29:10 77312 ----a-w- c:\windows\MBR.exe

2010-09-07 17:29:10 256512 ----a-w- c:\windows\PEV.exe

2010-09-07 17:29:10 161792 ----a-w- c:\windows\SWREG.exe

2010-08-30 20:45:15 20 ----a-w- c:\documents and settings\nau\defogger_reenable

2010-08-27 02:04:24 397 ----a-w- c:\documents and settings\nau\exe.js

2010-08-19 18:09:48 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-19 18:09:48 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-19 18:09:48 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-19 18:09:48 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-19 18:09:47 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-19 18:09:45 0 d-----w- c:\program files\Trojan Remover

2010-08-19 18:09:45 0 d-----w- c:\docume~1\nau\applic~1\Simply Super Software

2010-08-19 18:09:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

2010-08-13 07:06:01 0 d-----w- c:\windows\system32\wbem\Repository

2010-08-13 07:05:23 0 d-----w- c:\windows\ShellNew

2010-08-13 07:05:19 0 d-----w- c:\program files\Microsoft ActiveSync

2010-08-13 07:02:59 0 d-----w- c:\program files\Roxio

2010-08-13 06:05:00 0 d-----w- c:\program files\Roxio(2)

2010-08-13 05:46:20 61440 ----a-w- c:\windows\system32\cdrtc.dll

2010-08-13 05:46:20 45056 ----a-w- c:\windows\system32\cdral.dll

2010-08-13 04:56:41 0 d-----w- c:\windows\SHELLNEW(2)

==================== Find3M ====================

2010-09-07 16:27:35 1744 ----a-w- c:\windows\system32\d3d9caps.dat

============= FINISH: 6:42:20.48 ===============

Thanks. At your convenience!
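When a helper reads a DDS log like the one above, the first pass over the "Created Last 30" section is mechanical: pull out every file (not folder) created in the infection window and flag executables dropped into the Windows folders or straight into a user profile root. As an added example (not part of this thread and not a DDS, ComboFix or Malwarebytes tool), here is a small Python parser that does that first pass over a few lines copied from the log above; the watched directories, the extension list and the profile path are assumptions, and a hit is a lead to look up, not a verdict (c:\windows\sed.exe, for instance, is one of ComboFix's own helper files, which is why the other 2010-09-07 17:29 entries sit beside it).

```python
import re
from datetime import datetime

# Sample lines copied from the "Created Last 30" / "Find3M" sections of the
# DDS log posted above, so this runs offline (the log is the poster's; the
# parser is an added example, not DDS code).
SAMPLE_LOG = r"""
=============== Created Last 30 ================
2010-09-11 13:21:56 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-09-07 17:29:10 98816 ----a-w- c:\windows\sed.exe
2010-08-27 02:04:24 397 ----a-w- c:\documents and settings\nau\exe.js
2010-08-19 18:09:48 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-08-19 18:09:45 0 d-----w- c:\program files\Trojan Remover
==================== Find3M ====================
2010-09-07 16:27:35 1744 ----a-w- c:\windows\system32\d3d9caps.dat
============= FINISH: 6:42:20.48 ===============
"""

# One DDS entry: timestamp, size in bytes, 8-char attribute string, path.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$",
    re.IGNORECASE,
)

# Assumed triage lists: where an unexpected new executable matters most.
WATCHED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".js", ".vbs")


def parse_created_entries(log_text):
    """Return the entries listed under 'Created Last 30' as dicts."""
    entries = []
    in_section = False
    for line in log_text.splitlines():
        if "Created Last 30" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):  # next section header
            break
        m = ENTRY_RE.match(line.strip())
        if in_section and m:
            entries.append({
                "timestamp": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "size": int(m["size"]),
                # DDS prints 'd' in the first attribute column for folders
                "is_dir": m["attrs"].lower().startswith("d"),
                "path": m["path"].lower(),
            })
    return entries


def flag_entries(entries, user_profile="c:\\documents and settings\\nau\\"):
    """Return the paths worth looking up: new executables in the Windows
    folders, or dropped directly into the profile root (not a subfolder)."""
    flagged = []
    for e in entries:
        if e["is_dir"] or not e["path"].endswith(EXEC_EXTS):
            continue
        path = e["path"]
        in_system = path.startswith(WATCHED_DIRS)
        in_profile_root = (path.startswith(user_profile)
                           and "\\" not in path[len(user_profile):])
        if in_system or in_profile_root:
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    for path in flag_entries(parse_created_entries(SAMPLE_LOG)):
        print("look up:", path)
```

Run on the sample it lists exe.js in the profile root, sed.exe under c:\windows and ztvunace26.dll under system32, and skips the driver data file, the folder entry and everything outside the "Created Last 30" section; the next step for a helper is to check each hit against known tools (ComboFix, Trojan Remover) and the dates the poster gave for the symptoms.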


  • Staff

Hi,

My apologies for the delay.

Delete these folders please:

c:\documents and settings\Guest\Application Data\Ocufa

c:\documents and settings\NAU\Application Data\Covaq

c:\documents and settings\NAU\Application Data\Emog

Can you still not connect to the Internet? What happens when you try?

How are you trying to connect?


Please, no apologies! We are thankful people like you take the time to learn how to do this and share your skills with the rest of us!

I deleted the folders per your request.

Okay, the network connections (wireless and LAN) both show connected despite the problem I stated earlier about Network Connections in Device Manager (which still exists). Unfortunately, something is blocking the connections. Here is what I can share:

1) Opening IE returns "Internet Explorer cannot display the webpage"

Internet options > Connections > LAN settings are set to auto detect and proxy server is unchecked.

2) Tried Opera and could get Google home page but any attempt to search returns "Could not locate remote server"

3) I thought I would try to update Malwarebytes via the Update tab to see if it could connect -- It returned "An error has occurred. Please report this error code to our support team. MBAM_ERROR_UPDATING (12007,0,WinHttpSendRequest)"

Not sure what else to try. I will be away from the computer for a 1-2 days, so as always -- at your convenience!


  • Staff

Hi,

Are you using a router? If so, try plugging in your computer directly into the modem and see if you can connect.

If no joy, please reboot to Safe Mode With Networking (tap the F8 key just before Windows starts to load and select the Safe Mode With Networking option from the menu).

See if you can connect (while plugged directly into the modem) from there.


Yes, I have a router. I tried bypassing the router both in regular mode and safe mode straight to the modem with no change. My other computers have access via router without problem. I did also lose my network places icons on the infected computer at the same time I lost internet connection after running combofix, so I am assuming my network settings have been affected the same way. (I recall a message some time ago about Registry errors but I don't remember the context).

I assume the infection has been cleaned up and we are now looking to restore function?

So would restoring the settings stopped by Defogger, then possibly running a system repair, maybe help? (I do not have the XP install disks for this system but might be able to get another install disk ...) (also I have never done a system repair before so it would be all new to me)

I await your guidance


OK, follow-up: I went into a command prompt and typed ipconfig. It returned the heading Windows IP Configuration but went right back to the c: prompt. There was no information posted about the ethernet adapter Wireless Network Connection or Local Area Connection. It looks like no IP address is being assigned. I also tried ipconfig /release and ipconfig /renew with the same result as just ipconfig. Cannot see an IP address for this machine.


  • Staff

Hi,

Delete these folders please:

c:\documents and settings\NAU\Application Data\Isiva

c:\documents and settings\Guest\Application Data\Aqofez

The infection seems to be cleared.

Since you're running XP SP2, there's a good chance that updating to SP3 will restore whatever was changed back to default settings.

Since you can't access the Internet on this computer, please download SP3 from here on a different computer and copy it to some removable media (CD, flash drive, etc.); transfer it to this computer.

Ensure that all protection programs are disabled and install SP3.

When it completes, restart your computer and see if functionality has been restored. Let me know if there were any complications with installing SP3.

-screen317
