
rootkit.TDSS woes....



First time in forums, first time using Malwarebytes....

I noticed that my browser was redirecting and found that HijackThis would no longer run.

I did a hard disconnect from all networks (i.e. detached my ethernet cable) and on the advice of a friend went and got a copy of MBAM (and the update file) loaded onto an empty thumb drive and installed it on my computer.

It would not run either.

Figuring this to be a nasty bugger, I pulled the hard drive and took it to another (known "clean") machine, and installed and ran MBAM there, using a mass storage device to attach the affected drive via USB. (I.e. not as a boot device, and not attached at boot, rather after login was quiescent.)

I first did an MBAM run only on the boot partition (mounted as "D:") which yielded the following log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/1/2010 11:57:57 PM
mbam-log-2010-10-01 (23-57-57).txt

Scan type: Full scan (D:\|)
Objects scanned: 184650
Time elapsed: 40 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

...No Joy.

So I ran it again with all of the affected machine's partitions mounted, and got this:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4700

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/2/2010 6:22:14 AM
mbam-log-2010-10-02 (06-22-14).txt

Scan type: Full scan (D:\|E:\|F:\|I:\|J:\|)
Objects scanned: 304719
Time elapsed: 1 hour(s), 7 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\System Volume Information\_restore{9EC6323F-7A7A-407C-A873-2754C8C49611}\RP217\A0099428.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
F:\ZDoom\ZDL.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
I:\Tmp\Pepsi's Halo Hacks\nsli.exe (Malware.Packer.Gen) -> Not selected for removal.

In reverse order: I know about the nsli.exe one, and it's safely tucked away doing no harm, so I marked it "Ignore." The ZDL.exe one was new to me (although I haven't played it in years!), so I marked it to be quarantined. That leaves the bugger at hand: Rootkit.TDSS, which I marked to also be quarantined.

Feeling substantially relieved, but being the cautious sort, I ran MBAM again, resulting in:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4700

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/3/2010 7:07:07 PM
mbam-log-2010-10-03 (19-07-07).txt

Scan type: Full scan (D:\|E:\|F:\|I:\|J:\|)
Objects scanned: 304765
Time elapsed: 1 hour(s), 8 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

...That seemed a bit too easy to me....

So I replaced the HDD back in the machine to which it belonged - leaving it disconnected from the network, and anything else - and booted it up.

Things don't seem to have changed enough for me to connect to the network yet. To wit: MBAM still won't run, and I couldn't get my network devices to even connect to a "test router" that I set up just to see if its networking would work. (It does not. It fails to negotiate with the router....)

I did pull off a HijackThis log of it, though: (Note that some lines are edited only to occlude what I consider to be private data. Content is otherwise correct.)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:16:35 PM, on 10/4/2010
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\VDP\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Dimondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\XXXXXXXX\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c **EDITED**
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\\DownloadPDF.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229658882061
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = unknown **EDITED**
O17 - HKLM\Software\..\Telephony: DomainName = unknown **EDITED**
O17 - HKLM\System\CCS\Services\Tcpip\..\{C18FE4DF-CD1F-4F04-8A7C-68E91972559E}: NameServer = xx.xxx.162.89,xx.xxx.161.229 **EDITED**
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = unknown **EDITED**
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = xx.xxx.162.89,xx.xxx.161.229 **EDITED**
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = xx.xxx.162.89,xx.xxx.161.229 **EDITED**
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5203 bytes

Nothing jumped out at me there, so I did a run with GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-04 13:10:33
Windows 5.1.2600 Service Pack 3, v.3311
Running: GMER_8637fmx9.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kgtdapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9767380, 0x34C81F, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Maestro1.sys (KeyMaestro Sys for Windows NT, 2000, .../BTC)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Maestro1.sys (KeyMaestro Sys for Windows NT, 2000, .../BTC)

Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- EOF - GMER 1.0.15 ----

I await your wise advice!

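An added example, not code from the thread or from Malwarebytes: a small Python triage over HijackThis-style lines of the kind posted above. It pulls out the O4 autoruns, the O17 NameServer values and the O23 services and flags the ones a reviewer would want to look at first: an autorun launched from a temp-style folder, a DNS server outside the set the machine is supposed to use, and a service with no publisher recorded. The sample lines, the `Updater` entry and the `EXPECTED_DNS` set are constructed (the real NameServer values in the log above are redacted), so they are assumptions, not values from this machine.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis log layout (not the thread's own log).
# O4 = Run-key autoruns, O17 = TCP/IP Domain/NameServer values, O23 = services.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [Updater] "C:\\Documents and Settings\\user\\Local Settings\\Temp\\upd.exe" /q
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = example.test
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 192.0.2.10,192.0.2.11
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
"""

# Assumption: the resolvers this machine is supposed to use. The thread's real
# NameServer values are redacted, so RFC 5737 documentation addresses stand in.
EXPECTED_DNS = {"192.0.2.10", "192.0.2.11"}

# Directories a legitimate autorun rarely runs from; a noisy but useful first filter.
SUSPECT_DIRS = ("\\temp\\", "\\recycler\\")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): (?P<setting>\w+) = (?P<value>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_nameservers(value: str) -> set:
    """'a,b **EDITED**' -> {'a', 'b'}; HijackThis separates servers with commas."""
    cleaned = value.replace("**EDITED**", "")
    return {s.strip() for s in cleaned.split(",") if s.strip()}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per line a reviewer should look at, with the reason."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            if any(d in m["cmd"].lower() for d in SUSPECT_DIRS):
                findings.append({"kind": "O4", "item": m["name"],
                                 "reason": "autorun launched from a temp-style directory: " + m["cmd"]})
            continue
        m = O17_RE.match(line)
        if m:
            if m["setting"] == "NameServer":
                unexpected = parse_nameservers(m["value"]) - EXPECTED_DNS
                if unexpected:
                    findings.append({"kind": "O17", "item": m["key"],
                                     "reason": "DNS server outside the expected set: " + ", ".join(sorted(unexpected))})
            continue
        m = O23_RE.match(line)
        if m and m["owner"].lower() == "unknown owner":
            findings.append({"kind": "O23", "item": m["desc"],
                             "reason": "service binary with no publisher recorded: " + m["path"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['item']}: {f['reason']}")
```

The O17 check is the one that bears on the redirect symptom in the first post: when browser redirection is the complaint, the NameServer values under Tcpip\Parameters and under each interface GUID are the first thing to compare against what the ISP or local router actually hands out. The temp-folder and unknown-owner heuristics are noisy (plenty of legitimate software trips them, as the PnkBstrA line in the log above shows) and are meant to order a reviewer's attention, not to decide anything on their own.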

Hello Homer! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Please follow the instructions for DDS and Defogger. Post these log files in your next reply.

http://forums.malwarebytes.org/index.php?showtopic=9573



Okay, following the order on that page, I ran Defogger first. After selecting the "OK" button to do the reboot, NOTHING happened. Nada.

Just in case it might help/matter, I manually rebooted the machine myself. No diff; drives all still there....

Here's the resultant defogger_disable log (to which I've added "_01" so if we do multiple of these I can tell them apart....)

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:49 on 07/10/2010 (Homer)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

I have several emulated CD/DVD drives using VirtualDrive by Farstone Technologies. [ http://www.farstone.com/ ]

Since the result I got did not match any specific instruction, I did a dead-stop right there, and did not proceed with anything else until so instructed....


Okay, I redid the Defogger run (same results) and am posting that and the DDS logs from the DDS run thereafter:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 06:19 on 08/10/2010 (Homer)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-


DDS (Ver_10-10-05.01) - NTFSx86
Run by Homer at 6:19:58.90 on Fri 10/08/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1622 [GMT -7:00]

AV: AVG 7.5.560 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FarStone\VirtualDrive\VDP\vdtask.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\VPlay801.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Homer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
uDefault_Page_URL = res://shdoclc.dll/hardAdmin.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [NWEReboot]
mRun: [VirtualDrive] c:\program files\farstone\virtualdrive\vdp\vdtask.exe /AutoRestore
mRun: [Dimondback] c:\program files\razer\diamondback\razerhid.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\\DownloadPDF.exe
Trusted Zone: aol.com\free
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286479626359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Hosts: 10.22.2.1 gateway modem
Hosts: 10.22.2.2 UNUSED2
Hosts: 10.22.2.3 router01 dhcpsvr natsrvr router firewall
Hosts: 10.22.2.4 UNUSED4
Hosts: 10.22.2.5 server00 adsvr dnssvr netlogon

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\homer\applic~1\mozilla\firefox\profiles\j1c5da2f.firebug\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/
FF - plugin: c:\documents and settings\homer\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\homer\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\homer\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\homer\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\documents and settings\homer\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\documents and settings\homer\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-1-9 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-1-9 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-1-9 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-1-9 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-3-10 418816]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2008-3-10 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-1-9 4960]
R3 fvdscsi;fvdscsi;c:\windows\system32\drivers\fvdscsi.sys [2007-4-9 64868]
S3 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-3-10 49664]
S3 lac97inf;lac97inf;\??\c:\docume~1\homer\locals~1\temp\lac97inf.sys --> c:\docume~1\homer\locals~1\temp\lac97inf.sys [?]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2010-5-3 13225]

=============== Created Last 30 ================

2010-10-08 01:49:26 0 ----a-w- c:\documents and settings\homer\defogger_reenable
2010-10-07 22:46:33 701440 ----a-w- c:\windows\system32\cohelper.dll
2010-10-07 21:09:49 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-10-07 21:07:48 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-10-07 21:07:48 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-10-07 21:07:48 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-10-07 21:07:44 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-10-07 21:07:02 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-10-07 19:32:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-10-07 19:27:33 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-10-07 19:19:15 485920 ----a-w- c:\windows\system32\nvunrm.exe
2010-10-07 06:03:58 8192 -c--a-w- c:\windows\system32\dllcache\httpmb51.dll
2010-10-07 05:47:21 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-10-07 05:47:21 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-10-07 05:47:21 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-10-07 05:47:21 13312 ----a-w- c:\windows\system32\irclass.dll
2010-10-06 05:00:58 -------- d-----w- c:\docume~1\homer\applic~1\Malwarebytes
2010-10-06 03:26:51 353280 ----a-r- c:\windows\system32\idecoiins.dll
2010-10-06 03:26:51 353280 ----a-r- c:\windows\system32\idecoi.dll
2010-10-06 03:26:51 164896 ----a-w- c:\windows\system32\drivers\nvgts.sys
2010-10-05 19:27:04 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-10-05 18:28:40 194048 ----a-r- c:\windows\system32\SETB7.tmp
2010-10-05 18:28:38 194048 ----a-r- c:\windows\system32\SETB4.tmp
2010-10-05 18:28:18 194048 ----a-r- c:\windows\system32\SETB1.tmp
2010-10-05 10:48:28 -------- d-----w- c:\windows\system32\scripting
2010-10-01 21:48:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-01 21:48:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-01 21:48:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-01 21:48:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-20 20:31:55 47878 ----a-w- c:\documents and settings\homer\.recently-used.xbel
2010-09-09 22:23:34 756736 ------w- c:\windows\system32\ir41_32.dll
2010-09-08 17:03:25 -------- d-----w- c:\documents and settings\homer\bluej

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2003-11-12 15:31:16 258048 ----a-w- c:\windows\inf\i386\M5623_24.dll
2003-11-12 15:31:16 155648 ----a-w- c:\windows\inf\i386\rtscan.dll
2003-10-02 15:18:06 36864 ----a-w- c:\windows\inf\i386\Vizmicro.dll
2003-10-02 15:17:36 172032 ----a-w- c:\windows\inf\i386\viceo.dll
2001-08-04 02:29:18 13824 ----a-w- c:\windows\inf\i386\Usbscan.sys
1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 6:21:14.39 ===============

Attach_02.zip

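An added example, again not the thread's own code nor a Malwarebytes or DDS tool: a Python parser for the `SERVICES / DRIVERS` section and the `AV:` status line of a DDS log like the one above. DDS writes each service as `<state> <name>;<display>;<path> [<date> <size>]`, with `[?]` when it could not stat the image, which is the shape of the `S3 lac97inf` line above (an image under a user temp folder, no file metadata). The block reads that layout from a constructed excerpt and reports entries whose image lives under a temp directory or whose metadata is `[?]`, plus an AV product DDS marks as Outdated. The excerpt and the `exdrv` name are constructed; nothing here says what such an entry is, only that it is worth a look.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in DDS log layout (the thread's own log is not reproduced).
SAMPLE_DDS = """\
AV: AVG 7.5.560 *On-access scanning enabled* (Outdated)

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\\windows\\system32\\drivers\\avg7core.sys [2007-1-9 821856]
R3 fvdscsi;fvdscsi;c:\\windows\\system32\\drivers\\fvdscsi.sys [2007-4-9 64868]
S3 exdrv;exdrv;\\??\\c:\\docume~1\\user\\locals~1\\temp\\exdrv.sys --> c:\\docume~1\\user\\locals~1\\temp\\exdrv.sys [?]
S3 Razerlow;Razerlow USB Filter Driver;c:\\windows\\system32\\drivers\\Razerlow.sys [2010-5-3 13225]

=============== Created Last 30 ================

2010-10-08 01:49:26 0 ----a-w- c:\\documents and settings\\user\\defogger_reenable
"""

SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
# <state> <name>;<display>;<path> [<date> <size>]; DDS writes [?] when it cannot stat the image.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)
AV_RE = re.compile(r"^AV: (?P<product>.+?) \*(?P<mode>[^*]+)\*(?: \((?P<status>[^)]+)\))?")


@dataclass
class ServiceEntry:
    state: str     # R = running / S = stopped; the digit is the Windows start type
    name: str
    display: str
    path: str
    meta: str      # "<date> <size>" when DDS could read the file, "?" otherwise

    def reasons(self) -> List[str]:
        """Heuristic reasons a reviewer should look at this entry (empty = nothing notable)."""
        out = []
        if self.meta.strip() == "?":
            out.append("DDS could not read the image file (missing or unreadable)")
        if "\\temp\\" in self.path.lower():
            out.append("image path is under a user temp directory")
        return out


def parse_av(text: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the first AV: line as product / mode / status, or None if absent."""
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if m:
            return {"product": m["product"], "mode": m["mode"], "status": m["status"]}
    return None


def parse_services(text: str) -> List[ServiceEntry]:
    """Collect the entries between the SERVICES / DRIVERS header and the next section header."""
    entries: List[ServiceEntry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            in_section = sec["title"].upper() == "SERVICES / DRIVERS"
            continue
        if in_section:
            m = SERVICE_RE.match(line)
            if m:
                entries.append(ServiceEntry(m["state"], m["name"], m["display"], m["path"], m["meta"]))
    return entries


def triage_dds(text: str) -> Dict[str, object]:
    """Flagged services (name -> reasons) and a note if the AV product is reported outdated."""
    flagged = {e.name: e.reasons() for e in parse_services(text) if e.reasons()}
    av = parse_av(text)
    av_note = None
    if av and av["status"] and "outdated" in av["status"].lower():
        av_note = f"{av['product']} is reported as {av['status']}; its definitions are not current"
    return {"services": flagged, "av_note": av_note}


if __name__ == "__main__":
    result = triage_dds(SAMPLE_DDS)
    for name, why in result["services"].items():
        print(f"{name}: " + "; ".join(why))
    if result["av_note"]:
        print(result["av_note"])
```

On a real log the "Created Last 30" and "Find3M" sections reward the same treatment (a dated list of new files under system32 is easy to diff against the dates the user actually installed something), but the services section is where a driver that loads before any scanner shows up, which is why a helper asks for DDS before prescribing a fix.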

Step 1

Please, uninstall the following applications:

  1. Adobe Reader 9.1

You can read how to do this here:

Step 2

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3

I suggest you uninstall CCleaner. About CCleaner and other registry cleaners:

http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html

Step 4

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. JavaRa log
  2. Malwarebytes' Anti-Malware log
  3. a new fresh DDS log only


Step 1: DONE

Step 2: DONE, with additional detail as follows:

[...]

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java *** Did Not Exist (DNE)

C:\Windows\Sun

C:\Documents and Settings\All Users\Application Data\Java *** DNE

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java *** DNE for any user account

C:\Documents and Settings\username\Application Data\Sun\Java *** Deleted from ALL existing accounts

***** ALSO NOTE: ALL OCCURRENCES were deleted completely, i.e., NOT sent to Recycle Bin

JavaRa log:

JavaRa 1.16 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Oct 08 16:59:46 2010

Found and removed: Software\JavaSoft\Java2D\1.5.0_02
Found and removed: Software\JavaSoft\Java2D\1.5.0_04
Found and removed: Software\JavaSoft\Java2D\1.5.0_10
Found and removed: SOFTWARE\Classes\JavaPlugin.150_10
Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D511000
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610001
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_01\
------------------------------------
Finished reporting.

Step 3: Uninstalled

Step 4: Nothing found!

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4782

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10/8/2010 5:23:48 PM
mbam-log-2010-10-08 (17-23-48).txt

Scan type: Quick scan
Objects scanned: 171251
Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

...and the requested additional DDS run log:


DDS (Ver_10-10-05.01) - NTFSx86
Run by Homer at 18:03:05.56 on Fri 10/08/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1578 [GMT -7:00]

AV: AVG 7.5.560 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FarStone\VirtualDrive\VDP\vdtask.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\VPlay801.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Homer\Desktop\MBAM Forum stuff\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
uDefault_Page_URL = res://shdoclc.dll/hardAdmin.htm
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [NWEReboot]
mRun: [VirtualDrive] c:\program files\farstone\virtualdrive\vdp\vdtask.exe /AutoRestore
mRun: [Dimondback] c:\program files\razer\diamondback\razerhid.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\\DownloadPDF.exe
Trusted Zone: aol.com\free
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286479626359
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Hosts: 10.22.22.1 gateway modem
Hosts: 10.22.22.2 UNUSED2
Hosts: 10.22.22.3 router01 dhcpsvr natsrvr router firewall
Hosts: 10.22.22.4 UNUSED4
Hosts: 10.22.22.5 server00 adsvr dnssvr netlogon

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\homer\applic~1\mozilla\firefox\profiles\j1c5da2f.firebug\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/
FF - plugin: c:\documents and settings\homer\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\homer\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\homer\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\homer\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\documents and settings\homer\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-1-9 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-1-9 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-1-9 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-1-9 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-3-10 418816]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2008-3-10 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-1-9 4960]
R3 fvdscsi;fvdscsi;c:\windows\system32\drivers\fvdscsi.sys [2007-4-9 64868]
S3 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-3-10 49664]
S3 lac97inf;lac97inf;\??\c:\docume~1\homer\locals~1\temp\lac97inf.sys --> c:\docume~1\homer\locals~1\temp\lac97inf.sys [?]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2010-5-3 13225]

=============== Created Last 30 ================

2010-10-08 01:49:26 0 ----a-w- c:\documents and settings\homer\defogger_reenable
2010-10-07 22:46:33 701440 ----a-w- c:\windows\system32\cohelper.dll
2010-10-07 21:09:49 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-10-07 21:07:48 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-10-07 21:07:48 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-10-07 21:07:48 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-10-07 21:07:44 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-10-07 21:07:02 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-10-07 19:32:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-10-07 19:27:33 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-10-07 19:19:15 485920 ----a-w- c:\windows\system32\nvunrm.exe
2010-10-07 06:03:58 8192 -c--a-w- c:\windows\system32\dllcache\httpmb51.dll
2010-10-07 05:47:21 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-10-07 05:47:21 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-10-07 05:47:21 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-10-07 05:47:21 13312 ----a-w- c:\windows\system32\irclass.dll
2010-10-06 05:00:58 -------- d-----w- c:\docume~1\homer\applic~1\Malwarebytes
2010-10-06 03:26:51 353280 ----a-r- c:\windows\system32\idecoiins.dll
2010-10-06 03:26:51 353280 ----a-r- c:\windows\system32\idecoi.dll
2010-10-06 03:26:51 164896 ----a-w- c:\windows\system32\drivers\nvgts.sys
2010-10-05 19:27:04 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-10-05 18:28:40 194048 ----a-r- c:\windows\system32\SETB7.tmp
2010-10-05 18:28:38 194048 ----a-r- c:\windows\system32\SETB4.tmp
2010-10-05 18:28:18 194048 ----a-r- c:\windows\system32\SETB1.tmp
2010-10-05 10:48:28 -------- d-----w- c:\windows\system32\scripting
2010-10-01 21:48:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-01 21:48:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-01 21:48:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-01 21:48:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-20 20:31:55 47878 ----a-w- c:\documents and settings\homer\.recently-used.xbel
2010-09-09 22:23:34 756736 ------w- c:\windows\system32\ir41_32.dll

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2003-11-12 15:31:16 258048 ----a-w- c:\windows\inf\i386\M5623_24.dll
2003-11-12 15:31:16 155648 ----a-w- c:\windows\inf\i386\rtscan.dll
2003-10-02 15:18:06 36864 ----a-w- c:\windows\inf\i386\Vizmicro.dll
2003-10-02 15:17:36 172032 ----a-w- c:\windows\inf\i386\viceo.dll
2001-08-04 02:29:18 13824 ----a-w- c:\windows\inf\i386\Usbscan.sys
1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 18:03:51.14 ===============

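An added example, not part of this thread and not code from the DDS or ComboFix authors: a small Python triage pass over the SERVICES / DRIVERS lines in the log above (plus one line in the same format from the ComboFix report further down). It reads each line as `<R|S><digit> name;display name;image path [date size]`; that R/S means running/stopped, that the digit is the start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled) and that the `\??\path --> path [?]` form means the file could not be found on disk are my assumptions about the DDS output, as are the temp and profile directory markers. It then flags what a helper looks at first: a driver whose file is missing, or whose image lives in a Temp or user-profile directory instead of system32\drivers. On the lines above it singles out lac97inf.sys, which is the sort of entry worth asking about before a machine is declared clean.

```python
import re
from dataclasses import dataclass, field

# Sample input: the "SERVICES / DRIVERS" lines copied from the DDS log above,
# plus the Razerlow line from the ComboFix report later in this thread.
DDS_SERVICE_LINES = [
    r"R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-1-9 821856]",
    r"R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-3-10 418816]",
    r"R3 fvdscsi;fvdscsi;c:\windows\system32\drivers\fvdscsi.sys [2007-4-9 64868]",
    r"S3 lac97inf;lac97inf;\??\c:\docume~1\homer\locals~1\temp\lac97inf.sys --> c:\docume~1\homer\locals~1\temp\lac97inf.sys [?]",
    r"S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2010-5-3 13225]",
    r"S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [5/3/2010 9:03 PM 13225]",
]

# Assumed DDS line shape: state letter, start-type digit, then three ';'-separated fields.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
# Trailing "[date size]" or "[?]" after the image path.
TRAILER_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$")

# Assumed start-type meaning of the digit (my reading of the DDS convention).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# Constructed markers covering both the 8.3 and the long path forms seen in DDS output.
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\users\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class ServiceEntry:
    state: str          # "R" running, "S" stopped (assumed)
    start_type: int     # see START_TYPES
    name: str
    display: str
    image_path: str     # lower-cased, resolved form
    file_missing: bool  # True when DDS printed "[?]" instead of date/size
    flags: list = field(default_factory=list)


def parse_line(line):
    """Parse one DDS/ComboFix service line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # DDS shows "\??\path --> path" when the registry ImagePath carries the NT prefix;
    # keep the resolved right-hand path.
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1]
    t = TRAILER_RE.match(rest)
    if t:
        path, info = t.group("path").strip(), t.group("info").strip()
    else:
        path, info = rest.strip(), ""
    return ServiceEntry(
        state=m.group("state"),
        start_type=int(m.group("start")),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        image_path=path.lower(),
        file_missing=(info == "?"),
    )


def triage(lines):
    """Return the entries that deserve a closer look, each with the reasons attached."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.file_missing:
            e.flags.append("file missing on disk")
        if any(mk in e.image_path for mk in TEMP_MARKERS):
            e.flags.append("image path in a temp directory")
        if any(mk in e.image_path for mk in PROFILE_MARKERS):
            e.flags.append("image path under a user profile")
        # Kernel drivers (.sys) normally live in system32\drivers on XP.
        if e.image_path.endswith(".sys") and "\\windows\\system32\\drivers\\" not in e.image_path:
            e.flags.append("kernel driver outside system32\\drivers")
        if e.flags:
            findings.append(e)
    return findings


if __name__ == "__main__":
    for f in triage(DDS_SERVICE_LINES):
        label = START_TYPES.get(f.start_type, "unknown")
        print(f"{f.name} ({f.state}, {label} start) {f.image_path}")
        for reason in f.flags:
            print(f"    - {reason}")
```

Running it prints only the lac97inf entry with four reasons; the AVG, FarStone and Razer drivers parse cleanly and raise nothing. The checks are deliberately location- and existence-based rather than name-based, since a driver name alone (here one that mimics an audio driver) says little.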

Good! :)

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

  • During the download, rename Combofix to Combo-Fix as follows (screenshots: CF_download_FF.gif, CF_download_rename.gif).
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Well, I ran into a bump here: Somehow along the way here my AVG 7.x (old, I know) free version had its license key removed, so all along it's been popping up warning me to "reactivate" it.

Well it lost or destroyed the key that was either generated or supplied with it.

Figuring that AVG was therefore disabled, and that I have none of the other scanners listed on the referenced site you gave, I ran Combo-Fix.exe as directed - and of course it stopped due to some still-installed AVG runtime stuff.

However... I cannot run the AVG Command Center without first reactivating it somehow. :o

Perhaps I should simply uninstall AVG instead? (It's old and cruft anyway....)

Meanwhile I see no way to abort the Combo-Fix run, so its prompt sits awaiting my "okay" that I've disabled the AVG stuff! :o

NOTE & FYI: The infected machine has been off the network virtually all of the time I've been doing this, and has been put into hibernation after each time I've gone back to it to execute your instructions. I.e. It is isolated and quiescent unless I'm doing what you're telling me to do. THIS TIME however, it has been left running - I did not want to hibernate it while Combo-Fix was "running...."

So: Uninstall AVG?


Please disable your AVG Real-Time protection before you go.

http://www.bleepingcomputer.com/forums/ind...st&p=649843

:o

I said earlier that I CANNOT DO THAT.

AVG's License Key got destroyed in the process of all this, and is asking to be REACTIVATED before I can get into its Control Center....

*Sigh*

Well here's the best that I can think of then, since you obviously do not want me to UNINSTALL what's left of AVG 7: I'm going to REINSTALL AVG 7 (I save EVERYTHING - EVERY FILE I EVER INSTALLED) then follow the steps on the page you reference to DEACTIVATE the stuff that's supposed to be deactivated.

'Seemed like UNinstalling it would've been easier and more straightforward tho....


ComboFix 10-10-09.06 - Homer 10/10/2010  14:21:35.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1593 [GMT -7:00]
Running from: c:\documents and settings\Homer\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\system32\11548841.dll
c:\windows\system32\Config.ini

.
((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-07 22:46 . 2009-07-01 18:54 701440 ----a-w- c:\windows\system32\cohelper.dll
2010-10-07 21:09 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-10-07 21:07 . 2010-04-28 02:25 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-10-07 21:07 . 2010-04-27 13:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-10-07 21:07 . 2010-04-27 13:05 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-10-07 21:07 . 2010-07-22 05:57 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-10-07 21:07 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-10-07 19:32 . 2010-10-07 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-10-07 19:32 . 2010-10-07 19:33 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-07 19:32 . 2010-10-08 01:56 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-10-07 19:32 . 2010-10-08 01:56 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-10-07 19:27 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-10-07 19:27 . 2009-08-07 02:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-10-07 19:19 . 2009-07-01 07:42 485920 ----a-w- c:\windows\system32\nvunrm.exe
2010-10-07 06:03 . 2008-04-14 12:41 8192 -c--a-w- c:\windows\system32\dllcache\httpmb51.dll
2010-10-07 05:47 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-10-07 05:47 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-10-07 05:47 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-10-07 05:47 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-10-07 05:47 . 2008-04-14 14:34 16535 ----a-r- c:\windows\SET5F.tmp
2010-10-07 05:47 . 2008-04-14 14:34 1088840 ----a-r- c:\windows\SET53.tmp
2010-10-07 05:47 . 2008-04-14 14:40 1296669 ----a-r- c:\windows\SET50.tmp
2010-10-06 05:00 . 2010-10-06 05:00 -------- d-----w- c:\documents and settings\Homer\Application Data\Malwarebytes
2010-10-06 03:26 . 2009-07-01 00:31 164896 ----a-w- c:\windows\system32\drivers\nvgts.sys
2010-10-06 03:26 . 2007-08-09 19:03 353280 ----a-r- c:\windows\system32\idecoiins.dll
2010-10-06 03:26 . 2007-08-09 19:03 353280 ----a-r- c:\windows\system32\idecoi.dll
2010-10-06 02:29 . 2008-04-14 14:34 16535 ----a-r- c:\windows\SET5E.tmp
2010-10-06 02:29 . 2008-04-14 14:34 1088840 ----a-r- c:\windows\SET52.tmp
2010-10-06 02:29 . 2008-04-14 14:40 1296669 ----a-r- c:\windows\SET4F.tmp
2010-10-05 20:25 . 2010-10-05 20:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-05 19:27 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-10-05 19:27 . 2004-08-04 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2010-10-05 18:28 . 2007-10-13 00:14 194048 ----a-r- c:\windows\system32\SETB7.tmp
2010-10-05 18:28 . 2007-10-13 00:14 194048 ----a-r- c:\windows\system32\SETB4.tmp
2010-10-05 18:28 . 2007-10-13 00:14 194048 ----a-r- c:\windows\system32\SETB1.tmp
2010-10-05 17:56 . 2008-04-14 14:34 16535 ----a-r- c:\windows\SET63.tmp
2010-10-05 17:56 . 2008-04-14 14:34 1088840 ----a-r- c:\windows\SET57.tmp
2010-10-05 17:56 . 2008-04-14 14:40 1296669 ----a-r- c:\windows\SET54.tmp
2010-10-05 10:48 . 2010-10-06 22:43 -------- d-----w- c:\windows\system32\scripting
2010-10-01 21:48 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-01 21:48 . 2010-10-01 21:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-01 21:48 . 2010-10-01 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-01 21:48 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualDrive"="c:\program files\FarStone\VirtualDrive\VDP\vdtask.exe" [2005-08-09 143360]
"Dimondback"="c:\program files\Razer\Diamondback\razerhid.exe" [2007-01-18 147456]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Homer^Start Menu^Programs^Startup^RivaTuner.lnk]
path=c:\documents and settings\Homer\Start Menu\Programs\Startup\RivaTuner.lnk
backup=c:\windows\pss\RivaTuner.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\boincmgr]
2010-07-01 20:27 4862720 ----a-w- d:\program files\BOINC\boincmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\boinctray]
2010-07-01 20:27 58112 ----a-w- d:\program files\BOINC\boinctray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtcMaestro]
2002-11-27 20:47 159744 ----a-w- c:\program files\KMaestro\Kmaestro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]
2006-11-27 17:25 255528 ----a-w- d:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
2002-11-22 20:48 348160 ----a-w- c:\windows\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-09-23 17:50 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 23:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 23:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 23:24 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-09-23 17:25 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 06:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
2009-02-25 17:55 2781184 ----a-w- c:\program files\RivaTuner v2.24\RivaTuner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-03-07 00:14 16858112 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 16:03 210472 ----a-w- c:\program files\Common Files\scansoft shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"RAMDrive"="c:\program files\FarStone\VDPBS\VHD\RDTask.exe"
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
"OneTouch Monitor"=c:\program files\Visioneer OneTouch\OneTouchMon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\BOINC\\boinc.exe"=
"\\\\Server00\\NetFiles\\User Homes\\Homer\\Program Files\\Palm\\Hotsync.exe"=
"c:\\Documents and Settings\\Homer\\Program Files\\Xfire Client\\Xfire.exe"=
"e:\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Documents and Settings\\Homer\\Program Files\\BlueZone\\BZFTP.EXE"=
"e:\\Microsoft Games\\Halo CE\\haloce.exe"=
"c:\\Documents and Settings\\Homer\\Program Files\\HLSW\\hlsw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"e:\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"e:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"e:\\Qtracker\\qtracker.exe"=
"\\\\Media01\\Homer\\Program Files\\Palm\\Hotsync.exe"=
"c:\\Documents and Settings\\Homer\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"T:1\\Program Files\\Palm\\HOTSYNC.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 fvdscsi;fvdscsi;c:\windows\system32\drivers\fvdscsi.sys [4/9/2007 11:59 AM 64868]
S3 lac97inf;lac97inf;\??\c:\docume~1\Homer\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\Homer\LOCALS~1\Temp\lac97inf.sys [?]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [5/3/2010 9:03 PM 13225]
.
Contents of the 'Scheduled Tasks' folder

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1783828635-2473591544-2100720560-1115Core.job
- c:\documents and settings\Homer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 07:18]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1783828635-2473591544-2100720560-1115UA.job
- c:\documents and settings\Homer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 07:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
Trusted Zone: aol.com\free
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Homer\Application Data\Mozilla\Firefox\Profiles\j1c5da2f.Firebug\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/
FF - plugin: c:\documents and settings\Homer\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Homer\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Homer\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Homer\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
Notify-AtiExtEvent - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Norton Ghost 9 - c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1783828635-2473591544-2100720560-1115\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:82,e8,de,77,fe,b1,48,d6,1c,9f,c9,c9,b8,a4,37,66,cc,ec,45,5a,5d,b2,21,
bc,7a,36,c3,52,2d,a9,fa,b5,1d,35,a0,94,5f,6b,62,63,2f,1f,82,27,7e,a5,b6,e3,\
"??"=hex:93,b3,dc,31,71,e3,29,f5,66,81,1a,06,cc,cf,f5,60

[HKEY_USERS\S-1-5-21-1783828635-2473591544-2100720560-1115\Software\SecuROM\License information*]
"datasecu"=hex:ac,16,fa,48,04,fc,e7,8c,6e,e4,82,1f,c7,35,07,07,c9,94,4a,02,d2,
37,45,ce,4a,1d,57,fc,c4,35,b4,74,9a,e8,99,5a,81,17,22,f9,d5,e3,a4,23,46,77,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
Completion time: 2010-10-10 14:25:03
ComboFix-quarantined-files.txt 2010-10-10 21:25

Pre-Run: 23,572,033,536 bytes free
Post-Run: 23,735,128,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5B64E549BEADE99121F06568148A3CBD

...and just in case you might want it next, here's the ComboFix-quarantined-files.txt file:

2010-10-10 21:24:41 . 2010-10-10 21:24:41            1,286 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-NVIDIA Display Control Panel.reg.dat
2010-10-10 21:24:36 . 2010-10-10 21:24:36 660 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Norton Ghost 9.reg.dat
2010-10-10 21:24:35 . 2010-10-10 21:24:35 704 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe Reader Speed Launcher.reg.dat
2010-10-10 21:24:34 . 2010-10-10 21:24:34 276 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-AtiExtEvent.reg.dat
2010-10-10 21:24:30 . 2010-10-10 21:24:30 96 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NWEReboot.reg.dat
2010-10-10 21:23:09 . 2010-10-10 21:23:09 7,907 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-10-10 21:06:10 . 2010-10-10 21:06:10 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-04-13 02:37:40 . 2008-02-12 22:59:22 82,432 ----atw- C:\Qoobox\Quarantine\C\WINDOWS\system32\11548841.dll.vir
2007-10-30 07:40:09 . 2007-10-30 07:40:10 339 ----a-w- C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2007-04-09 19:05:46 . 2010-08-05 18:51:58 89 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\config.ini.vir


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4782

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10/11/2010 12:57:21 PM
mbam-log-2010-10-11 (12-57-21).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|M:\|T:\|W:\|X:\|)
Objects scanned: 382485
Time elapsed: 44 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I'll keep an eye out in case anything pops up again, but everything looks good!

Thanks for all your help and your patience!

P.S. Consider me a new MBAM user!


Thank you! :(

Last steps:

Step 1

  1. Go to Start => Run... and copy & paste the next command in the field:
    ComboFix /uninstall
  2. Then hit the Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

P.S.: Make sure there's a space between ComboFix and /uninstall

Step 2

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3

Please manually delete Defogger, DDS and JavaRa.

Step 4

Please uninstall HijackThis 1.99.1.

Step 5

Please download and install the latest version of Adobe Reader from:

www.adobe.com

About Java:

www.java.com/en

About AVG:

http://free.avg.com/ww-en/homepage

Step 6

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Safe surfing! :)


Done!

There were a couple of other things I found lying around that I think should/can be cleaned up also:

- C:\cmdcons - a directory full of drivers and stuff

- C:\Config.msi - contains one file with a mixed letter+number name and has an "rbf" extension

Please confirm these can be removed.

Also & FYI: If you don't look carefully to the right of their download page and UNcheck the auto-checked box there, those bums at Adobe auto-install a copy of McAfee Security Scan Plus along with Adobe Reader.... :(

I have a bit more cleaning up to do, and then I'll do a full backup and my usual system cleanup after that.

Thank you again!


I advise you not to delete these things because they are important, and deleting them can harm the normal operation of the system.

Oky-doky!

I figured since they weren't there before they got left, but now that you mention it, it must be part of the newly-installed Recovery Console stuff (which I've avoided using/needing for years up until now....)

Thanks.
