Coalza

How do I remove fake MS Removal Tool?

My husband went online looking for an anti-virus program without realising I'd already downloaded Malwarebytes and downloaded a fake MS Removal Tool.

Now it's preventing me from opening a lot of programs, like MBAM for example.

I've been into the safe mode and run both a quick and a full scan, but it's not finding anything.

Does anyone know what I can do now to get rid of it?

Thanks!

Hi Coalza and Welcome to Malwarebytes!

We need to look at some information about what is going on in your computer:

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
    [screenshot: DDS.jpg]
  • Instead of attaching, please copy/paste both logs into your thread.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE. Then post your DDS (DDS.txt and Attach.txt).

This virus is preventing me from opening the DDS program.

Will I be able to open it in Safe Mode?

Let's do the following instead.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

Please copy and paste this post to a new text document or print it for reference later.

Please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select Safe Mode with Networking and press Enter.

[screenshot: safe-mode-with-networking.jpg]

Next

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    [screenshot: cfRC_screen_1.png]
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    [screenshot: cfRC_screen_2.png]
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Zack & Colleen at 10:39:27.42 on Sun 27/03/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.811 [GMT 11:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Zack & Colleen\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.crawler.com/homepage.aspx?tbid=60475
uSearch Page = hxxp://search.live.com
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60475
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60475
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60475
uURLSearchHooks: N/A: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
uURLSearchHooks: the blinkx toolbar: {f08555b0-9cc3-11d2-aa8e-000000000567} - c:\program files\blinkx remote toolbar\the_blinkx_shook.dll
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
BHO: The blinkx Toolbar: {0069b690-7a2b-41c5-98ca-9f535b4c8532} - c:\program files\blinkx remote toolbar\the_blinkx_bho.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: ALOT Toolbar Helper: {14ceeaff-96dd-4101-ae37-d5ecdc23c3f6} - c:\program files\alot\bin\alot.dll
BHO: PriceGongBHO Class: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\ctbr.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: GP Bar: {c3538050-face-11de-8a39-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [blinkx_toolbar] "c:\program files\blinkx remote toolbar\the_blinkx_toolbar.exe" -startservice
uRunOnce: [oMkDdBdOaMn06504] c:\documents and settings\all users\application data\omkddbdoamn06504\oMkDdBdOaMn06504.exe
mRun: [soundMan] SOUNDMAN.EXE
mRun: [autodetect] c:\windows\system32\supportappxl\AutoDect.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\zack&c~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: &Search - http://tbedits.iwon.com/one-toolbaredits/menusearch.jhtml?s=100000420&p=ZVxdm140YYAU&si=gua182401&a=13ABCC14-2691-4C62-9658-758ECBBD2079&n=2010100621
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\ctbr.dll
Notify: AtiExtEvent - Ati2evxx.dll
.

================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\zack&c~1\applic~1\mozilla\firefox\profiles\oa2j6eys.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11649&client_id=9846788c29f85ca76478c4a4&camp_id=1500&install_time=2010-10-31T12:50:23Z&tb_version=2.4.4000%28F%29&pr=auto&q=
FF - component: c:\documents and settings\zack & colleen\application data\mozilla\firefox\profiles\oa2j6eys.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\zack & colleen\application data\mozilla\firefox\profiles\oa2j6eys.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\zack & colleen\application data\mozilla\firefox\profiles\oa2j6eys.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
FF - component: c:\program files\crawler\firefox\components\xcomm.dll
FF - component: c:\program files\crawler\firefox\components\xshared.dll
FF - component: c:\program files\crawler\firefox\components\xsupport.dll
FF - component: c:\program files\crawler\firefox\components\xwsg.dll
FF - component: c:\program files\pricegong\2.1.0\ff\components\PriceGongFF.dll
FF - plugin: c:\documents and settings\zack & colleen\application data\mozilla\firefox\profiles\oa2j6eys.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\zack & colleen\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\iwong\bar\1.bin\NP9uStub.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_blinkx_plugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: IWON: 9uffxtbr@IWONG.com - c:\program files\iwong\bar\1.bin
FF - Ext: Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\program files\crawler\firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ALOT Toolbar: toolbar@alot.com - %profile%\extensions\toolbar@alot.com
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: PriceGong: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829} - c:\program files\pricegong\2.1.0\FF
.

============= SERVICES / DRIVERS ===============
.
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-9-12 54760]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-2 136176]
S2 IWONGService;IWON Service;c:\progra~1\iwong\bar\1.bin\9ubarsvc.exe [2010-10-7 28766]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-1-29 7680]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-03-26 09:06:19 -------- d-----w- C:\f5fcc391bb7e702f4be258223716
2011-03-26 09:06:10 -------- d-----w- C:\bcc42e3541eb221b28f80cdeab
2011-03-26 08:58:52 -------- d-----w- C:\6f437a5fc8a0b1a93ffb81d741524752
2011-03-26 08:57:35 -------- d-----w- C:\25bec85c0760eaec3b0db21d5f4c
2011-03-26 08:00:36 -------- d-----w- C:\90b445b9c714707fd4
2011-03-26 07:45:01 -------- d-----w- C:\97e4faf146464322cc34156f2734135f
2011-03-26 07:44:06 -------- d-----w- C:\c48df6810fe8389704ee4a4fa6
2011-03-26 04:18:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\oMkDdBdOaMn06504
2011-03-13 12:14:06 -------- d-----w- c:\docume~1\zack&c~1\locals~1\applic~1\Roblox
2011-03-13 12:13:29 -------- d-----w- c:\docume~1\zack&c~1\locals~1\applic~1\RobloxVersions
2011-03-13 12:13:29 -------- d-----w- c:\docume~1\zack&c~1\locals~1\applic~1\RobloxDownloads
2011-03-12 06:23:59 -------- d-----w- c:\documents and settings\zack & colleen\NearRealityCachev111
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 07:53:56 1409 ----a-w- c:\windows\QTFont.for
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 10:40:54.68 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
.

DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 27/06/2008 1:47:33 PM
System Uptime: 27/03/2011 10:38:27 AM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | 8IPE775/-G
Processor: Intel® Pentium® 4 CPU 3.40GHz | Socket 775 | 3416/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 61.693 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A131186&REV_01\4&1F7DBC9F&0&08F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A131186&REV_01\4&1F7DBC9F&0&08F0
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F30&SUBSYS_20D514F1&REV_01\4&1F7DBC9F&0&20F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F30&SUBSYS_20D514F1&REV_01\4&1F7DBC9F&0&20F0
Service:
.
==== System Restore Points ===================
.
RP627: 27/12/2010 12:36:16 AM - System Checkpoint
RP628: 28/12/2010 12:36:55 AM - System Checkpoint
RP629: 29/12/2010 7:55:38 AM - System Checkpoint
RP630: 30/12/2010 8:50:04 AM - System Checkpoint
RP631: 31/12/2010 9:29:01 AM - System Checkpoint
RP632: 1/01/2011 3:00:16 AM - Software Distribution Service 3.0
RP633: 2/01/2011 3:41:13 AM - System Checkpoint
RP634: 3/01/2011 10:53:11 AM - System Checkpoint
RP635: 4/01/2011 12:08:44 PM - System Checkpoint
RP636: 5/01/2011 8:57:04 PM - System Checkpoint
RP637: 6/01/2011 11:37:56 PM - Software Distribution Service 3.0
RP638: 7/01/2011 7:41:07 AM - Software Distribution Service 3.0
RP639: 8/01/2011 9:56:27 PM - System Checkpoint
RP640: 9/01/2011 10:17:23 PM - System Checkpoint
RP641: 11/01/2011 8:19:41 AM - System Checkpoint
RP642: 12/01/2011 1:56:20 PM - System Checkpoint
RP643: 12/01/2011 9:55:50 PM - Software Distribution Service 3.0
RP644: 13/01/2011 8:50:22 AM - Software Distribution Service 3.0
RP645: 14/01/2011 12:42:01 PM - System Checkpoint
RP646: 15/01/2011 1:11:03 PM - System Checkpoint
RP647: 16/01/2011 1:51:58 PM - System Checkpoint
RP648: 17/01/2011 3:26:56 PM - System Checkpoint
RP649: 18/01/2011 4:01:16 PM - System Checkpoint
RP650: 19/01/2011 4:06:14 PM - System Checkpoint
RP651: 20/01/2011 5:34:30 PM - System Checkpoint
RP652: 21/01/2011 6:11:08 PM - System Checkpoint
RP653: 23/01/2011 7:05:47 PM - System Checkpoint
RP654: 25/01/2011 9:22:36 AM - System Checkpoint
RP655: 26/01/2011 2:05:38 PM - System Checkpoint
RP656: 27/01/2011 2:49:36 PM - System Checkpoint
RP657: 28/01/2011 2:56:41 PM - System Checkpoint
RP658: 29/01/2011 3:01:38 PM - System Checkpoint
RP659: 30/01/2011 6:20:19 PM - System Checkpoint
RP660: 31/01/2011 6:20:54 PM - System Checkpoint
RP661: 1/02/2011 9:03:11 PM - System Checkpoint
RP662: 2/02/2011 11:06:33 PM - System Checkpoint
RP663: 5/02/2011 10:52:54 AM - System Checkpoint
RP664: 6/02/2011 7:57:15 PM - System Checkpoint
RP665: 8/02/2011 9:06:58 AM - System Checkpoint
RP666: 9/02/2011 2:19:51 PM - System Checkpoint
RP667: 12/02/2011 11:19:14 AM - System Checkpoint
RP668: 13/02/2011 6:39:36 PM - System Checkpoint
RP669: 16/02/2011 9:10:51 AM - System Checkpoint
RP670: 17/02/2011 9:29:31 PM - System Checkpoint
RP671: 19/02/2011 11:35:59 AM - System Checkpoint
RP672: 20/02/2011 1:12:12 PM - System Checkpoint
RP673: 21/02/2011 4:32:06 PM - System Checkpoint
RP674: 21/02/2011 11:44:52 PM - Software Distribution Service 3.0
RP675: 23/02/2011 8:23:55 AM - System Checkpoint
RP676: 23/02/2011 1:24:57 PM - Installed iTunes
RP677: 24/02/2011 7:05:57 PM - Software Distribution Service 3.0
RP678: 24/02/2011 10:00:05 PM - Software Distribution Service 3.0
RP679: 26/02/2011 9:52:57 AM - System Checkpoint
RP680: 28/02/2011 8:52:34 AM - System Checkpoint
RP681: 1/03/2011 11:26:59 AM - System Checkpoint
RP682: 5/03/2011 9:54:27 PM - System Checkpoint
RP683: 7/03/2011 7:24:35 AM - System Checkpoint
RP684: 8/03/2011 11:38:25 AM - System Checkpoint
RP685: 9/03/2011 11:32:00 PM - Software Distribution Service 3.0
RP686: 11/03/2011 12:32:02 AM - System Checkpoint
RP687: 12/03/2011 10:40:45 AM - System Checkpoint
RP688: 13/03/2011 10:46:47 AM - System Checkpoint
RP689: 14/03/2011 4:27:38 PM - System Checkpoint
RP690: 15/03/2011 4:58:34 PM - System Checkpoint
RP691: 16/03/2011 9:41:04 PM - System Checkpoint
RP692: 17/03/2011 9:47:32 PM - System Checkpoint
RP693: 18/03/2011 10:05:59 PM - System Checkpoint
RP694: 19/03/2011 10:33:55 PM - System Checkpoint
RP695: 21/03/2011 12:11:17 AM - System Checkpoint
RP696: 23/03/2011 12:55:08 PM - System Checkpoint
RP697: 24/03/2011 1:36:52 PM - System Checkpoint
RP698: 24/03/2011 10:16:58 PM - Software Distribution Service 3.0
RP699: 25/03/2011 3:00:14 AM - Software Distribution Service 3.0
RP700: 26/03/2011 10:00:19 AM - System Checkpoint
RP701: 26/03/2011 3:36:08 PM - Software Distribution Service 3.0
RP702: 26/03/2011 11:19:27 PM - Software Distribution Service 3.0
RP703: 27/03/2011 7:46:54 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
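Added example (not from this thread, and not DDS or ComboFix code): a small Python triage script that scores the Run/RunOnce lines of a DDS "Pseudo HJT Report" such as the one above, so a reader can see why a helper zeroes in on one line out of a dozen. The sample input is the thread's own uRun/mRun/uRunOnce lines (rejoined where the forum wrapped them). The heuristics (executable under a profile/data directory, a value name whose letter case flips almost every character, a RunOnce key, an executable named after its own folder) and the scoring threshold are my own choices, not anything DDS itself computes. On this input it flags only the uRunOnce entry under All Users\Application Data, the same directory ComboFix later lists under "Other Deletions".

```python
import re

# Run/RunOnce lines from the DDS "Pseudo HJT Report" posted in this thread, used
# here as sample input (lines the forum wrapped have been rejoined).
SAMPLE_DDS_LINES = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [blinkx_toolbar] "c:\program files\blinkx remote toolbar\the_blinkx_toolbar.exe" -startservice
uRunOnce: [oMkDdBdOaMn06504] c:\documents and settings\all users\application data\omkddbdoamn06504\oMkDdBdOaMn06504.exe
mRun: [soundMan] SOUNDMAN.EXE
mRun: [autodetect] c:\windows\system32\supportappxl\AutoDect.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
"""

# DDS prefix letters: u = HKCU, m = HKLM, d = the .DEFAULT hive; key is Run or RunOnce.
RUN_LINE = re.compile(r"^(?P<hive>[umd])(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Paths are normalised to lower case with forward slashes before these markers are tested.
# Both lists are my own heuristic choices.
TRUSTED_DIR_MARKERS = ("/windows/", "/program files/", "/progra~1/", "%systemroot%/", "%windir%/")
DATA_DIR_MARKERS = ("/application data/", "/applic~1/", "/local settings/", "/locals~1/",
                    "/temp/", "/documents and settings/", "/docume~1/")


def executable_path(cmd: str) -> str:
    """Program part of a Run value: the quoted path, else the path up to its extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.*?\.(?:exe|scr|com|bat|dll))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def looks_random(name: str) -> bool:
    """Heuristic (my own): 8+ letters whose case flips at nearly every step, e.g. oMkDdBdOaMn."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / (len(letters) - 1) >= 0.7


def classify(line: str):
    """Score one DDS autostart line; returns (score, reasons) or None for other lines."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    path = executable_path(m.group("cmd")).lower().replace("\\", "/")
    score, reasons = 0, []
    in_trusted = any(marker in path for marker in TRUSTED_DIR_MARKERS)
    in_data = any(marker in path for marker in DATA_DIR_MARKERS)
    if in_data and not in_trusted:
        score += 2
        reasons.append("executable lives under a profile/data directory, not Program Files or Windows")
    if looks_random(name):
        score += 2
        reasons.append("random-looking value name")
    if m.group("key") == "RunOnce":
        score += 1
        reasons.append("RunOnce key (Windows deletes the entry after it has run once)")
    parts = path.split("/")
    stem = parts[-1].rsplit(".", 1)[0]
    if len(parts) >= 2 and stem == parts[-2]:
        score += 1
        reasons.append("executable is named after its own folder")
    return score, reasons


def suspicious_autostarts(log_text: str, threshold: int = 3):
    """Return [(score, line, reasons)] for Run/RunOnce lines scoring >= threshold, highest first."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[0] >= threshold:
            hits.append((result[0], line.strip(), result[1]))
    return sorted(hits, key=lambda h: h[0], reverse=True)


if __name__ == "__main__":
    for score, line, reasons in suspicious_autostarts(SAMPLE_DDS_LINES):
        print(f"[score {score}] {line}")
        for reason in reasons:
            print(f"    - {reason}")
```

The threshold of 3 means a single signal never flags a line on its own: a legitimate updater that happens to run from a profile directory scores 2 and stays below it, while the rogue entry here collects all four signals and scores 6. Feed the script a full DDS.txt and it ignores every non-Run line, so it can be pointed at a pasted log without pre-trimming.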

Sorry, I ran that DDS thing before I read your last post.

That's okay.... :) On my previous post. Download ComboFix in Safe Mode with Networking. Then post the ComboFix log.

I'm sorry, it must be so frustrating working with an amateur.

I ran the ComboFix thing and it didn't get rid of it, I also didn't see a log to copy and paste.

I didn't disable any AntiVirus or AntiSpyware programs because there were none on the System Tray.

I looked through programs and I have Norton 2000, I don't know how to disable that.

I have McAfee Security Scan Plus which when opened only gives me options of 'Update Now' and 'Cancel'.. So I'm not sure if it needs to be disabled or not, but I'm not sure how.

Also, do I need to disable MBAM?

Again, I'm really sorry!

Yes disable MBAM. We can't remove this infection in one try but, we'll remove it.

Since you cannot access your infected computer, you will have to download the required tools from your clean computer and move them to the infected computer with some removable media, for example burn it to a CD or write it to a USB flash disk.

If you use a USB flash disk, I highly recommend that you immunize it first, to prevent malware from using the USB flash drive to spread itself.

Please download Flash_Disinfector by sUBs from here and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run the tool
  • When requested, insert the USB flash disk(s) you want to immunize/disinfect
  • Hold down the Shift key when inserting the drive(s) until Windows detects the drive
  • Click OK to start the disinfection process
  • Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that you choose to disinfect. Do not delete that folder!

====================

You should have combofix.exe on your Desktop. Right. Okay, we are going to use a tool to help us run combofix in normal mode. Place this tool WiNlOgOn.exe or uSeRiNiT.exe on your infected PC desktop. Then we'll run ComboFix in normal mode. Ready.. Take your time, I'm not going anywhere.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 2 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not both of them.


  1. WiNlOgOn.exe
  2. uSeRiNiT.exe

Once you've gotten one of them to run then try to immediately run the following:

  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  2. Double click on combofix.exe & follow the prompts.
  3. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    [screenshot: cfRC_screen_1.png]
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    [screenshot: cfRC_screen_2.png]
    Click on Yes, to continue scanning for malware.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
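Added example (my own code, not Flash_Disinfector and not part of the post above) showing the mechanism behind the note earlier in that post that Flash_Disinfector leaves a hidden folder named autorun.inf on each drive: a file and a folder cannot share a name in the same directory, so once the folder exists, malware that tries to drop an autorun.inf file at the drive root fails. The script classifies what sits at a drive root, creates the protective folder only when nothing is there, and deliberately refuses to touch an existing autorun.inf file so it can be examined instead of silently replaced. The hidden attribute is set through the Win32 SetFileAttributesW call on Windows only; the demo runs against temporary directories standing in for drive roots, so it works on any platform.

```python
import ctypes
import os
import sys
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x02  # Win32 file attribute flag; applied on Windows only


def autorun_status(drive_root: str) -> str:
    """Classify the autorun.inf entry at a drive root:
    'protected' = a folder (the immunisation), 'inf-file' = a real autorun.inf file
    (what USB-borne malware drops), 'absent' = nothing there."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "protected"
    if os.path.lexists(path):
        return "inf-file"
    return "absent"


def immunize(drive_root: str) -> str:
    """Create the protective autorun.inf folder when the root has no autorun.inf at all.
    An existing autorun.inf file is left untouched on purpose, so it can be examined
    rather than replaced. Returns the status after the call."""
    if autorun_status(drive_root) != "absent":
        return autorun_status(drive_root)
    path = os.path.join(drive_root, "autorun.inf")
    os.mkdir(path)
    if sys.platform == "win32":
        # Hide the folder, as the post says Flash_Disinfector does (Windows-only API).
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_HIDDEN)
    return autorun_status(drive_root)


def demo() -> dict:
    """Exercise every path against temporary directories standing in for drive roots."""
    results = {}
    with tempfile.TemporaryDirectory() as clean_root:
        results["before"] = autorun_status(clean_root)
        results["after_immunize"] = immunize(clean_root)
        results["second_run_is_idempotent"] = immunize(clean_root)
    with tempfile.TemporaryDirectory() as stale_root:
        # Constructed sample: a plain autorun.inf file with a harmless body.
        with open(os.path.join(stale_root, "autorun.inf"), "w", encoding="ascii") as fh:
            fh.write("[autorun]\n")
        results["file_left_alone"] = immunize(stale_root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To use it on a real removable drive on Windows, call immunize("E:\\") with the drive letter; an "inf-file" result is the signal to stop and look at that file before doing anything else with the drive.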

ComboFix 11-03-26.01 - Zack & Colleen 27/03/2011 12:22:21.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.706 [GMT 11:00]

Running from: c:\documents and settings\Zack & Colleen\My Documents\Downloads\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\oMkDdBdOaMn06504

c:\documents and settings\All Users\Application Data\oMkDdBdOaMn06504\oMkDdBdOaMn06504

c:\documents and settings\All Users\Application Data\oMkDdBdOaMn06504\oMkDdBdOaMn06504.exe

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk

c:\documents and settings\Zack & Colleen\My Documents\Desktop_.ini

c:\program files\blinkx Remote Toolbar\thE_blinkx_bho.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-02-27 to 2011-03-27 )))))))))))))))))))))))))))))))

.

.

2011-03-26 23:52 . 2011-03-27 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2011-03-26 09:06 . 2011-03-26 09:06 -------- d-----w- C:\f5fcc391bb7e702f4be258223716

2011-03-26 09:06 . 2011-03-26 09:06 -------- d-----w- C:\bcc42e3541eb221b28f80cdeab

2011-03-26 08:58 . 2011-03-26 08:58 -------- d-----w- C:\6f437a5fc8a0b1a93ffb81d741524752

2011-03-26 08:57 . 2011-03-26 08:57 -------- d-----w- C:\25bec85c0760eaec3b0db21d5f4c

2011-03-26 08:00 . 2011-03-26 08:00 -------- d-----w- C:\90b445b9c714707fd4

2011-03-26 07:45 . 2011-03-26 07:45 -------- d-----w- C:\97e4faf146464322cc34156f2734135f

2011-03-26 07:44 . 2011-03-26 07:44 -------- d-----w- C:\c48df6810fe8389704ee4a4fa6

2011-03-13 12:14 . 2011-03-13 12:44 -------- d-----w- c:\documents and settings\Zack & Colleen\Local Settings\Application Data\Roblox

2011-03-12 06:23 . 2011-03-12 06:24 -------- d-----w- c:\documents and settings\Zack & Colleen\NearRealityCachev111

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2002-08-28 17:41 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2002-08-28 17:40 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-03 07:53 . 2011-02-03 07:53 1409 ----a-w- c:\windows\QTFont.for

2011-02-02 07:58 . 2008-06-27 03:42 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-06-27 03:42 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2002-08-28 17:41 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-21 10:40 . 2009-11-13 04:45 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2011-01-07 14:09 . 2001-08-23 02:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2002-08-28 16:14 1854976 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]

2010-03-28 19:47 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2011-03-09 23:19 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

2011-03-09 23:19 3911776 ----a-w- c:\program files\uTorrentBar\tbuTo1.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2011-03-09 3911776]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"blinkx_toolbar"="c:\program files\blinkx Remote Toolbar\the_blinkx_toolbar.exe" [2009-09-16 196608]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]

"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\Zack & Colleen\Start Menu\Programs\Startup\

Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-23 385024]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]

KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-5 494920]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56385:TCP"= 56385:TCP:Pando Media Booster

"56385:UDP"= 56385:UDP:Pando Media Booster

.

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 9:28 AM 136176]

S2 IWONGService;IWON Service;c:\progra~1\IWONG\bar\1.bin\9ubarsvc.exe [7/10/2010 10:26 AM 28766]

S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [29/01/2010 10:10 AM 7680]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 11:49 PM 227232]

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]

.

2011-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 22:28]

.

2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 22:28]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.crawler.com/homepage.aspx?tbid=60475

mSearch Bar = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: Crawler Search - tbr:iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\ctbr.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Zack & Colleen\Application Data\Mozilla\Firefox\Profiles\oa2j6eys.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - ALOT Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/

FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZVxdm140YYAU&ptb=13ABCC14-2691-4C62-9658-758ECBBD2079&psa=&ind=2010100621&ptnrS=ZVxdm140YYAU&si=gua182401&st=kwd&n=77cfb38d&searchfor=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: IWON: 9uffxtbr@IWONG.com - c:\program files\IWONG\bar\1.bin

FF - Ext: Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\program files\Crawler\firefox

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: ALOT Toolbar: toolbar@alot.com - %profile%\extensions\toolbar@alot.com

FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com

FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com

FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}

FF - Ext: PriceGong: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829} - c:\program files\PriceGong\2.1.0\FF

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

AddRemove-SimParkDemov1.0 - c:\maxis\ParkDemo\DeIsL1.isu

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-27 12:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(676)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2011-03-27 12:33:12

ComboFix-quarantined-files.txt 2011-03-27 01:33

.

Pre-Run: 66,148,859,904 bytes free

Post-Run: 71,694,073,856 bytes free

.

- - End Of File - - 911D746732659E4178EEC1789BE35C18


Nice Job!! Okay, we need to run ComboFix again, but a little differently.

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and paste everything from the Code box into Notepad:

KILLALL::
Folder::
c:\documents and settings\All Users\Application Data\MFAData
C:\f5fcc391bb7e702f4be258223716
C:\bcc42e3541eb221b28f80cdeab
C:\6f437a5fc8a0b1a93ffb81d741524752
C:\25bec85c0760eaec3b0db21d5f4c
C:\90b445b9c714707fd4
C:\97e4faf146464322cc34156f2734135f
C:\c48df6810fe8389704ee4a4fa6

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56385:TCP"=-
"56385:UDP"=-

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


ComboFix 11-03-26.01 - Zack & Colleen 27/03/2011 13:09:11.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.641 [GMT 11:00]

Running from: c:\documents and settings\Zack & Colleen\My Documents\Downloads\ComboFix.exe

Command switches used :: c:\documents and settings\Zack & Colleen\Desktop\CFScript.txt

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\25bec85c0760eaec3b0db21d5f4c

c:\25bec85c0760eaec3b0db21d5f4c\compappscontent.dll

c:\25bec85c0760eaec3b0db21d5f4c\en-us\amhelp.chm

c:\25bec85c0760eaec3b0db21d5f4c\en-us\epploc.cab

c:\25bec85c0760eaec3b0db21d5f4c\epplauncher.exe

c:\25bec85c0760eaec3b0db21d5f4c\eppmanifest.dll

c:\25bec85c0760eaec3b0db21d5f4c\setup.ini

c:\25bec85c0760eaec3b0db21d5f4c\setupres.dll

C:\6f437a5fc8a0b1a93ffb81d741524752

c:\6f437a5fc8a0b1a93ffb81d741524752\dw20shared.msi

c:\6f437a5fc8a0b1a93ffb81d741524752\legitlib.dll

c:\6f437a5fc8a0b1a93ffb81d741524752\mp_ambits.msi

c:\6f437a5fc8a0b1a93ffb81d741524752\msse.msi

c:\6f437a5fc8a0b1a93ffb81d741524752\setup.exe

c:\6f437a5fc8a0b1a93ffb81d741524752\setup.ini

c:\6f437a5fc8a0b1a93ffb81d741524752\setupres.dll

c:\6f437a5fc8a0b1a93ffb81d741524752\windowsxp-kb914882-x86.exe

C:\90b445b9c714707fd4

C:\97e4faf146464322cc34156f2734135f

C:\bcc42e3541eb221b28f80cdeab

c:\bcc42e3541eb221b28f80cdeab\mrt.exe

c:\bcc42e3541eb221b28f80cdeab\mrtstub.exe

C:\c48df6810fe8389704ee4a4fa6

c:\documents and settings\All Users\Application Data\MFAData

c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110326-235233.log

c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110327-002311.log

c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110327-002311.log

c:\documents and settings\All Users\Application Data\MFAData\mfaurlconf.ini

c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infoavi.ctf

c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infooi.ctf

c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infowin.ctf

c:\documents and settings\All Users\Application Data\MFAData\pack\Avgx86.msi

c:\documents and settings\All Users\Application Data\MFAData\pack\bins\poi10free_lic8gq.bin

c:\documents and settings\All Users\Application Data\MFAData\pack\bins\poi10free_mis15el.bin

c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10avgx1204bl.bin

c:\documents and settings\All Users\Application Data\MFAData\pack\free_mis.mdf

c:\documents and settings\All Users\Application Data\MFAData\pack\lic.mdf

C:\f5fcc391bb7e702f4be258223716

c:\f5fcc391bb7e702f4be258223716\compappscontent.dll

c:\f5fcc391bb7e702f4be258223716\en-us\amhelp.chm

c:\f5fcc391bb7e702f4be258223716\en-us\epploc.cab

c:\f5fcc391bb7e702f4be258223716\en-us\epploc_x86.msi

c:\f5fcc391bb7e702f4be258223716\en-us\eula.rtf

c:\f5fcc391bb7e702f4be258223716\en-us\setupres.dll.mui

c:\f5fcc391bb7e702f4be258223716\epplauncher.exe

c:\f5fcc391bb7e702f4be258223716\eppmanifest.dll

c:\f5fcc391bb7e702f4be258223716\setup.ini

c:\f5fcc391bb7e702f4be258223716\setupres.dll

c:\f5fcc391bb7e702f4be258223716\x86\dw20shared.msi

c:\f5fcc391bb7e702f4be258223716\x86\epp.msi

c:\f5fcc391bb7e702f4be258223716\x86\legitlib.dll

c:\f5fcc391bb7e702f4be258223716\x86\setup.exe

c:\f5fcc391bb7e702f4be258223716\x86\sqmapi.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-02-27 to 2011-03-27 )))))))))))))))))))))))))))))))

.

.

2011-03-13 12:14 . 2011-03-13 12:44 -------- d-----w- c:\documents and settings\Zack & Colleen\Local Settings\Application Data\Roblox

2011-03-12 06:23 . 2011-03-12 06:24 -------- d-----w- c:\documents and settings\Zack & Colleen\NearRealityCachev111

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2002-08-28 17:41 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2002-08-28 17:40 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-03 07:53 . 2011-02-03 07:53 1409 ----a-w- c:\windows\QTFont.for

2011-02-02 07:58 . 2008-06-27 03:42 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-06-27 03:42 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2002-08-28 17:41 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-21 10:40 . 2009-11-13 04:45 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2011-01-07 14:09 . 2001-08-23 02:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2002-08-28 16:14 1854976 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2011-03-27_01.30.56 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-03-27 02:15 . 2011-03-27 02:15 16384 c:\windows\temp\Perflib_Perfdata_79c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]

2010-03-28 19:47 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2011-03-09 23:19 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

2011-03-09 23:19 3911776 ----a-w- c:\program files\uTorrentBar\tbuTo1.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2011-03-09 3911776]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-03-09 3911776]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"blinkx_toolbar"="c:\program files\blinkx Remote Toolbar\the_blinkx_toolbar.exe" [2009-09-16 196608]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]

"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\Zack & Colleen\Start Menu\Programs\Startup\

Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-12-23 385024]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]

KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-5 494920]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 9:28 AM 136176]

S2 IWONGService;IWON Service;c:\progra~1\IWONG\bar\1.bin\9ubarsvc.exe [7/10/2010 10:26 AM 28766]

S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [29/01/2010 10:10 AM 7680]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 11:49 PM 227232]

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]

.

2011-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 22:28]

.

2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-01 22:28]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://home.alot.com/?client_id=64B70DA001CB7A5801E6C25A&src_id=11649&camp_id=1500&tb_version=2.5.15000.521

mSearch Bar = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Zack & Colleen\Application Data\Mozilla\Firefox\Profiles\oa2j6eys.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - ALOT Search

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11649&client_id=9846788c29f85ca76478c4a4&camp_id=1500&install_time=2010-10-31T12:50Z&tb_version=2.4.4000%28F%29&pr=auto&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: IWON: 9uffxtbr@IWONG.com - c:\program files\IWONG\bar\1.bin

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: ALOT Toolbar: toolbar@alot.com - %profile%\extensions\toolbar@alot.com

FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com

FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com

FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}

FF - Ext: PriceGong: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829} - c:\program files\PriceGong\2.1.0\FF

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-27 13:17

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(676)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(3264)

c:\windows\system32\WININET.dll

c:\docume~1\ZACK&C~1\LOCALS~1\Temp\IadHide5.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\WgaTray.exe

c:\windows\SOUNDMAN.EXE

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

.

**************************************************************************

.

Completion time: 2011-03-27 13:20:44 - machine was rebooted

ComboFix-quarantined-files.txt 2011-03-27 02:20

ComboFix2.txt 2011-03-27 01:33

.

Pre-Run: 71,722,422,272 bytes free

Post-Run: 71,649,361,920 bytes free

.

- - End Of File - - F71F635A3132E0A75C5136BA46A17F57

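The CFScript post above writes a Registry:: block by hand, and the two ComboFix runs show what changed once it ran. The following is an added example written for this page in Python; it is not part of the thread and is not ComboFix's or Malwarebytes' code. It parses ComboFix's banner-delimited log into named sections, pulls the XP firewall exceptions and the locked-key entries out of the REGEDIT4-style lines, diffs the Supplementary Scan section between the first and second run, and emits the same Registry:: block the helper typed. The section titles, the "name"=- deletion syntax and the @Denied line format are taken from the logs in this thread; RUN1 and RUN2 are constructed excerpts trimmed from those two logs, and PORTS_KEY is the GloballyOpenPorts key spelled the way ComboFix abbreviates it.

```python
# Added example for the ComboFix log format; not ComboFix's, Malwarebytes' or the thread's own code.
import re

# Banners: "(((( Reg Loading Points ))))", "------- Supplementary Scan -------"; filler is "." and "*" rows.
BANNER_RE = re.compile(
    r'^(?:\({3,}|-{3,}|(?:- ){3,})\s*(.*?)\s*(?:\){3,}|-{3,}|(?: -){3,})$')
KEY_RE = re.compile(r'^\[(.+)\]$')                            # [HKEY_...]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$')     # "name"=data
PORTS_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
             r"\standardprofile\GloballyOpenPorts\List")       # as ComboFix abbreviates it


def parse_sections(text):
    """Return {banner title: [content lines]} in log order, filler dropped."""
    sections, current = {"Header": []}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "." or set(line) == {"*"}:
            continue
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def registry_entries(lines):
    """Yield (key, value name, data); a bare line under a key (file path, @Denied note, @= default) has name None."""
    key = None
    for line in lines:
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
        elif key is not None:
            v = VALUE_RE.match(line)
            yield (key, v.group(1), v.group(2)) if v else (key, None, line)


def firewall_exceptions(sections):
    """Programs and ports the XP firewall has been told to allow."""
    apps, ports = [], []
    for key, name, data in registry_entries(sections.get("Reg Loading Points", [])):
        if name is not None and "AuthorizedApplications" in key:
            apps.append(name.replace("\\\\", "\\"))   # the log doubles backslashes
        elif name is not None and "GloballyOpenPorts" in key:
            ports.append((name, data))
    return apps, ports


def locked_keys(sections):
    """(key, ACL note, registering executable) for each key ComboFix lists as locked.
    A denied ACE alone is not evidence of malware; check the owner before writing a Reglock:: line."""
    denied, owner = {}, {}
    for key, name, data in registry_entries(sections.get("LOCKED REGISTRY KEYS", [])):
        if name is None and data.startswith("@Denied"):
            denied[key] = data
        elif name is None and key.endswith("\\LocalServer32") and data.startswith("@="):
            owner[key.rsplit("\\", 1)[0]] = data[2:].strip('"').replace("\\\\", "\\")
    return [(k, d, owner.get(k)) for k, d in denied.items()]


def diff_section(before, after, title):
    """Lines that vanished from / appeared in one section between two runs."""
    old, new = set(before.get(title, [])), set(after.get(title, []))
    return sorted(old - new), sorted(new - old)


def cfscript_remove_values(key, names):
    """CFScript Registry:: block; "name"=- deletes that value (regedit syntax)."""
    return "\n".join(["Registry::", "[%s]" % key] + ['"%s"=-' % n for n in names])


# Constructed excerpts, trimmed from the two ComboFix runs posted in this thread.
RUN1 = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56385:TCP"= 56385:TCP:Pando Media Booster
"56385:UDP"= 56385:UDP:Pando Media Booster
------- Supplementary Scan -------
uStart Page = hxxp://www.crawler.com/homepage.aspx?tbid=60475
IE: Crawler Search - tbr:iemenu
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\ctbr.dll
**************************************************************************
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
"""
RUN2 = r"""
------- Supplementary Scan -------
uStart Page = hxxp://home.alot.com/?client_id=64B70DA001CB7A5801E6C25A&src_id=11649
mSearch Bar = hxxp://www.google.com
"""

if __name__ == "__main__":
    s1, s2 = parse_sections(RUN1), parse_sections(RUN2)
    print(firewall_exceptions(s1), locked_keys(s1), diff_section(s1, s2, "Supplementary Scan"), sep="\n")
    print(cfscript_remove_values(PORTS_KEY, [n for n, _ in firewall_exceptions(s1)[1]]))
```

Run as a script it prints the allowed programs (LimeWire and uTorrent among them), the two Pando ports, the one locked key together with the executable its LocalServer32 value points at, the three Crawler lines that are gone from the second run and the two alot.com lines that replaced them, and then a Registry:: block identical to the one in the CFScript above. The locked key in this thread resolves, by the log's own LocalServer32 value, to Flash's FlashUtil10i_ActiveX.exe; ComboFix lists every key it cannot open normally, so an @Denied line is a prompt to identify the owner, not a finding by itself.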

Smile, we are getting closer.... :)

Update and Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6179

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

27/03/2011 1:39:39 PM

mbam-log-2011-03-27 (13-39-39).txt

Scan type: Quick scan

Objects scanned: 151995

Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\z2010MegawildAdverpopper.DLL (Adware.PlayMP3z.Gen) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\zack & colleen\my documents\downloads\VLCSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.

c:\documents and settings\zack & colleen\my documents\downloads\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.

c:\documents and settings\zack & colleen\my documents\downloads\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Looking good! How is your PC doing, Coalza?

Let me check your security, so this will not happen again. By the way, you should remove uTorrent. Using P2P (peer-to-peer) software is very risky, because it makes you very susceptible to infection, attack, and exposure of personal or company information. But it is up to you whether to remove uTorrent.

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Yeah, it's running like a dream now! Thank you!

After I did the security check, the checkup document was empty.

The security check box says "The system cannot find the path specified."


The reason is you have no anti-virus program. So, let's add one to your PC.

Anti-virus software is a program that detects, cleans and erases harmful virus files on a computer, web server or network. Unchecked virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present and will clean, delete (or quarantine) infected files or directories.

Here's the one I use below and it's free.

  • Avira AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.


Avira AntiVir Personal

Report file date: Sunday, 27 March 2011 14:36

Scanning for 2533833 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : Zack & Colleen

Computer name : ZC-S2VCX35UWDY0

Version information:

Configuration settings for the scan:

Jobname.............................: Short system scan after installation

Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: off

Integrity checking of system files..: off

Scan all files......................: Intelligent file selection

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Sunday, 27 March 2011 14:36

The scan of running processes will be started

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Master boot sector HD1

[iNFO] No virus was found!

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '1716' files ).

End of the scan: Sunday, 27 March 2011 14:36

Used time: 00:42 Minute(s)

The scan has been done completely.

0 Scanned directories

2198 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

2198 Files not concerned

5 Archives were scanned

0 Warnings

0 Notes


You really did a fantastic job Coalza!!!! We dropped a train on this malware!..... :D

Please download JavaRa to your desktop and unzip it to its own folder

  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

To clear your Java cache:

Click Start > Control Panel.

In the Control Panel, double-click the "Java" icon. The Java Control Panel then appears.

Under the header "Temporary Internet Files", select the "Settings" button.


Don't change any of the settings, then click "Delete Files".


Next, the Delete Temporary Files dialog box appears.


Make sure both boxes are ticked, and hit the OK button.

=========================================================================

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA, both of which are free to use and more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
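As an added example (not part of the original thread), the same Internet-zone settings can be audited from PowerShell instead of clicking through the Security tab; the registry path and URLACTION ids used below are the standard per-user locations Internet Explorer stores these policies in, not values taken from the post.

```powershell
# Added example, not from the original thread: audit the Internet zone
# settings listed in the post above by reading them from the registry.
# Zone 3 is the "Internet" zone; each setting is a DWORD named by its
# URLACTION id, with 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the post: Prompt (1) or Disable (3) per setting.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 }
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneHardening {
    param([string]$Path = $ZonePath)
    # Read the whole zone key once; settings never changed by the user are absent
    $Zone = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($Setting in $Recommended) {
        $Current = $Zone.($Setting.Id)
        $CurrentLabel = if ($null -eq $Current) { 'not set (zone default)' }
                        elseif ($Label.ContainsKey([int]$Current)) { $Label[[int]$Current] }
                        else { "unknown ($Current)" }
        [pscustomobject]@{
            Setting     = $Setting.Name
            Current     = $CurrentLabel
            Recommended = $Label[$Setting.Want]
            OK          = ($null -ne $Current -and [int]$Current -eq $Setting.Want)
        }
    }
}

# Print the audit table; any row with OK = False still needs the change from the post.
Test-InternetZoneHardening | Format-Table -AutoSize
```

A value written by Group Policy under HKLM overrides the per-user entry, so a passing row here only holds on a machine with no such policy applied.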

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial for Spywareblaster can be found here.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from to help speed up your computer.

Visit My Blog for Malware and Spyware Tips



You are amazing!

Thank you so, so much for your help, I truly appreciate it!

:)
