
Hi,

It looks like this is a popular one: Broken Open and possibly a few other trojan horses. Malwarebytes gets them, and they come back. I think I need your expert help.

I have downloaded HijackThis, but have not run it; waiting for your instructions.

Many thanks,

mkinaz


Welcome to the forum, please do this:

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) (511 KB) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop, and post it in your next reply.

Next.......

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open; copy and paste them in a reply here (or attach them as .txt files):

OTListIt.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


Hi MrCharlie

Thanks for your assistance.

When I run this I have to run it as an administrator; otherwise I get an error that says: "The file does not have a program associated with it for performing this action...."

When I run as admin, I get this message:

aswMBR version 0.9.4 Copyright© 2011 AVAST Software

Run date: 2011-04-01 15:32:52

-----------------------------

15:32:52.549 OS Version: Windows 6.1.7600

15:32:52.549 Number of processors: 2 586 0x170A

15:32:52.550 ComputerName: KAREN8730WKS UserName: Karen

15:32:53.259 Initialze error

How should I proceed?

Thanks,


What operating system are you using?

-------------------

Download this file to your desktop, then right click on it and choose merge:

http://download.bleepingcomputer.com/reg/FixExe.reg

--------------------

Try this one:

Download TDSSKiller to your Desktop.

Double-click on TDSSKiller.exe to run the application, then click on Start Scan.

Don't Change These Settings:

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

You may be asked to reboot the computer to complete the process. Click on Reboot Now.

To view the report:

Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory that will look something like this:

TDSSKiller.2.4.17.0_12.02.2011_14.35.56_log.txt

MrC


Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open; copy and paste them in a reply here (or attach them as .txt files):

OTListIt.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


OK, you don't have to do it right now, but at some time please update your Java; older versions are vulnerable to malware.

Java 6 Update 17 <--should be Update 24

Just go into your control panel and click on Java and then update.

---------------------------

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-1549388737-3676839149-1627991844-1000\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    [2011/03/31 21:46:15 | 000,001,790 | -HS- | M] () -- C:\Users\Karen\AppData\Local\85c41t1n5cbla04i6352uvj1206w3hx3tpr218awhu85420
    [2011/03/31 21:42:34 | 000,001,798 | -HS- | M] () -- C:\ProgramData\85c41t1n5cbla04i6352uvj1206w3hx3tpr218awhu85420
    [2011/03/30 19:53:40 | 000,001,316 | -HS- | C] () -- C:\Users\Karen\AppData\Local\152u4fdc2g
    [2011/03/30 19:53:40 | 000,001,316 | -HS- | C] () -- C:\ProgramData\152u4fdc2g
    [2011/03/21 11:02:46 | 000,008,512 | -HS- | C] () -- C:\Users\Karen\AppData\Local\uk18fi747v81qli728h37w8s1uvgd
    [2011/03/21 11:02:46 | 000,008,512 | -HS- | C] () -- C:\ProgramData\uk18fi747v81qli728h37w8s1uvgd
    [2010/01/26 11:02:10 | 000,000,000 | ---- | C] () -- C:\Users\Karen\AppData\Local\Txewotigiha.bin

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

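The file entries in that fix script follow OTL's fixed listing format: timestamp, comma-grouped size, four attribute flags, M or C, the version-info company in parentheses, then the path. The example below is added here and is not part of the original post or of OTL itself. It parses those lines and applies the two cues a helper reads off them when picking entries for a fix: hidden+system attributes on a file sitting in a user-writable data directory, and a long extension-less name in which letters and digits interleave. The attribute order R/H/S/D, the directory list and the four-transition threshold are assumptions of this example; the sample lines are copied from the script above plus one constructed benign entry for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the seven file entries from the fix script above, plus one
# benign entry invented for contrast (its timestamp and company are made up).
SAMPLE_OTL_LINES = r"""[2011/03/31 21:46:15 | 000,001,790 | -HS- | M] () -- C:\Users\Karen\AppData\Local\85c41t1n5cbla04i6352uvj1206w3hx3tpr218awhu85420
[2011/03/31 21:42:34 | 000,001,798 | -HS- | M] () -- C:\ProgramData\85c41t1n5cbla04i6352uvj1206w3hx3tpr218awhu85420
[2011/03/30 19:53:40 | 000,001,316 | -HS- | C] () -- C:\Users\Karen\AppData\Local\152u4fdc2g
[2011/03/30 19:53:40 | 000,001,316 | -HS- | C] () -- C:\ProgramData\152u4fdc2g
[2011/03/21 11:02:46 | 000,008,512 | -HS- | C] () -- C:\Users\Karen\AppData\Local\uk18fi747v81qli728h37w8s1uvgd
[2011/03/21 11:02:46 | 000,008,512 | -HS- | C] () -- C:\ProgramData\uk18fi747v81qli728h37w8s1uvgd
[2010/01/26 11:02:10 | 000,000,000 | ---- | C] () -- C:\Users\Karen\AppData\Local\Txewotigiha.bin
[2011/03/09 15:12:00 | 000,802,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll
"""

# One OTL file entry: "[date time | size | attrs | M-or-C] (company) -- path".
# This example assumes the four attribute flags are printed in the order
# R (read-only), H (hidden), S (system), D (directory), with '-' for unset.
OTL_FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>\S.*?)\s*$"
)


@dataclass
class OtlEntry:
    stamp: str
    size: int          # bytes; OTL prints it zero-padded with comma grouping
    readonly: bool
    hidden: bool
    system: bool
    directory: bool
    kind: str          # 'M' = listed by modified date, 'C' = listed by created date
    company: str       # version-info company name, empty for most unsigned files
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file entry; returns None for any other kind of line."""
    m = OTL_FILE_RE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    return OtlEntry(
        stamp=m.group("stamp"),
        size=int(m.group("size").replace(",", "")),
        readonly=attrs[0] == "R",
        hidden=attrs[1] == "H",
        system=attrs[2] == "S",
        directory=attrs[3] == "D",
        kind=m.group("kind"),
        company=m.group("company"),
        path=m.group("path"),
    )


# Directories any standard user can write to; the list is chosen for this example.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")


def looks_random(name: str) -> bool:
    """Extension-less name of 8+ characters in which letters and digits alternate
    at least four times (like 152u4fdc2g); the threshold is an assumption."""
    if "." in name or len(name) < 8:
        return False
    classes = ["d" if c.isdigit() else "a" if c.isalpha() else "x" for c in name]
    if "x" in classes or "d" not in classes or "a" not in classes:
        return False
    transitions = sum(1 for i in range(1, len(classes)) if classes[i] != classes[i - 1])
    return transitions >= 4


def suspicious_reasons(entry: OtlEntry) -> List[str]:
    """Return the cues that make an entry worth a human look (empty = none)."""
    reasons = []
    lowered = entry.path.lower()
    in_user_dir = any(marker in lowered for marker in USER_WRITABLE)
    if in_user_dir and entry.hidden and entry.system and not entry.directory:
        reasons.append("hidden+system file in a user-writable data directory")
    if in_user_dir and looks_random(entry.name):
        reasons.append("random-looking extension-less name")
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every entry that trips at least one cue."""
    flagged = []
    for line in text.splitlines():
        entry = parse_otl_line(line)
        if entry is not None:
            reasons = suspicious_reasons(entry)
            if reasons:
                flagged.append((entry.path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_OTL_LINES):
        print(path, "->", "; ".join(reasons))
```

Run against the sample, the six hidden+system entries trip both cues and the FntCache.dll line trips neither. The zero-byte Txewotigiha.bin that the helper also removed is not flagged by either rule, which is the point of the exercise: the cues narrow a long listing down to what deserves attention, and the final call still comes from reading the rest of the scan.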

Ok,

here you go:

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.

Registry value HKEY_USERS\S-1-5-21-1549388737-3676839149-1627991844-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

C:\Users\Karen\AppData\Local\85c41t1n5cbla04i6352uvj1206w3hx3tpr218awhu85420 moved successfully.

C:\ProgramData\85c41t1n5cbla04i6352uvj1206w3hx3tpr218awhu85420 moved successfully.

C:\Users\Karen\AppData\Local\152u4fdc2g moved successfully.

C:\ProgramData\152u4fdc2g moved successfully.

C:\Users\Karen\AppData\Local\uk18fi747v81qli728h37w8s1uvgd moved successfully.

C:\ProgramData\uk18fi747v81qli728h37w8s1uvgd moved successfully.

C:\Users\Karen\AppData\Local\Txewotigiha.bin moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Karen

->Temp folder emptied: 3440380 bytes

->Temporary Internet Files folder emptied: 6885445 bytes

->Java cache emptied: 67406134 bytes

->FireFox cache emptied: 81166531 bytes

->Flash cache emptied: 8456 bytes

User: Mark

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 54753 bytes

RecycleBin emptied: 2280046 bytes

Total Files Cleaned = 154.00 mb

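A fix log like the one above is worth checking mechanically rather than by eye: every path the script asked to move should come back as "moved successfully", and the per-folder byte counts should agree with the headline total. The checker below is an added example, not the poster's or OTL's own code. The log lines and the requested paths are copied from this thread (the log is abridged to the lines that carry results); the one-MiB tolerance on the total is an assumption, because OTL reports "Total Files Cleaned" rounded while the listed counts sum to about 153.8 MiB.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abridged copy of the OTL fix log above (every result
# line kept; most of the zero-byte folder lines dropped).
FIX_LOG = r"""All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-1549388737-3676839149-1627991844-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
C:\Users\Karen\AppData\Local\85c41t1n5cbla04i6352uvj1206w3hx3tpr218awhu85420 moved successfully.
C:\ProgramData\85c41t1n5cbla04i6352uvj1206w3hx3tpr218awhu85420 moved successfully.
C:\Users\Karen\AppData\Local\152u4fdc2g moved successfully.
C:\ProgramData\152u4fdc2g moved successfully.
C:\Users\Karen\AppData\Local\uk18fi747v81qli728h37w8s1uvgd moved successfully.
C:\ProgramData\uk18fi747v81qli728h37w8s1uvgd moved successfully.
C:\Users\Karen\AppData\Local\Txewotigiha.bin moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Karen
->Temp folder emptied: 3440380 bytes
->Temporary Internet Files folder emptied: 6885445 bytes
->Java cache emptied: 67406134 bytes
->FireFox cache emptied: 81166531 bytes
->Flash cache emptied: 8456 bytes
%systemdrive% .tmp files removed: 0 bytes
Windows Temp folder emptied: 54753 bytes
RecycleBin emptied: 2280046 bytes
Total Files Cleaned = 154.00 mb
"""

# The file paths the :OTL section of the fix script asked to move.
REQUESTED_MOVES = [
    r"C:\Users\Karen\AppData\Local\85c41t1n5cbla04i6352uvj1206w3hx3tpr218awhu85420",
    r"C:\ProgramData\85c41t1n5cbla04i6352uvj1206w3hx3tpr218awhu85420",
    r"C:\Users\Karen\AppData\Local\152u4fdc2g",
    r"C:\ProgramData\152u4fdc2g",
    r"C:\Users\Karen\AppData\Local\uk18fi747v81qli728h37w8s1uvgd",
    r"C:\ProgramData\uk18fi747v81qli728h37w8s1uvgd",
    r"C:\Users\Karen\AppData\Local\Txewotigiha.bin",
]

# "<Registry key|Registry value> <target> <status>." or "<path> moved successfully."
ACTION_RE = re.compile(
    r"^(?P<kind>Registry key|Registry value)?\s*(?P<target>\S.*?) "
    r"(?P<status>deleted successfully|moved successfully|not found)\.$"
)
BYTES_RE = re.compile(r"^(?:->)?(?P<what>.+?) (?:emptied|removed): (?P<n>\d+) bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = (?P<mb>\d+(?:\.\d+)?) mb$")


def parse_fix_log(text: str) -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, int]], Optional[float]]:
    """Split a fix log into (kind, target, status) results, (what, bytes) pairs
    and the headline total in MB (None if the line is absent)."""
    actions, freed, reported_mb = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACTION_RE.match(line)
        if m:
            actions.append((m.group("kind") or "File", m.group("target"), m.group("status")))
            continue
        m = BYTES_RE.match(line)
        if m:
            freed.append((m.group("what"), int(m.group("n"))))
            continue
        m = TOTAL_RE.match(line)
        if m:
            reported_mb = float(m.group("mb"))
    return actions, freed, reported_mb


def verify_fix(text: str, requested_paths: List[str]) -> Dict[str, object]:
    """Reconcile what was requested against what the log says happened."""
    actions, freed, reported_mb = parse_fix_log(text)
    moved = {t.lower() for k, t, s in actions if k == "File" and s == "moved successfully"}
    total_bytes = sum(n for _, n in freed)
    # OTL rounds the headline figure: the listed counts sum to about 153.8 MiB
    # against a reported 154.00, so a tolerance of one MiB is assumed here.
    consistent = reported_mb is not None and abs(total_bytes / 2 ** 20 - reported_mb) < 1.0
    return {
        "unmoved": [p for p in requested_paths if p.lower() not in moved],
        "status_counts": dict(Counter(s for _, _, s in actions)),
        "total_bytes": total_bytes,
        "reported_mb": reported_mb,
        "total_consistent": consistent,
    }


if __name__ == "__main__":
    print(verify_fix(FIX_LOG, REQUESTED_MOVES))
```

For this log the result is seven moves, five registry deletions, three "not found" and an empty `unmoved` list. The three "not found" results are expected: they are the Classes\CLSID keys for entries the script itself described as "No CLSID value found", so OTL looked for the class registration and confirmed it was absent. A "not found" against a path you asked to move is the case to chase, since it means the file was gone, renamed or locked before the fix ran.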

One more scan to run....ComboFix

The most important things to remember when running ComboFix are to download and run it from your desktop and to make sure you disable your anti-virus programs before you run it.

---------------------------------------

Please download and run ComboFix:

A few notes first:

  • ComboFix is compatible exclusively with XP and W2K (32-bit only) <===> Vista and Windows 7 (32-bit and 64-bit)
  • ComboFix must be run from an Administrative account.
  • Vista and W7 users - Right click, choose "Run as Administrator"
  • It must be downloaded to and run from your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results". (see below)
  • ComboFix Guide <---please read!

Download ComboFix from one of these locations: (you may have to use right click > save target as)

  • Link 1
  • Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon, and choose disable/exit.

More info HERE<-------

They may interfere with the running of ComboFix.

Note: If you have AVG or CA Internet Security Suite installed, due to recent changes in how these AVs target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download and run Opswat AppRemover.

  • Double click on ComboFix.exe & follow the prompts.
  • Note: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  • Note: If you have SP3, use the SP2 package.

If Vista or Windows 7, skip the Recovery Console part

  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  3. ComboFix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun ASAP!

  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If a reboot doesn't restore your connection, please try this:

Check HERE

For XP systems download and run WinSockFix and Here

Vista users: Check HERE

Windows 7 systems: Download and run this Winsockfix.bat

  5. Give ComboFix at least 20-30 minutes to finish if needed.

MrC


OK.

ComboFix ran, and I have attached the log.

I uninstalled AVG first, then rebooted,

but ComboFix told me it was still running. I told it to run at my own risk, and it finished.

Awaiting instructions.

Thanks

Mark

ComboFix 11-04-01.01 - Karen 04/01/2011 17:55:37.1.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3036.2148 [GMT -7:00]

Running from: c:\users\Karen\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Karen\AppData\Local\{267F1BF5-F6F5-476A-89B2-866A2E781B91}

c:\users\Karen\AppData\Local\{267F1BF5-F6F5-476A-89B2-866A2E781B91}\chrome.manifest

c:\users\Karen\AppData\Local\{267F1BF5-F6F5-476A-89B2-866A2E781B91}\chrome\content\_cfg.js

c:\users\Karen\AppData\Local\{267F1BF5-F6F5-476A-89B2-866A2E781B91}\chrome\content\overlay.xul

c:\users\Karen\AppData\Local\{267F1BF5-F6F5-476A-89B2-866A2E781B91}\install.rdf

c:\users\Karen\g2mdlhlpx.exe

c:\windows\system32\AutoRun.inf

.

.

((((((((((((((((((((((((( Files Created from 2011-03-02 to 2011-04-02 )))))))))))))))))))))))))))))))

.

.

2011-04-02 01:00 . 2011-04-02 01:00 -------- d-----w- c:\users\Mark\AppData\Local\temp

2011-04-02 01:00 . 2011-04-02 01:00 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-04-02 00:28 . 2011-04-02 00:28 -------- d-----w- C:\_OTL

2011-04-01 05:14 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-01 05:14 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-01 04:15 . 2011-04-01 04:15 -------- d-----w- c:\windows\Sun

2011-03-09 15:12 . 2011-02-19 05:33 802304 ----a-w- c:\windows\system32\FntCache.dll

2011-03-09 15:12 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\system32\DWrite.dll

2011-03-09 15:12 . 2011-02-19 05:32 739840 ----a-w- c:\windows\system32\d2d1.dll

2011-03-09 15:12 . 2010-12-23 05:28 850432 ----a-w- c:\windows\system32\sbe.dll

2011-03-09 15:12 . 2010-12-23 05:28 642048 ----a-w- c:\windows\system32\CPFilters.dll

2011-03-09 15:12 . 2010-12-23 05:28 534528 ----a-w- c:\windows\system32\EncDec.dll

2011-03-09 15:12 . 2010-12-23 05:24 199680 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-09 15:12 . 2010-12-18 05:30 2690560 ----a-w- c:\windows\system32\mstscax.dll

2011-03-09 15:12 . 2010-12-18 05:26 1034240 ----a-w- c:\windows\system32\mstsc.exe

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-03 05:45 . 2011-02-09 22:53 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2011-01-07 07:31 . 2011-02-24 02:35 442880 ----a-w- c:\windows\system32\XpsPrint.dll

2011-01-07 07:31 . 2011-02-24 02:35 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-01-07 07:27 . 2011-02-09 22:53 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-07 05:33 . 2011-02-09 22:53 294400 ----a-w- c:\windows\system32\atmfd.dll

2011-01-05 05:37 . 2011-02-09 22:53 428032 ----a-w- c:\windows\system32\vbscript.dll

2011-01-05 03:37 . 2011-02-09 22:53 2329088 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-12-11 1310720]

"HostManager"="c:\program files\Common Files\AOL\1250461112\ee\AOLSoftware.exe" [2008-06-24 41824]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-06 149280]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http:" [X]

.

c:\users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Professional\BBStartup.exe [2009-10-25 40960]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"HideSCAHealth"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

.

R0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2009-03-10 13424]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2009-03-10 367728]

R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-06-18 4233728]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]

S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-06-12 1164536]

S2 BBWatcherService;BBWatcherService;c:\program files\CMS Products\BounceBack Professional\BBWatcherService.exe [2008-05-01 36864]

S2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [2009-03-10 447848]

S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-02-27 26168]

S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-06-12 477696]

S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-11-21 220288]

S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]

S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-12-20 47616]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - Avgtdix

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HPService REG_MULTI_SZ HPSLPSVC

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-US\local\search.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Karen\AppData\Roaming\Mozilla\Firefox\Profiles\r33rjzp5.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CLie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.sendperfectcards.com

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Starfield Zoom: zoomext@starfield - c:\program files\Mozilla Firefox\extensions\zoomext@starfield

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-04-01 18:01:50

ComboFix-quarantined-files.txt 2011-04-02 01:01

.

Pre-Run: 168,703,565,824 bytes free

Post-Run: 168,689,553,408 bytes free

.

- - End Of File - - C278E743C877B42D732A23ABE833344C


OK, will do that now.

May I reinstall my AVG anti-virus?

... or is there a better AV program I should be using, free or fee?

I think I got this after a Google search was redirected to a strange web site. Does that sound feasible?

I don't surf any "dangerous" sites (like games, gambling, porn, LimeWire, etc.) on this machine, so I would like to know how I got it.

Should I update any Windows defense software, like Defender?

Anything else you can recommend? I'm all ears.

Thanks

Mark


OK, here goes:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6242

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

4/1/2011 6:27:10 PM

mbam-log-2011-04-01 (18-27-10).txt

Scan type: Quick scan

Objects scanned: 158242

Time elapsed: 2 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


OK....Clean Good :)

-------------------------

Please Uninstall ComboFix:

Go to Start > Run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

[image: cf2.jpg]

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

------------------------

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

-----------------------

I think i got this after a google search was redirected to a strange web site - does that sound feasible?

Yes, that is.

--------------------------

What to use......

If you can afford it, buy the full version of MBAM; that will give you excellent real-time protection.

Your firewall should be OK

You can use MBAM with Avast, Avira or Microsoft Security Essentials.

If not, use Avast or Avira as your anti-virus.

There's all kinds of info and links in My Preventive Maintenance, look it over and if you have any questions let me know, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
