Jump to content

Recommended Posts

My computer became infected with windows xp antivirus malware. I followed the sticky post on this forum and ran malwarebytes to remove, removed elements of infection, then ran antivirus scan (scan showed no virus). But afterwards i now receive notice that my automatic updates is not turned on (although it appears to be) even changing it in security center doesn't make this go away. So i starting a new thread here with my scan results pursuant to site recommendations.

Here is first mb scan result :

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6709

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/29/2011 3:23:32 AM

mbam-log-2011-05-29 (03-23-32).txt

Scan type: Quick scan

Objects scanned: 168551

Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 7

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

c:\documents and settings\user\local settings\application data\hoh.exe (Trojan.FakeAlert) -> 3636 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\user\Local Settings\Application Data\hoh.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\user\Local Settings\Application Data\hoh.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\user\Local Settings\Application Data\hoh.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\user\Local Settings\Application Data\hoh.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\user\local settings\application data\hoh.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Here is second mb scan after removing elements from first scan:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6716

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/29/2011 1:28:49 PM

mbam-log-2011-05-29 (13-28-49).txt

Scan type: Quick scan

Objects scanned: 169027

Time elapsed: 1 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is dds result:

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Run by user at 9:15:22 on 2011-05-30

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2550 [GMT -4:00]

.

AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Nuance\dgnsvc.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\user\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll

uRun: [AdobeBridge]

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [iSUSPM] c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking11\Ereg.ini

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [Nuance.ctfmngr] c:\program files\nuance\naturallyspeaking11\program\ctfmngr.exe /restore

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\x0zpycs2.default\

FF - prefs.js: browser.search.selectedEngine - Godaddy.com

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-11 108792]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-9-11 96408]

R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2010-7-23 296808]

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-11 735960]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-5-8 2218600]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-5-8 119272]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2010\RpcAgentSrv.exe [2010-4-19 93336]

.

=============== Created Last 30 ================

.

2011-05-29 07:15:56 -------- d-----w- c:\windows\system32\LogFiles

2011-05-28 16:39:15 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-28 16:39:15 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-28 16:39:15 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-05-28 14:48:01 -------- d-----w- c:\documents and settings\user\local settings\application data\TechSmith

2011-05-28 14:46:47 -------- d-----w- c:\windows\system32\QuickTime

2011-05-28 14:46:26 -------- d-----w- c:\program files\common files\TechSmith Shared

2011-05-28 03:06:04 -------- d-----w- c:\program files\Market Samurai

2011-05-21 23:53:33 -------- d-----w- c:\program files\iPod

2011-05-21 23:49:54 -------- d-----w- c:\program files\Bonjour

2011-05-13 14:45:09 -------- d-----w- c:\windows\system32\appmgmt

2011-05-10 02:00:53 -------- d-----w- c:\program files\common files\DigitalJuice

2011-05-08 19:35:48 -------- d-----w- c:\documents and settings\all users\application data\NVIDIA Corporation

2011-05-08 19:33:09 -------- d-----w- c:\program files\NVIDIA Corporation

2011-05-08 19:32:54 -------- d-----w- C:\NVIDIA

2011-05-02 21:15:38 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2011-05-02 21:15:38 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2011-05-01 12:09:31 -------- d-----w- c:\program files\MSXML 4.0

2011-05-01 02:23:25 -------- d-----w- c:\documents and settings\user\application data\Nuance

2011-05-01 02:23:25 -------- d-----w- c:\documents and settings\user\application data\FLEXnet

2011-05-01 02:19:36 -------- d-----w- c:\program files\common files\IVA

2011-05-01 02:19:17 -------- d-----w- c:\program files\common files\Nuance

2011-05-01 02:17:44 -------- d-----w- c:\program files\Nuance

2011-05-01 02:17:44 -------- d-----w- c:\documents and settings\all users\application data\Nuance

2011-05-01 02:17:37 -------- d-----w- c:\windows\speech

.

==================== Find3M ====================

.

2011-05-08 19:34:43 259604 ----a-w- c:\windows\system32\nvdrsdb0.bin

2011-05-08 19:34:43 1 ----a-w- c:\windows\system32\nvdrssel.bin

2011-05-08 19:34:40 259604 ----a-w- c:\windows\system32\nvdrsdb1.bin

2011-05-08 16:58:27 2263 ----a-w- c:\documents and settings\all users\application data\xmlB9.tmp

2011-05-08 16:58:27 13621 ----a-w- c:\documents and settings\all users\application data\xmlB8.tmp

2011-05-08 16:58:26 8185 ----a-w- c:\documents and settings\all users\application data\xmlB7.tmp

2011-04-29 01:55:55 73 ----a-w- c:\windows\system32\ssprs.dll

2011-04-29 01:55:55 205 ----a-w- c:\windows\system32\lsprst7.dll

2011-04-08 05:14:00 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll

2011-04-08 05:14:00 855656 ----a-w- c:\windows\system32\nvgenco322060.dll

2011-04-08 05:14:00 61440 ----a-w- c:\windows\system32\OpenCL.dll

2011-04-08 05:14:00 5210112 ----a-w- c:\windows\system32\nvcuda.dll

2011-04-08 05:14:00 4111232 ----a-w- c:\windows\system32\nv4_disp.dll

2011-04-08 05:14:00 2770536 ----a-w- c:\windows\system32\nvcuvid.dll

2011-04-08 05:14:00 2116894 ----a-w- c:\windows\system32\nvdata.bin

2011-04-08 05:14:00 2074216 ----a-w- c:\windows\system32\nvcuvenc.dll

2011-04-08 05:14:00 2027008 ----a-w- c:\windows\system32\nvapi.dll

2011-04-08 05:14:00 14856192 ----a-w- c:\windows\system32\nvoglnt.dll

2011-04-08 05:14:00 13000704 ----a-w- c:\windows\system32\nvcompiler.dll

2011-04-08 05:14:00 12501600 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2011-04-08 02:15:38 81920 ----a-w- c:\windows\system32\nvwddi.dll

2011-04-08 02:15:38 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll

2011-04-08 02:15:34 277608 ----a-w- c:\windows\system32\nvmccs.dll

2011-04-08 02:15:34 13891176 ----a-w- c:\windows\system32\nvcpl.dll

2011-04-08 02:15:34 111208 ----a-w- c:\windows\system32\nvmctray.dll

2011-04-08 02:15:32 155752 ----a-w- c:\windows\system32\nvsvc32.exe

2011-04-08 02:15:32 145000 ----a-w- c:\windows\system32\nvcolor.exe

2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 20:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 15:59:23 26216 ----a-w- c:\windows\system32\nvhdap32.dll

2011-03-03 15:59:20 119272 ----a-w- c:\windows\system32\drivers\nvhda32.sys

2011-03-03 15:59:16 837224 ----a-w- c:\windows\system32\nvhdagenco322040.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

.

============= FINISH: 9:15:56.32 ===============

Here is attach/gmer files:

attach.zip

Please help me get rid of any further infections!

Thank You

Link to post
Share on other sites

Hi AngryInCLE and Welcome to Malwarebytes!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Link to post
Share on other sites

Thank You for the fast reply, your help is greatly appreciated!

Here is combofix log:

ComboFix 11-05-30.06 - user 05/30/2011 22:51:14.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2359 [GMT -4:00]

Running from: c:\documents and settings\user\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\user\Application Data\PriceGong

c:\documents and settings\user\Application Data\PriceGong\Data\1.xml

c:\documents and settings\user\Application Data\PriceGong\Data\a.xml

c:\documents and settings\user\Application Data\PriceGong\Data\b.xml

c:\documents and settings\user\Application Data\PriceGong\Data\c.xml

c:\documents and settings\user\Application Data\PriceGong\Data\d.xml

c:\documents and settings\user\Application Data\PriceGong\Data\e.xml

c:\documents and settings\user\Application Data\PriceGong\Data\f.xml

c:\documents and settings\user\Application Data\PriceGong\Data\g.xml

c:\documents and settings\user\Application Data\PriceGong\Data\h.xml

c:\documents and settings\user\Application Data\PriceGong\Data\i.xml

c:\documents and settings\user\Application Data\PriceGong\Data\J.xml

c:\documents and settings\user\Application Data\PriceGong\Data\k.xml

c:\documents and settings\user\Application Data\PriceGong\Data\l.xml

c:\documents and settings\user\Application Data\PriceGong\Data\m.xml

c:\documents and settings\user\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\user\Application Data\PriceGong\Data\n.xml

c:\documents and settings\user\Application Data\PriceGong\Data\o.xml

c:\documents and settings\user\Application Data\PriceGong\Data\p.xml

c:\documents and settings\user\Application Data\PriceGong\Data\q.xml

c:\documents and settings\user\Application Data\PriceGong\Data\r.xml

c:\documents and settings\user\Application Data\PriceGong\Data\s.xml

c:\documents and settings\user\Application Data\PriceGong\Data\t.xml

c:\documents and settings\user\Application Data\PriceGong\Data\u.xml

c:\documents and settings\user\Application Data\PriceGong\Data\v.xml

c:\documents and settings\user\Application Data\PriceGong\Data\w.xml

c:\documents and settings\user\Application Data\PriceGong\Data\x.xml

c:\documents and settings\user\Application Data\PriceGong\Data\y.xml

c:\documents and settings\user\Application Data\PriceGong\Data\z.xml

c:\windows\system32\lsprst7.dll

c:\windows\system32\ssprs.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-31 )))))))))))))))))))))))))))))))

.

.

2011-05-29 07:15 . 2011-05-29 07:15 -------- d-----w- c:\windows\system32\LogFiles

2011-05-28 16:39 . 2011-05-28 16:39 -------- d-----w- c:\windows\Sun

2011-05-28 16:39 . 2011-05-28 16:39 -------- d-----w- c:\program files\Common Files\Java

2011-05-28 16:39 . 2011-05-28 16:39 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2011-05-28 16:39 . 2011-05-28 16:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-28 16:39 . 2011-05-28 16:38 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-28 16:38 . 2011-05-28 16:38 -------- d-----w- c:\program files\Java

2011-05-28 14:48 . 2011-05-28 14:48 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\TechSmith

2011-05-28 14:46 . 2011-05-28 14:46 -------- d-----w- c:\windows\system32\QuickTime

2011-05-28 14:46 . 2011-05-28 14:46 -------- d-----w- c:\program files\Common Files\TechSmith Shared

2011-05-28 14:46 . 2011-05-28 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith

2011-05-28 03:06 . 2011-05-28 03:06 -------- d-----w- c:\program files\Market Samurai

2011-05-21 23:53 . 2011-05-21 23:53 -------- d-----w- c:\program files\iPod

2011-05-21 23:49 . 2011-05-21 23:49 -------- d-----w- c:\program files\Bonjour

2011-05-10 02:00 . 2011-05-10 02:00 -------- d-----w- c:\program files\Common Files\DigitalJuice

2011-05-08 19:36 . 2011-05-08 19:36 -------- d-----w- c:\documents and settings\UpdatusUser

2011-05-08 19:36 . 2011-05-08 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA

2011-05-08 19:35 . 2011-05-08 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2011-05-08 19:33 . 2011-05-08 19:36 -------- d-----w- c:\program files\NVIDIA Corporation

2011-05-08 19:32 . 2011-05-08 19:32 -------- d-----w- C:\NVIDIA

2011-05-02 21:15 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2011-05-02 21:15 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2011-05-01 12:09 . 2011-05-01 12:09 -------- d-----w- c:\program files\MSXML 4.0

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-08 16:58 . 2010-04-19 22:07 2263 ----a-w- c:\documents and settings\All Users\Application Data\xmlB9.tmp

2011-05-08 16:58 . 2010-04-19 22:07 13621 ----a-w- c:\documents and settings\All Users\Application Data\xmlB8.tmp

2011-05-08 16:58 . 2010-04-19 22:07 8185 ----a-w- c:\documents and settings\All Users\Application Data\xmlB7.tmp

2011-04-08 05:14 . 2010-04-09 15:17 12501600 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2011-04-08 05:14 . 2008-04-14 00:12 4111232 ----a-w- c:\windows\system32\nv4_disp.dll

2011-04-08 02:15 . 2011-04-08 02:15 81920 ----a-w- c:\windows\system32\nvwddi.dll

2011-04-08 02:15 . 2011-04-08 02:15 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll

2011-04-08 02:15 . 2011-04-08 02:15 277608 ----a-w- c:\windows\system32\nvmccs.dll

2011-04-08 02:15 . 2011-04-08 02:15 13891176 ----a-w- c:\windows\system32\nvcpl.dll

2011-04-08 02:15 . 2011-04-08 02:15 111208 ----a-w- c:\windows\system32\nvmctray.dll

2011-04-08 02:15 . 2011-04-08 02:15 155752 ----a-w- c:\windows\system32\nvsvc32.exe

2011-04-08 02:15 . 2011-04-08 02:15 145000 ----a-w- c:\windows\system32\nvcolor.exe

2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2011-03-07 05:33 . 2010-01-21 20:47 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-04-29 23:13 . 2011-03-25 12:46 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2010-11-14 222496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-04-12 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-19 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]

"NvMediaCenter"="NvMCTray.dll" [2011-04-08 111208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-04-08 13891176]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-02-24 1753192]

"Nuance.ctfmngr"="c:\program files\Nuance\NaturallySpeaking11\Program\ctfmngr.exe" [2010-07-23 39272]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\RpcAgentSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\WNt500x86\\sandra.mui"=

"c:\\Program Files\\CoreFTP\\coreftp.exe"=

"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Documents and Settings\\user\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\WNt500x86\\RpcSandraSrv.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=

"c:\\Program Files\\Activision\\Call of Duty - Black Ops\\BlackOps.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 7:23 AM 108792]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 7:26 AM 96408]

R2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [7/23/2010 12:24 PM 296808]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 7:24 AM 735960]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [5/8/2011 3:36 PM 2218600]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [5/8/2011 3:34 PM 119272]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe [4/19/2010 6:00 PM 93336]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - awtcrfog

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1 209.18.47.61 209.18.47.62

FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\x0zpycs2.default\

FF - prefs.js: browser.search.selectedEngine - Godaddy.com

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-AdobeBridge - (no file)

MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\cli.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-30 22:54

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:b6,7a,3d,65,ed,65,e1,2a,a9,44,d1,0f,9d,38,e1,98,a1,a0,78,ba,fb,

63,ff,a9,15,2e,72,7b,c9,63,90,fa,d6,bf,10,40,50,2c,ec,7d,e9,83,9f,2f,53,4a,\

.

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:b6,7a,3d,65,ed,65,e1,2a,a9,44,d1,0f,9d,38,e1,98,a1,a0,78,ba,fb,

63,ff,a9,15,2e,72,7b,c9,63,90,fa,d6,bf,10,40,50,2c,ec,7d,e9,83,9f,2f,53,4a,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(836)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

Completion time: 2011-05-30 22:55:40

ComboFix-quarantined-files.txt 2011-05-31 02:55

.

Pre-Run: 23,824,379,904 bytes free

Post-Run: 26,071,773,184 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 00DC8FC61E5D53EC43A79FB4BAC9EA94

Let me know how to proceed.

Thank You!

Link to post
Share on other sites

Run CFScript

  • Close any open browsers.
  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

File::
c:\documents and settings\All Users\Application Data\xmlB9.tmp
c:\documents and settings\All Users\Application Data\xmlB8.tmp
c:\documents and settings\All Users\Application Data\xmlB7.tmp

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

As you requested here is latest combofix scan result:

ComboFix 11-05-30.06 - user 05/30/2011 23:27:18.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2423 [GMT -4:00]

Running from: c:\documents and settings\user\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt

AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

FILE ::

"c:\documents and settings\All Users\Application Data\xmlB7.tmp"

"c:\documents and settings\All Users\Application Data\xmlB8.tmp"

"c:\documents and settings\All Users\Application Data\xmlB9.tmp"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\xmlB7.tmp

c:\documents and settings\All Users\Application Data\xmlB8.tmp

c:\documents and settings\All Users\Application Data\xmlB9.tmp

.

.

((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-31 )))))))))))))))))))))))))))))))

.

.

2011-05-29 07:15 . 2011-05-29 07:15 -------- d-----w- c:\windows\system32\LogFiles

2011-05-28 16:39 . 2011-05-28 16:39 -------- d-----w- c:\windows\Sun

2011-05-28 16:39 . 2011-05-28 16:39 -------- d-----w- c:\program files\Common Files\Java

2011-05-28 16:39 . 2011-05-28 16:39 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2011-05-28 16:39 . 2011-05-28 16:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-28 16:39 . 2011-05-28 16:38 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-28 16:38 . 2011-05-28 16:38 -------- d-----w- c:\program files\Java

2011-05-28 14:48 . 2011-05-28 14:48 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\TechSmith

2011-05-28 14:46 . 2011-05-28 14:46 -------- d-----w- c:\windows\system32\QuickTime

2011-05-28 14:46 . 2011-05-28 14:46 -------- d-----w- c:\program files\Common Files\TechSmith Shared

2011-05-28 14:46 . 2011-05-28 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith

2011-05-28 03:06 . 2011-05-28 03:06 -------- d-----w- c:\program files\Market Samurai

2011-05-21 23:53 . 2011-05-21 23:53 -------- d-----w- c:\program files\iPod

2011-05-21 23:49 . 2011-05-21 23:49 -------- d-----w- c:\program files\Bonjour

2011-05-10 02:00 . 2011-05-10 02:00 -------- d-----w- c:\program files\Common Files\DigitalJuice

2011-05-08 19:36 . 2011-05-08 19:36 -------- d-----w- c:\documents and settings\UpdatusUser

2011-05-08 19:36 . 2011-05-08 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA

2011-05-08 19:35 . 2011-05-08 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2011-05-08 19:33 . 2011-05-08 19:36 -------- d-----w- c:\program files\NVIDIA Corporation

2011-05-08 19:32 . 2011-05-08 19:32 -------- d-----w- C:\NVIDIA

2011-05-02 21:15 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2011-05-02 21:15 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2011-05-01 12:09 . 2011-05-01 12:09 -------- d-----w- c:\program files\MSXML 4.0

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-08 05:14 . 2010-04-09 15:17 12501600 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2011-04-08 05:14 . 2008-04-14 00:12 4111232 ----a-w- c:\windows\system32\nv4_disp.dll

2011-04-08 02:15 . 2011-04-08 02:15 81920 ----a-w- c:\windows\system32\nvwddi.dll

2011-04-08 02:15 . 2011-04-08 02:15 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll

2011-04-08 02:15 . 2011-04-08 02:15 277608 ----a-w- c:\windows\system32\nvmccs.dll

2011-04-08 02:15 . 2011-04-08 02:15 13891176 ----a-w- c:\windows\system32\nvcpl.dll

2011-04-08 02:15 . 2011-04-08 02:15 111208 ----a-w- c:\windows\system32\nvmctray.dll

2011-04-08 02:15 . 2011-04-08 02:15 155752 ----a-w- c:\windows\system32\nvsvc32.exe

2011-04-08 02:15 . 2011-04-08 02:15 145000 ----a-w- c:\windows\system32\nvcolor.exe

2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2011-03-07 05:33 . 2010-01-21 20:47 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-04-29 23:13 . 2011-03-25 12:46 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2010-11-14 222496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-04-12 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-19 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]

"NvMediaCenter"="NvMCTray.dll" [2011-04-08 111208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-04-08 13891176]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-02-24 1753192]

"Nuance.ctfmngr"="c:\program files\Nuance\NaturallySpeaking11\Program\ctfmngr.exe" [2010-07-23 39272]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\RpcAgentSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\WNt500x86\\sandra.mui"=

"c:\\Program Files\\CoreFTP\\coreftp.exe"=

"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Documents and Settings\\user\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\WNt500x86\\RpcSandraSrv.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=

"c:\\Program Files\\Activision\\Call of Duty - Black Ops\\BlackOps.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 7:23 AM 108792]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 7:26 AM 96408]

R2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [7/23/2010 12:24 PM 296808]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 7:24 AM 735960]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [5/8/2011 3:36 PM 2218600]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [5/8/2011 3:34 PM 119272]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe [4/19/2010 6:00 PM 93336]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - awtcrfog

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1 209.18.47.61 209.18.47.62

FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\x0zpycs2.default\

FF - prefs.js: browser.search.selectedEngine - Godaddy.com

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-30 23:29

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:b6,7a,3d,65,ed,65,e1,2a,a9,44,d1,0f,9d,38,e1,98,a1,a0,78,ba,fb,

63,ff,a9,15,2e,72,7b,c9,63,90,fa,d6,bf,10,40,50,2c,ec,7d,e9,83,9f,2f,53,4a,\

.

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:b6,7a,3d,65,ed,65,e1,2a,a9,44,d1,0f,9d,38,e1,98,a1,a0,78,ba,fb,

63,ff,a9,15,2e,72,7b,c9,63,90,fa,d6,bf,10,40,50,2c,ec,7d,e9,83,9f,2f,53,4a,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(836)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

Completion time: 2011-05-30 23:30:36

ComboFix-quarantined-files.txt 2011-05-31 03:30

ComboFix2.txt 2011-05-31 02:55

.

Pre-Run: 26,084,884,480 bytes free

Post-Run: 26,071,842,816 bytes free

.

- - End Of File - - 83ECDCEC4B9C6678D11CABBD06605C1C

Thank You

Link to post
Share on other sites

Smile we are getting closer. Great job you done there!

There are some older versions of Java on your computer. These can be a source of this infection.

[javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 25 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u125 -windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

      [*]Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_25 from Sun Microsystems Inc.

Next

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

    [*]Click on My Computer under the green Scan bar to the left to start the scan.

    [*]Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

    [*]Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

    [*]Click View report... at the bottom.

    [*] Click the Save report... button.

    KasReport.png

    [*] Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

    [*]( To see an animated tutorial-how-to on the scan, see >>this link<<)

NOTE

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or any other quarantine. Kaspersky is a report only and does not remove files.

Link to post
Share on other sites

Completed Java removal and update procedure successfully.

However when I attempted to run kaspersky online scan, I receive the following error message:

"Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab.

Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: License has expired]"

I tried both firefox and Ie, eset was disabled.

Please advise as to how i should proceed.

Thank You

Link to post
Share on other sites

Kaspersky Online Scanner does this at times. We'll use ESET:

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

[*]Now click on: EOLS3.gif

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on: EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Link to post
Share on other sites

Here is log file from eset online scanner:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6522

# api_version=3.0.2

# EOSSerial=50c501c98ff82341a7194030c3d208a0

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-05-31 07:27:18

# local_time=2011-05-31 03:27:18 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8199 39157157 100 100 0 53254118 0 0

# scanned=738308

# found=0

# cleaned=0

# scan_time=26494

# nod_component=V3 Build:0x30000000

Let me know how to proceed.

Thank You.

Link to post
Share on other sites

How is your computer doing AngryInCLE?

Update Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

Computer seems to be running ok the false windows auto update notice is gone from the taskbar :) Feeling slightly less angry :P Now I just to find the sob who invented this malware and deal with him...lol.

Here is MB log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6736

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/31/2011 3:46:22 PM

mbam-log-2011-05-31 (15-46-22).txt

Scan type: Quick scan

Objects scanned: 171140

Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Does this mean my computer is no longer infected?

Thank You

Link to post
Share on other sites

Purge old temporary files. Now that we are done.... :)

Please download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start
    button to begin the process. Depending on how often you clean temp
    files, execution time should be anywhere from a few seconds to a minute
    or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

You should keep TFC and run it once a week.

Your Computer is Clean

mr-clean.gif

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

It's a good idea to Flush your System Restore after removing malware and create a new restore point.

To SET A NEW RESTORE POINT:

1. Go to Start > Programs > Accessories > System Tools and click "System Restore".

2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

3. Then go to Start > Run and type: Cleanmgr

4. Click "OK".

5. Click the "More Options" Tab.

6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.

How to Create a Restore Point.

How to use Cleanmgr.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Secunia software inspector & update checker

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from to help speed up your computer.

Visit My Blog for Malware and Spyware Tips

6567E80CC55576485246E130E48A9FA8.png

Link to post
Share on other sites

Thanks for the fast and courteous help in solving my malware problem! As i understand it my computer is no longer infected and I can proceed to use it again? Also do I need to enable whatever it was that dds disabled earlier on? or is this automatically done upon restart?

Thanks Again.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.