"c:\windows\System32\wermgr.exe . . . is infected"


  • This topic is locked
7 replies to this topic

#1 jdavie13 (New Member, 3 posts)

Posted 02 July 2010 - 04:08 PM

On advice from a friend I recently used ComboFix to scan my computer after it reported that it had a virus. This virus has resulted in occurrences such as Firefox crashing and shutting down on a regular basis, Windows shutting down and restarting regularly and without warning or reason, various programs such as Windows Media Player refusing to work, and has also just wiped my entire iTunes library only a couple of days after it was downloaded and filled with over 8 GB worth of music. I have tried several system restores in the past and that has worked for a couple of weeks before the problem returned. I have also taken it to a computer specialist who said that it was a problem with the memory and had wiped it and returned it to its factory settings. This seemed to solve the problem, but after a couple of weeks the same errors began to occur again. I have posted the complete report and would be grateful if anyone has any input as to what is wrong and what I can do to stop it. Cheers everyone.

ComboFix 10-07-01.02 - System User 02/07/2010 21:31:55.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1022.407 [GMT 1:00]
Running from: c:\users\System User\Desktop\com.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\wermgr.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
.

2010-07-02 21:24 . 2010-07-02 21:24 -------- d-----w- c:\users\System User\AppData\Local\temp
2010-06-25 18:54 . 2010-06-25 19:05 -------- d-----w- c:\users\System User\AppData\Roaming\Apple Computer
2010-06-25 18:54 . 2010-06-25 18:54 -------- d-----w- c:\users\System User\AppData\Local\Apple Computer
2010-06-25 18:53 . 2009-05-18 12:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-06-25 18:53 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-06-25 18:53 . 2010-06-25 18:53 -------- dc----w- c:\windows\system32\DRVSTORE
2010-06-25 18:52 . 2010-06-25 18:52 -------- d-----w- c:\program files\iPod
2010-06-25 18:52 . 2010-06-25 18:53 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-25 18:52 . 2010-06-25 18:53 -------- d-----w- c:\program files\iTunes
2010-06-25 18:51 . 2010-06-25 18:52 -------- d-----w- c:\program files\QuickTime
2010-06-25 18:51 . 2010-06-25 18:52 -------- d-----w- c:\programdata\Apple Computer
2010-06-25 18:50 . 2010-06-25 18:50 -------- d-----w- c:\users\System User\AppData\Local\Apple
2010-06-25 18:50 . 2010-06-25 18:50 -------- d-----w- c:\program files\Apple Software Update
2010-06-25 18:48 . 2010-06-25 18:48 -------- d-----w- c:\program files\Bonjour
2010-06-25 18:48 . 2010-06-25 18:52 -------- d-----w- c:\program files\Common Files\Apple
2010-06-25 18:48 . 2010-06-25 18:48 -------- d-----w- c:\programdata\Apple
2010-06-15 19:01 . 2010-06-15 19:01 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-10 17:22 . 2009-08-24 12:47 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-06-09 18:06 . 2009-06-15 15:28 272384 ----a-w- c:\windows\system32\schannel.dll
2010-06-09 18:06 . 2009-06-15 15:23 494592 ----a-w- c:\windows\system32\kerberos.dll
2010-06-03 15:35 . 2010-06-03 15:35 -------- d-----w- C:\found.001
2010-06-03 11:52 . 2008-10-31 23:38 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-03 11:52 . 2008-11-01 03:33 1687040 ----a-w- c:\windows\system32\gameux.dll
2010-06-03 11:52 . 2008-11-01 03:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 17:33 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-06-29 23:21 . 2010-02-24 18:30 -------- d-----w- c:\users\System User\AppData\Roaming\Spotify
2010-05-21 13:14 . 2010-02-25 09:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-10 23:37 . 2010-05-10 23:37 655360 ----a-w- c:\users\System User\AppData\Roaming\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-05-10 23:37 . 2010-05-10 23:37 282624 ----a-w- c:\users\System User\AppData\Roaming\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-05-10 23:37 . 2010-05-10 23:37 208896 ----a-w- c:\users\System User\AppData\Roaming\Spotify\Gracenote\gnsdk_dsp.dll
2010-04-19 08:38 . 2010-02-20 12:02 70176 ----a-w- c:\users\System User\AppData\Local\GDIPFONTCACHEV1.DAT
2007-03-07 12:54 . 2007-03-07 12:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-12-16 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-10 90192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-10 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-10 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thetechguys.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\System User\AppData\Roaming\Mozilla\Firefox\Profiles\1zo7zya2.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-02 22:24
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-02 22:28:09
ComboFix-quarantined-files.txt 2010-07-02 21:28

Pre-Run: 235,898,707,968 bytes free
Post-Run: 235,875,119,104 bytes free

- - End Of File - - 27BADB5F881409706E73A50FD46C3410



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 05 July 2010 - 07:52 AM

You can delete wermgr.exe and Windows will re-create it when you reboot.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

File::
c:\windows\System32\wermgr.exe

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:
1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...



Drag CFScript.txt into ComboFix.exe


Then post the results log using Copy / Paste


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to donate via PayPal for the help you received.

Proud graduate of TC/WTT Classroom


#3 jdavie13 (New Member, 3 posts)

Posted 06 July 2010 - 07:15 AM

Hi

Thanks for getting back to me. I did as you suggested and a copy of the report can be found below. One or two problems with my computer today: a message saying that Windows Update has stopped working has flashed up a couple of times; a message flashed up yesterday saying that Windows Firewall is currently off and I couldn't seem to be able to turn it back on, today however it says that the firewall is online and working normally; and also whilst I was in the middle of writing this message my computer crashed and went to a blue screen for a number of seconds before restarting and sending me to a black screen with the option of starting Windows normally. I clicked on starting Windows normally and there seemed to be no further problems. Over the past couple of months this has been a regular occurrence, but after it happens Windows seems to work normally.

Thanks again for your time.

ComboFix 10-07-01.02 - System User 06/07/2010 12:16:17.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1022.469 [GMT 1:00]
Running from: c:\users\System User\Desktop\ComboFix.exe
Command switches used :: c:\users\System User\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\wermgr.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.

2010-07-06 12:01 . 2010-07-06 12:01 -------- d-----w- c:\users\System User\AppData\Local\temp
2010-06-25 18:54 . 2010-06-25 19:05 -------- d-----w- c:\users\System User\AppData\Roaming\Apple Computer
2010-06-25 18:54 . 2010-06-25 18:54 -------- d-----w- c:\users\System User\AppData\Local\Apple Computer
2010-06-25 18:53 . 2009-05-18 12:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-06-25 18:53 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-06-25 18:53 . 2010-06-25 18:53 -------- dc----w- c:\windows\system32\DRVSTORE
2010-06-25 18:52 . 2010-06-25 18:52 -------- d-----w- c:\program files\iPod
2010-06-25 18:52 . 2010-06-25 18:53 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-25 18:52 . 2010-06-25 18:53 -------- d-----w- c:\program files\iTunes
2010-06-25 18:51 . 2010-06-25 18:52 -------- d-----w- c:\program files\QuickTime
2010-06-25 18:51 . 2010-06-25 18:52 -------- d-----w- c:\programdata\Apple Computer
2010-06-25 18:50 . 2010-06-25 18:50 -------- d-----w- c:\users\System User\AppData\Local\Apple
2010-06-25 18:50 . 2010-06-25 18:50 -------- d-----w- c:\program files\Apple Software Update
2010-06-25 18:48 . 2010-06-25 18:48 -------- d-----w- c:\program files\Bonjour
2010-06-25 18:48 . 2010-06-25 18:52 -------- d-----w- c:\program files\Common Files\Apple
2010-06-25 18:48 . 2010-06-25 18:48 -------- d-----w- c:\programdata\Apple
2010-06-15 19:01 . 2010-06-15 19:01 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-10 17:22 . 2009-08-24 12:47 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-06-09 18:06 . 2009-06-15 15:28 272384 ----a-w- c:\windows\system32\schannel.dll
2010-06-09 18:06 . 2009-06-15 15:23 494592 ----a-w- c:\windows\system32\kerberos.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 23:11 . 2010-02-24 18:30 -------- d-----w- c:\users\System User\AppData\Roaming\Spotify
2010-07-02 17:33 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-21 13:14 . 2010-02-25 09:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-10 23:37 . 2010-05-10 23:37 655360 ----a-w- c:\users\System User\AppData\Roaming\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-05-10 23:37 . 2010-05-10 23:37 282624 ----a-w- c:\users\System User\AppData\Roaming\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-05-10 23:37 . 2010-05-10 23:37 208896 ----a-w- c:\users\System User\AppData\Roaming\Spotify\Gracenote\gnsdk_dsp.dll
2010-04-19 08:38 . 2010-02-20 12:02 70176 ----a-w- c:\users\System User\AppData\Local\GDIPFONTCACHEV1.DAT
2007-03-07 12:54 . 2007-03-07 12:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-07-02_21.24.46 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-12-16 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-10 90192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-10 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-10 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thetechguys.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\System User\AppData\Roaming\Mozilla\Firefox\Profiles\1zo7zya2.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 13:01
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-06 13:05:33
ComboFix-quarantined-files.txt 2010-07-06 12:05
ComboFix2.txt 2010-07-02 21:28

Pre-Run: 233,671,045,120 bytes free
Post-Run: 233,651,081,216 bytes free

- - End Of File - - D94F5E48BDBE9DE34D2A64A0283DDC0A
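Both logs above carry the same "c:\windows\System32\wermgr.exe . . . is infected!!" line under Other Deletions, before and after the CFScript run, so the first thing a reader wants is a quick way to see what a run flagged and what survived between runs. The Python below is an added example, not ComboFix's own code and not anything posted in this thread. It splits ComboFix-style log text into its parenthesised sections, pulls out the items a practitioner would look at (files ComboFix declared infected, executables created under c:\windows within the last 30 days, Run-key entries whose target is a bare file name or sits outside Windows and Program Files) and intersects two runs. Assumptions: the regexes describe the log shape as seen in the two posted logs, the first timestamp of a file row is the creation time (consistent with the "Files Created from" heading) and the run date is read from that heading's end date. The sample logs are constructed in the shape of the ones above; the "Updater" entry and upd.exe are hypothetical and appear in neither real log. The flags are review prompts, not verdicts: the two recently created system files it lists from this thread are the GEAR driver that iTunes installs and a June 2010 Windows Update to winhttp.dll.

```python
import re
from datetime import datetime, timedelta

# Log shapes as seen in the posted logs (an assumption about the format).
SECTION = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}\s*$")
CREATED_HDR = re.compile(r"^Files Created from \S+ to (\d{4}-\d{2}-\d{2})$")
FILE_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) (\S{8}) (.+)$")
RUN_ROW = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
INFECTED = re.compile(r"^(.+?) \. \. \. is infected", re.IGNORECASE)

PE_EXT = (".exe", ".dll", ".sys", ".drv", ".ocx", ".scr")
SYSTEM_PREFIX = "c:\\windows\\"
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# Constructed sample in the shape of the first log above (abridged).
BASE = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\System32\wermgr.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
.
2010-06-25 18:53 . 2009-05-18 12:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-06-25 18:52 . 2010-06-25 18:52 -------- d-----w- c:\program files\iPod
2010-06-10 17:22 . 2009-08-24 12:47 378368 ----a-w- c:\windows\system32\winhttp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"""
# Hypothetical entry, present in neither real log: an autorun in a user profile.
HYPOTHETICAL_RUN_ENTRY = r'"Updater"="c:\users\System User\AppData\Roaming\upd.exe" [2010-06-30 51200]'
RUN1 = BASE + HYPOTHETICAL_RUN_ENTRY + "\n"
# Second run four days later (as after the CFScript), without the hypothetical entry.
RUN2 = BASE.replace("from 2010-06-02 to 2010-07-02", "from 2010-06-06 to 2010-07-06")


def parse(log_text):
    """Split a log into {section: [non-empty lines]}. The run date is taken
    from the end of the 'Files Created from ... to ...' window, so the
    locale-dependent dd/mm order of the header line never matters."""
    sections, current, run_date = {}, "header", None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            h = CREATED_HDR.match(current)
            if h:
                run_date = datetime.strptime(h.group(1), "%Y-%m-%d")
                current = "Files Created"
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections, run_date


def triage(log_text, recent_days=30):
    """Return (tag, item) pairs worth a second look. These are review prompts,
    not verdicts: a fresh system DLL is just as likely a Windows Update."""
    sections, run_date = parse(log_text)
    findings = []
    for line in sections.get("Other Deletions", []):
        m = INFECTED.match(line)
        if m:
            findings.append(("flagged-infected", m.group(1).lower()))
    for line in sections.get("Files Created", []):
        m = FILE_ROW.match(line)
        if not m:
            continue
        created, attrs, path = m.group(1), m.group(4), m.group(5).lower()
        if attrs.startswith("d") or not path.endswith(PE_EXT):
            continue  # directories and non-executables are noise for this pass
        if path.startswith(SYSTEM_PREFIX) and run_date is not None:
            age = run_date - datetime.strptime(created, "%Y-%m-%d %H:%M")
            if age <= timedelta(days=recent_days):
                findings.append(("recent-system-pe", path))
    for line in sections.get("Reg Loading Points", []):
        m = RUN_ROW.match(line)
        if not m:
            continue
        target = m.group(2).lower()
        if "\\" not in target:
            # Bare file name: the loader's search order decides which copy
            # runs, so resolve it before trusting the entry.
            findings.append(("autorun-unqualified-path", target))
        elif not target.startswith(TRUSTED_PREFIXES):
            findings.append(("autorun-outside-trusted-dirs", target))
    return findings


def persisting(findings_a, findings_b):
    """Findings present in both runs, e.g. before and after a CFScript."""
    return sorted(set(findings_a) & set(findings_b))


if __name__ == "__main__":
    for tag, item in triage(RUN1):
        print(f"{tag:30} {item}")
    print("persisting:", persisting(triage(RUN1), triage(RUN2)))
```

Run it against a real log by reading the file into a string and passing it to triage(); anything in the "persisting" set after a cleanup step is a finding the step did not address, which on this thread is exactly the wermgr.exe line.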










#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 06 July 2010 - 07:27 AM

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply



#5 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 08 July 2010 - 03:58 PM

Do you still need help with this?



#6 jdavie13 (New Member, 3 posts)

Posted 12 July 2010 - 12:13 PM

Sorry for the delay, I ran the scan as you asked and here is the report. Thanks again for the help, much appreciated.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, July 12, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, July 12, 2010 11:38:59
Records in database: 4228535
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 97219
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:26:55

File name / Threat / Threats count
C:\Users\System User\Downloads\inst.exe Infected: Packed.Win32.Krap.gy 1
C:\Users\System User\Downloads\MalvRem_364s1.exe Infected: Packed.Win32.Katusha.n 1

Selected area has been scanned.

#7 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 12 July 2010 - 02:03 PM

Delete these two files and let me know how it's running.

C:\Users\System User\Downloads\inst.exe
C:\Users\System User\Downloads\MalvRem_364s1.exe



#8 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 16 July 2010 - 02:21 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.

