
[Resolved] Browser redirects and misc Trojans


  • This topic is locked
28 replies to this topic

#1 Flyingfish

    Authentic Member

  • 70 posts
  • Interests: Armadillos, llamas, and occasionally I go slummin' with the El' Packas. But only the ones with small ears.

Posted 24 October 2009 - 09:08 AM

:wub: Hello friends, thanks for your help upfront. I appreciate it a lot.

Questions:

1. In the RootRepeal instructions it says:
g. Check the box for your main system drive (Usually C:), and press Ok.
  • I was not prompted to select a drive after I selected the scan options.

h. Allow RootRepeal to run a scan of your system. This may take some time.
  • My scan took a total of 2 seconds. Is there something wrong b/c I was not prompted to select a drive? I reran it to see if I missed the drive option and it followed the same process.

3. In the instructions I didn't see anything about running HJT, but then at the bottom it says for #5,
"You can also go to the #whatthetech chatroom to ask for help with your problem, but you will still need to post your HJT log in the forum."

4. In the section describing how to deactivate your virus scanners: I have McAfee through Comcast, and the directions say to right-click the icon and choose 'exit'. When I right-click on the toolbar icon there is no 'exit' option. I find my McAfee scanner very frustrating as it is not easy to deactivate. I found the panel a few times, but cannot all the time, and I am not a moron. I tried killing the processes in the task manager but they come back.

Just thought I'd let you know since they can interfere with the scans.
So I wasn't sure if the DDS was a pseudo HJT log and I didn't need a real HJT log, but I decided to post it anyway in case you need it.

Here's the poop;

Short Story
1. I have browser redirects
2. Upon start up my main user profile will not load, so I've had to use a secondary profile. (Will that affect the scans?)

Long Story
(1.)
The browser redirects are really annoying. In the past I could get around them by clicking the back button. Now that doesn't work most times. It has been a real chore to get the programs downloaded and get to the various forum pages to post due to all the redirects. Clicking on the link, opening in a new window, all fail most of the time. When I try to right-click on the link and copy/paste the link address, the address listed in properties is the redirect web site address. I was impressed with that one. Sometimes it works to type the address manually, that's a PIA though.

The main redirect address is: removed <That's a little bad boy.

(2.)
I hope the scans show everything b/c I had to boot into a secondary profile b/c my main profile won't load. It opens but then clocks forever. The background will load, icons, but then if you mouse over the taskbar you just get the hourglass icon for an eternity. Can't launch programs due to clocking. I haven't been able to load it for a few days, but at first when the problems appeared it would load.

[edit: added what I have tried]
What I have tried:
Ran McAfee, said it killed a few trojans, rebooted, no change.
Ran Spybot, found one thing, killed it, still no change.
Ran MBytes, found a few things, killed it, rebooted, issue remained.
I tried them a few times; between the three prolly about 11 different things were found at one time, they 'killed' it, needed to reboot, issue remained, seemed to get worse.

Other random info you might need, or not:
My shoe size is between 9-10 depending on the brand of shoe.
I like hats.
Fish are my friends, not food, unless sushi is involved.
I like to build and launch model rockets and my recent creation is the best ever. Don't be jealous.
I have a cell phone that is 6 years old and it sucks.


LOGS


DDS (Ver_09-10-13.01) - NTFSx86
Run by Angelina at 9:11:33.68 on Sat 10/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.465 [GMT -5:00]

AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Documents and Settings\Angelina\Desktop\dds.scr
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*hxxp://www.yahoo.com/search/ie.html
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*hxxp://www.yahoo.com
uStart Page = hxxp://yahoo.sbc.com/dsl
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [userinit] c:\windows\system32\ntos.exe
uRun: [UpdateWin] c:\windows\system32\adptifn.exe
uRun: [ComcastAntispyClient] "c:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide
uRun: [calc] rundll32.exe c:\docume~1\locals~1\ntuser.dll,_IWMPEvents@0
uRunServices: [UpdateWin] c:\windows\system32\adptifn.exe
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\angelina\applic~1\mozilla\firefox\profiles\dggrcjdk.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - HiddenExtension: XUL Cache: {4709ABB0-C3AC-40CC-8A0E-43548CB45C51} - c:\documents and settings\angelina\local settings\application data\{4709ABB0-C3AC-40CC-8A0E-43548CB45C51}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\nikon\wireless camera setup utility\NkPtpEnum.exe [2005-6-17 24064]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [2005-6-17 17664]
S1 bcbus;BestCrypt bus driver;c:\windows\system32\drivers\bcbus.sys --> c:\windows\system32\drivers\bcbus.sys [?]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-3-16 616408]

=============== Created Last 30 ================

2009-10-22 09:01 <DIR> --d----- c:\docume~1\angelina\applic~1\Malwarebytes
2009-10-19 18:32 3 a------- c:\windows\system32\o6.dat
2009-10-19 18:32 45 a------- c:\windows\system32\pog.dat
2009-10-19 18:32 1 a------- c:\windows\system32\qsf.dat
2009-10-19 18:32 1 a------- c:\windows\system32\jl.dat
2009-10-19 18:32 1 a------- c:\windows\system32\fcd.dat
2009-10-19 13:38 6,967 a------- c:\windows\system32\lknm
2009-10-18 11:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RegCure

==================== Find3M ====================

2009-09-16 10:22 214,664 a------- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 10:22 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 10:22 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 10:22 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 10:22 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 02:36 832,512 a------- c:\windows\system32\wininet.dll
2009-08-29 02:36 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-29 02:36 17,408 a------- c:\windows\system32\corpol.dll
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 10:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 09:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-06-10 20:31 0 a------- c:\program files\jre-6u14-windows-i586.exe
2009-06-10 20:26 0 a------- c:\program files\jre-6u14-windows-i586.exe.bak
2009-06-10 20:26 1,192 a------- c:\program files\jre-6u14-windows-i586.exe.sdm
2007-05-17 21:26 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2006-04-13 13:15 0 a------- c:\docume~1\angelina\applic~1\wklnhst.dat
2008-09-01 03:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat
2009-05-12 15:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051220090513\index.dat

============= FINISH: 9:13:33.95 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/24 09:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3772000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A0F000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3F03000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "IPVNMon.sys" at address 0xf72c9803

==EOF==


HJT LOG - in case you need it-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:15 AM, on 10/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\notepad.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://red.cl...w.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*hxxp://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://yahoo....hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.mic...k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.mic...k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.mic...k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = hxxp://yahoo....hoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - F99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO:  - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKCU\..\Run: [UpdateWin] C:\WINDOWS\system32\adptifn.exe
O4 - HKCU\..\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\RunServices: [UpdateWin] C:\WINDOWS\system32\adptifn.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBServer.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 10826 bytes


Edited by CatByte, 24 October 2009 - 01:25 PM.
remove bad link

I Lag, therefore I am.
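Reading the Run-key sections of the two logs above is most of what a helper does with a post like this. The script below is an added example, not the forum's code and not part of DDS, HijackThis or ComboFix: it parses the `uRun`/`mRun` lines from a DDS "Pseudo HJT Report" and the `O4` lines from a HijackThis log and applies the checks a helper applies by eye. The sample log inside it is constructed to mirror the shape of the posted entries; the lists of Winlogon-started names, lookalike DLL stems, profile markers and trusted path roots are assumptions made for this example, not a published ruleset.

```python
"""Triage the Run-key entries of a DDS "Pseudo HJT Report" or HijackThis O4 log.

Added example; not code from the forum post nor from DDS, HijackThis or ComboFix.
The name lists and path roots are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# DDS prints user-hive values as uRun... and machine-hive values as mRun...
DDS_RE = re.compile(
    r"^(?P<hive>[um])(?P<key>Run(?:Services|Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# HijackThis prints the same registry data as O4 lines with an explicit hive.
HJT_RE = re.compile(
    r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\(?P<key>Run(?:Services|Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Assumed lists for this example.
LOGON_COMPONENTS = {"userinit", "winlogon", "explorer"}  # started by Winlogon, never from Run
LOOKALIKE_STEMS = {"calc", "ntuser", "ntos", "svchost"}   # DLL names that imitate Windows files
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\users\\")
TRUSTED_ROOTS = ("\\windows\\", "\\program files\\", "\\progra~1\\")

# Constructed sample in both formats, shaped like the entries in the posted logs.
SAMPLE_LOG = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [userinit] c:\\windows\\system32\\ntos.exe
uRun: [UpdateWin] c:\\windows\\system32\\adptifn.exe
uRun: [calc] rundll32.exe c:\\docume~1\\locals~1\\ntuser.dll,_IWMPEvents@0
uRunServices: [UpdateWin] c:\\windows\\system32\\adptifn.exe
O4 - HKLM\\..\\Run: [calc] rundll32.exe C:\\WINDOWS\\system32\\calc.dll,_IWMPEvents@0
O4 - HKLM\\..\\Run: [itype] "C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe"
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
"""

@dataclass(frozen=True)
class Entry:
    hive: str  # HKCU or HKLM
    key: str   # Run, RunOnce or RunServices
    name: str  # registry value name
    cmd: str   # command line as logged

def parse_autostarts(text):
    """Parse DDS and HijackThis Run-key lines into Entry objects, dropping duplicates."""
    seen, entries = set(), []
    for line in text.splitlines():
        m = DDS_RE.match(line.strip()) or HJT_RE.match(line.strip())
        if not m:
            continue
        hive = {"u": "HKCU", "m": "HKLM"}.get(m["hive"], m["hive"])
        e = Entry(hive, m["key"], m["name"], m["cmd"].strip())
        fingerprint = (e.hive, e.key.lower(), e.name.lower(), e.cmd.lower())
        if fingerprint not in seen:
            seen.add(fingerprint)
            entries.append(e)
    return entries

def rundll32_dll(cmd):
    """Return the DLL path from 'rundll32.exe <dll>,<export> ...' commands, else None."""
    parts = cmd.split(None, 1)
    if len(parts) < 2 or not parts[0].strip('"').lower().endswith("rundll32.exe"):
        return None
    return parts[1].partition(",")[0].strip('"')

def triage(text):
    """Return (Entry, reason) pairs for every autostart entry that trips a check."""
    entries = parse_autostarts(text)
    findings = []
    for e in entries:
        lowcmd = e.cmd.lower()
        if e.key.lower() == "runservices":
            findings.append((e, "RunServices is a Windows 9x key; nothing current installs there"))
        if e.name.lower() in LOGON_COMPONENTS:
            findings.append((e, "value named after a Winlogon-started component"))
        if any(marker in lowcmd for marker in PROFILE_MARKERS):
            findings.append((e, "autostart target lives inside a user profile"))
        dll = rundll32_dll(e.cmd)
        if dll:
            stem = dll.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if not any(root in dll.lower() for root in TRUSTED_ROOTS):
                findings.append((e, f"rundll32 loads {dll} from outside Windows/Program Files"))
            if stem in LOOKALIKE_STEMS:
                findings.append((e, f"rundll32 loads a lookalike DLL name ({stem}.dll)"))
    # The same value name in both hives pointing at different files is worth a look too.
    targets = {}
    for e in entries:
        targets.setdefault(e.name.lower(), {}).setdefault(e.hive, set()).add(e.cmd.lower())
    for e in entries:
        hives = targets[e.name.lower()]
        if len(hives) > 1 and len(set().union(*hives.values())) > 1:
            findings.append((e, "same value name in HKCU and HKLM with different targets"))
    return findings

def flagged_names(text):
    return sorted({e.name for e, _ in triage(text)})

if __name__ == "__main__":
    for e, reason in triage(SAMPLE_LOG):
        print(f"{e.hive}\\{e.key} [{e.name}] {e.cmd}\n    -> {reason}")
```

Run it on a saved DDS or HijackThis log by passing the file contents to `triage()`. Every check is a heuristic: a hit means "look at this entry", not "this is malware", and an entry that passes all of them (for instance `adptifn.exe` sitting in system32 under a plain Run value) still needs the file itself checked, which is why helpers ask for the log rather than a list of symptoms.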



#2 Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 27 October 2009 - 11:21 AM

Hi Flyingfish,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

It appears that your number one problem is that fish are better to eat after they've been cooked.
Do the hats like you?
All cell phones suck.
:P

Now to your computer.

You've got a few things going on there.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[image]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Tomk
------------------------------------------------------------
Topics are closed after 5 days without response


#3 Flyingfish

    Authentic Member

  • 70 posts

Posted 29 October 2009 - 07:05 AM

Hi, I am having trouble downloading the programs due to the redirects; as soon as I get them downloaded and run, I will post the logs. Thanks. Flyingfish.

#4 Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 29 October 2009 - 07:45 AM

Flyingfish, Download the programs on a different computer and transfer them to the infected machine.

Tomk


#5 Flyingfish

    Authentic Member

  • 70 posts

Posted 30 October 2009 - 07:52 PM

Hi Tomk! Hope you had a nice Halloween, and enjoyed your time offline. I haven't used the comp much since the ComboFix scan. However, I didn't get any redirects using IE after the scan coming to the forum to post the logs. Hopefully they stay away. Here's the two logs. ^_^

GooredFix by jpshortstuff (24.09.09.1)
Log created at 08:09 on 29/10/2009 (Angelina)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [12:51 16/04/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [15:40 03/01/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [16:45 28/03/2009]

---------- Old Logs ----------
GooredFix[13.08.14_29-10-2009].txt

-=E.O.F=-

ComboFix 09-10-30.01 - Angelina 10/30/2009 19:42.10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.457 [GMT -5:00]
Running from: c:\documents and settings\Angelina\Desktop\ComboFix.exe
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Angelina\ntuser.dll
c:\documents and settings\Angelina\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Angelina\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\LocalService\ntuser.dll
c:\documents and settings\Meow Meow and Meow\My Documents\registrybackup.reg
c:\documents and settings\Meow Meow and Meow\ntuser.dll
c:\documents and settings\Meow Meow and Meow\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Meow Meow and Meow\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\NetworkService\ntuser.dll
c:\windows\system32\calc.dll
c:\windows\system32\Data
c:\windows\system32\o6.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-22 14:01 . 2009-10-22 14:01 -------- d-----w- c:\documents and settings\Angelina\Application Data\Malwarebytes
2009-10-19 23:32 . 2009-10-20 05:46 45 ----a-w- c:\windows\system32\pog.dat
2009-10-19 23:32 . 2009-10-19 23:32 1 ----a-w- c:\windows\system32\qsf.dat
2009-10-19 23:32 . 2009-10-19 23:32 1 ----a-w- c:\windows\system32\jl.dat
2009-10-19 23:32 . 2009-10-19 23:32 1 ----a-w- c:\windows\system32\fcd.dat
2009-10-18 16:44 . 2009-10-18 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 12:58 . 2009-07-01 03:17 -------- d-----w- c:\program files\McAfee
2009-10-24 12:36 . 2009-09-20 01:20 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-10-24 12:36 . 2006-01-05 07:16 -------- d-----w- c:\program files\FaxTools
2009-10-24 12:36 . 2006-06-23 04:16 -------- d-----w- c:\program files\DivX
2009-10-24 12:36 . 2006-03-18 18:10 -------- d-----w- c:\program files\Dominion Wars
2009-10-24 12:36 . 2009-07-01 03:29 -------- d-----w- c:\program files\comcasttb
2009-10-24 12:36 . 2006-02-24 23:29 -------- d-----w- c:\program files\Microsoft Works
2009-10-24 12:36 . 2006-02-24 23:39 -------- d-----w- c:\program files\Microsoft Picture It! 9
2009-10-24 12:36 . 2006-01-05 07:07 -------- d-----w- c:\program files\Modem Helper
2009-10-24 12:36 . 2006-01-05 07:06 -------- d-----w- c:\program files\NetWaiting
2009-10-24 12:36 . 2008-07-24 01:19 -------- d-----w- c:\program files\RegCure
2009-10-24 12:36 . 2006-02-01 05:29 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-24 12:36 . 2008-07-26 16:25 -------- d-----w- c:\program files\Quicken
2009-10-20 12:46 . 2009-05-24 20:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 16:48 . 2007-10-15 23:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-21 20:00 . 2009-09-20 01:08 -------- d-----w- c:\program files\QuickTime
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\program files\iTunes
2009-09-20 01:15 . 2009-09-20 01:15 -------- d-----w- c:\program files\iPod
2009-09-20 01:15 . 2008-01-02 03:36 -------- d-----w- c:\program files\Common Files\Apple
2009-09-18 19:26 . 2006-02-25 01:02 25088 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\wklnhst.dat
2009-09-17 12:44 . 2009-07-01 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-17 09:07 . 2009-09-17 09:07 72280 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 15:22 . 2009-07-01 03:19 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2009-07-01 03:19 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2009-07-01 03:19 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-05-24 20:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-05-24 20:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 13:47 . 2009-09-10 13:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-10-21 18:51 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2006-01-05 17:26 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2006-01-05 17:26 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2006-01-05 17:26 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2006-01-05 05:53 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2003-07-16 20:25 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2006-01-05 17:26 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-01-05 05:53 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2003-07-16 20:39 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-06-11 01:31 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe
2009-06-11 01:26 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe.bak
2009-06-11 01:26 . 2009-06-11 01:26 1192 ----a-w- c:\program files\jre-6u14-windows-i586.exe.sdm
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2GDR\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2003-07-16 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB893066_0$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-03-16 1622488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-5 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"YOP"=c:\progra~1\Yahoo!\YOP\yop.exe /autostart
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Activision\\Star Trek Armada II\\Armada2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [3/16/2009 4:37 PM 616408]
R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [6/17/2005 12:11 PM 24064]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 12:11 PM 17664]
S1 bcbus;BestCrypt bus driver;c:\windows\system32\DRIVERS\bcbus.sys --> c:\windows\system32\DRIVERS\bcbus.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - IPVNMon
*Deregistered* - mbr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6631082-7d74-11da-96eb-806d6172696f}]
\Shell\AutoRun\command - D:\RiskInstall.exe
\Shell\directx\command - d:\redist\directx7\dxsetup.exe
\Shell\setup\command - D:\RiskInstall.exe
\Shell\zone\command - d:\redist\mszone\zoneA600.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27E53DCF-6B78-4088-BE71-5CA5CDCB2624}]
rundll32 pcfr32.dll,laspi
.
Contents of the 'Scheduled Tasks' folder

2009-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-10-31 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-10-31 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl
LSP: c:\windows\System32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\Angelina\Application Data\Mozilla\Firefox\Profiles\dggrcjdk.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-F99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
Toolbar-SITEguard - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-SBC Yahoo! UMUninstaller - c:\program files\SBC Yahoo!\umuninst.exe

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(744)
c:\windows\System32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(152)
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\System32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Borland\Interbase\Bin\IBGuard.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Borland\Interbase\Bin\IBServer.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\agent\mcupdate.exe
.
**************************************************************************
.
Completion time: 2009-10-31 20:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-31 01:34

Pre-Run: 32,706,363,392 bytes free
Post-Run: 32,734,298,112 bytes free

- - End Of File - - 99858A477B55C69178C0FA140F8851D3
I Lag, therefore I am.

#6 Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 01 November 2009 - 11:25 PM

Flyingfish,

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\windows\system32\pog.dat
    c:\windows\system32\qsf.dat
    c:\windows\system32\jl.dat
    c:\windows\system32\fcd.dat
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6631082-7d74-11da-96eb-806d6172696f}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Tomk
------------------------------------------------------------

Topics are closed after 5 days without response
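A small parser, added here as an example and not ComboFix's or the helper's own tooling, that reads a ComboFix log excerpt and emits a CFScript in the File::/Registry:: form used in the post above. The log excerpt is constructed from entries posted in this thread, and the selection rules (tiny newly created .dat files in system32, a mountpoints2 key whose AutoRun command launches from another drive) are assumptions that mirror the helper's choices, not ComboFix's own logic.

```python
"""Build a ComboFix CFScript from a ComboFix log (added example, not ComboFix's
or the helper's tooling). Assumes the CFScript syntax shown in the post above:
``File::`` then one path per line, ``Registry::`` then ``[-KEY]`` to delete a
key. The selection heuristics mirror the helper's picks and are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.
2009-10-22 14:01 . 2009-10-22 14:01 -------- d-----w- c:\documents and settings\Angelina\Application Data\Malwarebytes
2009-10-19 23:32 . 2009-10-20 05:46 45 ----a-w- c:\windows\system32\pog.dat
2009-10-19 23:32 . 2009-10-19 23:32 1 ----a-w- c:\windows\system32\qsf.dat
2009-10-19 23:32 . 2009-10-19 23:32 1 ----a-w- c:\windows\system32\jl.dat
2009-10-19 23:32 . 2009-10-19 23:32 1 ----a-w- c:\windows\system32\fcd.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 15:22 . 2009-07-01 03:19 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6631082-7d74-11da-96eb-806d6172696f}]
\Shell\AutoRun\command - D:\RiskInstall.exe
\Shell\setup\command - D:\RiskInstall.exe
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")   # ((( Section name )))
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                # [HKEY_...]
ENTRY_RE = re.compile(                                        # created . modified size attrs path
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    is_dir: bool
    path: str


def parse_log(text: str) -> Tuple[Dict[str, List[FileEntry]], Dict[str, List[str]]]:
    """Return file entries grouped by section and the lines listed under each registry key."""
    files: Dict[str, List[FileEntry]] = {}
    reg: Dict[str, List[str]] = {}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            key = None                      # a blank or "." line ends a key block
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group("name"), None
        elif m := KEY_RE.match(line):
            key = m.group("key")
            reg.setdefault(key, [])
        elif (m := ENTRY_RE.match(line)) and section is not None:
            size = None if m.group("size").startswith("-") else int(m.group("size"))
            files.setdefault(section, []).append(FileEntry(
                m.group("created"), m.group("modified"), size,
                m.group("attrs").startswith("d"), m.group("path")))
        elif key is not None:
            reg[key].append(line)           # value or AutoRun command under the key
    return files, reg


SYSTEM32 = "c:\\windows\\system32\\"


def select_targets(files: Dict[str, List[FileEntry]], reg: Dict[str, List[str]],
                   max_size: int = 64) -> Tuple[List[str], List[str]]:
    """Heuristics (assumptions) mirroring the helper's picks: tiny new .dat files in
    system32, and a mountpoints2 key whose AutoRun command launches from another drive."""
    file_targets = [e.path for section, entries in files.items() if "Files Created" in section
                    for e in entries
                    if not e.is_dir and e.size is not None and e.size <= max_size
                    and e.path.lower().startswith(SYSTEM32) and e.path.lower().endswith(".dat")]
    key_targets = [k for k, values in reg.items() if "mountpoints2" in k.lower()
                   and any(v.lower().startswith("\\shell\\autorun\\command") for v in values)]
    return file_targets, key_targets


def build_cfscript(file_targets: List[str], key_targets: List[str]) -> str:
    """Render the File:: and Registry:: sections in the form used in the post above."""
    out: List[str] = []
    if file_targets:
        out += ["File::", *file_targets]
    if key_targets:
        out += ([""] if out else []) + ["Registry::", *(f"[-{k}]" for k in key_targets)]
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    print(build_cfscript(*select_targets(*parse_log(SAMPLE_LOG))), end="")
```

Run on the sample it reproduces the helper's CFScript above; the Find3M entry and the ordinary Run value are left alone because they fail the heuristics.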


#7 Flyingfish

    Authentic Member

  • 70 posts
  • Interests: Armadillos, llamas, and occasionally I go slummin' with the El' Packas. But only the ones with small ears.

Posted 02 November 2009 - 08:31 PM

Here's the latest log:

ComboFix 09-11-01.04 - Angelina 11/02/2009 17:45.11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.477 [GMT -6:00]
Running from: c:\documents and settings\Angelina\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Angelina\Desktop\CFScript.txt
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\msacm32.drv
c:\windows\sdfixwcs.dll
c:\windows\wuasirvy.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-10-22 14:01 . 2009-10-22 14:01 -------- d-----w- c:\documents and settings\Angelina\Application Data\Malwarebytes
2009-10-19 23:32 . 2009-10-20 05:46 45 ----a-w- c:\windows\system32\pog.dat
2009-10-19 23:32 . 2009-10-19 23:32 1 ----a-w- c:\windows\system32\qsf.dat
2009-10-19 23:32 . 2009-10-19 23:32 1 ----a-w- c:\windows\system32\jl.dat
2009-10-19 23:32 . 2009-10-19 23:32 1 ----a-w- c:\windows\system32\fcd.dat
2009-10-18 16:44 . 2009-10-18 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 12:58 . 2009-07-01 03:17 -------- d-----w- c:\program files\McAfee
2009-10-24 12:36 . 2009-09-20 01:20 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-10-24 12:36 . 2006-01-05 07:16 -------- d-----w- c:\program files\FaxTools
2009-10-24 12:36 . 2006-06-23 04:16 -------- d-----w- c:\program files\DivX
2009-10-24 12:36 . 2006-03-18 18:10 -------- d-----w- c:\program files\Dominion Wars
2009-10-24 12:36 . 2009-07-01 03:29 -------- d-----w- c:\program files\comcasttb
2009-10-24 12:36 . 2006-02-24 23:29 -------- d-----w- c:\program files\Microsoft Works
2009-10-24 12:36 . 2006-02-24 23:39 -------- d-----w- c:\program files\Microsoft Picture It! 9
2009-10-24 12:36 . 2006-01-05 07:07 -------- d-----w- c:\program files\Modem Helper
2009-10-24 12:36 . 2006-01-05 07:06 -------- d-----w- c:\program files\NetWaiting
2009-10-24 12:36 . 2008-07-24 01:19 -------- d-----w- c:\program files\RegCure
2009-10-24 12:36 . 2006-02-01 05:29 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-24 12:36 . 2008-07-26 16:25 -------- d-----w- c:\program files\Quicken
2009-10-20 12:46 . 2009-05-24 20:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 16:48 . 2007-10-15 23:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-21 20:00 . 2009-09-20 01:08 -------- d-----w- c:\program files\QuickTime
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\program files\iTunes
2009-09-20 01:15 . 2009-09-20 01:15 -------- d-----w- c:\program files\iPod
2009-09-20 01:15 . 2008-01-02 03:36 -------- d-----w- c:\program files\Common Files\Apple
2009-09-18 19:26 . 2006-02-25 01:02 25088 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\wklnhst.dat
2009-09-17 12:44 . 2009-07-01 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-17 09:07 . 2009-09-17 09:07 72280 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 15:22 . 2009-07-01 03:19 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2009-07-01 03:19 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2009-07-01 03:19 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-05-24 20:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-05-24 20:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 13:47 . 2009-09-10 13:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-10-21 18:51 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2006-01-05 17:26 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2006-01-05 17:26 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2006-01-05 17:26 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2006-01-05 05:53 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2003-07-16 20:25 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2006-01-05 17:26 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-01-05 05:53 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-06-11 01:31 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe
2009-06-11 01:26 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe.bak
2009-06-11 01:26 . 2009-06-11 01:26 1192 ----a-w- c:\program files\jre-6u14-windows-i586.exe.sdm
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2GDR\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2003-07-16 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB893066_0$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-31_01.19.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-01-05 06:02 . 2009-11-02 21:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-01-05 06:02 . 2009-10-30 21:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-31 01:50 . 2009-11-02 21:25 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-01-05 06:02 . 2009-10-30 21:33 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-03-16 1622488]
"WAB"="c:\documents and settings\Angelina\Application Data\Macromedia\Common\3abfc02619.exe" [2009-11-03 16384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-5 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"YOP"=c:\progra~1\Yahoo!\YOP\yop.exe /autostart
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Activision\\Star Trek Armada II\\Armada2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [3/16/2009 3:37 PM 616408]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 11:11 AM 17664]
S1 bcbus;BestCrypt bus driver;c:\windows\system32\DRIVERS\bcbus.sys --> c:\windows\system32\DRIVERS\bcbus.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PROCEXP113
*Deregistered* - IPVNMon
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27E53DCF-6B78-4088-BE71-5CA5CDCB2624}]
rundll32 pcfr32.dll,laspi
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-11-01 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-01 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl
LSP: c:\windows\System32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\Angelina\Application Data\Mozilla\Firefox\Profiles\dggrcjdk.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rundll32.exe - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 18:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(732)
c:\windows\System32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-11-03 18:08
ComboFix-quarantined-files.txt 2009-11-03 00:07
ComboFix2.txt 2009-10-31 01:35

Pre-Run: 32,476,393,472 bytes free
Post-Run: 32,573,419,520 bytes free

- - End Of File - - 53BDD37C54F2C69FF612FE883B0C7803
I Lag, therefore I am.

#8 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 02 November 2009 - 08:58 PM

Flyingfish,

Hmm... only half the script was read. Let's try again.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    killall::
    
    File::
    c:\windows\system32\pog.dat
    c:\windows\system32\qsf.dat
    c:\windows\system32\jl.dat
    c:\windows\system32\fcd.dat
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Tomk
------------------------------------------------------------

Topics are closed after 5 days without response


#9 Flyingfish

Flyingfish

    Authentic Member

  • Authentic Member
  • 70 posts
  • Interests:Armadillos, llamas, and occasionally I go slummin' with the El' Packas. But only the ones with small ears.

Posted 03 November 2009 - 09:56 PM

Hi TomK,

Here's the log from the rerun. Thanks!

ComboFix 09-11-03.01 - Angelina 11/03/2009 21:09.12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.524 [GMT -6:00]
Running from: c:\documents and settings\Angelina\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Angelina\Desktop\CFScript.txt
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

FILE ::
"c:\windows\system32\fcd.dat"
"c:\windows\system32\jl.dat"
"c:\windows\system32\pog.dat"
"c:\windows\system32\qsf.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fcd.dat
c:\windows\system32\jl.dat
c:\windows\system32\pog.dat
c:\windows\system32\qsf.dat

.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-10-22 14:01 . 2009-10-22 14:01 -------- d-----w- c:\documents and settings\Angelina\Application Data\Malwarebytes
2009-10-18 16:44 . 2009-10-18 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 12:58 . 2009-07-01 03:17 -------- d-----w- c:\program files\McAfee
2009-10-24 12:36 . 2009-09-20 01:20 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-10-24 12:36 . 2006-01-05 07:16 -------- d-----w- c:\program files\FaxTools
2009-10-24 12:36 . 2006-06-23 04:16 -------- d-----w- c:\program files\DivX
2009-10-24 12:36 . 2006-03-18 18:10 -------- d-----w- c:\program files\Dominion Wars
2009-10-24 12:36 . 2009-07-01 03:29 -------- d-----w- c:\program files\comcasttb
2009-10-24 12:36 . 2006-02-24 23:29 -------- d-----w- c:\program files\Microsoft Works
2009-10-24 12:36 . 2006-02-24 23:39 -------- d-----w- c:\program files\Microsoft Picture It! 9
2009-10-24 12:36 . 2006-01-05 07:07 -------- d-----w- c:\program files\Modem Helper
2009-10-24 12:36 . 2006-01-05 07:06 -------- d-----w- c:\program files\NetWaiting
2009-10-24 12:36 . 2008-07-24 01:19 -------- d-----w- c:\program files\RegCure
2009-10-24 12:36 . 2006-02-01 05:29 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-24 12:36 . 2008-07-26 16:25 -------- d-----w- c:\program files\Quicken
2009-10-20 12:46 . 2009-05-24 20:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 16:48 . 2007-10-15 23:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-21 20:00 . 2009-09-20 01:08 -------- d-----w- c:\program files\QuickTime
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\program files\iTunes
2009-09-20 01:15 . 2009-09-20 01:15 -------- d-----w- c:\program files\iPod
2009-09-20 01:15 . 2008-01-02 03:36 -------- d-----w- c:\program files\Common Files\Apple
2009-09-18 19:26 . 2006-02-25 01:02 25088 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\wklnhst.dat
2009-09-17 12:44 . 2009-07-01 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-17 09:07 . 2009-09-17 09:07 72280 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 15:22 . 2009-07-01 03:19 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2009-07-01 03:19 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2009-07-01 03:19 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-05-24 20:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-05-24 20:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 13:47 . 2009-09-10 13:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-10-21 18:51 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2006-01-05 17:26 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2006-01-05 17:26 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2006-01-05 17:26 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2006-01-05 05:53 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2003-07-16 20:25 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2006-01-05 17:26 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-01-05 05:53 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-06-11 01:31 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe
2009-06-11 01:26 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe.bak
2009-06-11 01:26 . 2009-06-11 01:26 1192 ----a-w- c:\program files\jre-6u14-windows-i586.exe.sdm
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2GDR\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2003-07-16 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB893066_0$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-31_01.19.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-04 03:26 . 2009-11-04 03:26 16384 c:\windows\Temp\Perflib_Perfdata_210.dat
+ 2003-07-16 20:41 . 2009-11-04 03:31 71060 c:\windows\system32\perfc009.dat
- 2003-07-16 20:41 . 2009-10-14 10:22 71060 c:\windows\system32\perfc009.dat
+ 2006-01-05 06:02 . 2009-11-04 03:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-01-05 06:02 . 2009-10-30 21:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-03 02:00 . 2009-11-04 03:06 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-01-05 06:02 . 2009-10-30 21:33 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2003-07-16 20:41 . 2009-11-04 03:31 441124 c:\windows\system32\perfh009.dat
- 2003-07-16 20:41 . 2009-10-14 10:22 441124 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-03-16 1622488]
"WAB"="c:\documents and settings\Angelina\Application Data\Macromedia\Common\3abfc02619.exe" [2009-11-04 16384]
"rundll32.exe"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-5 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=c:\docume~1\Angelina\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"mixer1"=c:\docume~1\Angelina\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"wave1"=c:\docume~1\Angelina\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"aux1"=c:\docume~1\Angelina\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"midi2"=c:\docume~1\Angelina\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"mixer2"=c:\docume~1\Angelina\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"wave2"=c:\docume~1\Angelina\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"aux2"=c:\docume~1\Angelina\APPLIC~1\MACROM~1\Common\3abfc0261.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"YOP"=c:\progra~1\Yahoo!\YOP\yop.exe /autostart
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Activision\\Star Trek Armada II\\Armada2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [3/16/2009 3:37 PM 616408]
R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [6/17/2005 11:11 AM 24064]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 11:11 AM 17664]
S1 bcbus;BestCrypt bus driver;c:\windows\system32\DRIVERS\bcbus.sys --> c:\windows\system32\DRIVERS\bcbus.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27E53DCF-6B78-4088-BE71-5CA5CDCB2624}]
rundll32 pcfr32.dll,laspi
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-11-04 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-04 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl
LSP: c:\windows\System32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\Angelina\Application Data\Mozilla\Firefox\Profiles\dggrcjdk.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 21:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system.ini 227 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\Ati2evxx.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(728)
c:\windows\System32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(124)
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\System32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Borland\Interbase\Bin\IBGuard.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Borland\Interbase\Bin\IBServer.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-04 21:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 03:43
ComboFix2.txt 2009-11-03 00:08
ComboFix3.txt 2009-10-31 01:35

Pre-Run: 32,542,654,464 bytes free
Post-Run: 32,515,309,568 bytes free
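The "Reg Loading Points" block of the log above is where a triager looks first: a Run value launching a randomly named executable from the user's Application Data\Macromedia\Common folder, every drivers32 slot (midi, wave, mixer, aux) pointed at a DLL in that same folder, and the Security Center monitoring and firewall state lines. The Python below is an added example, not part of this thread or of ComboFix; it parses a constructed excerpt in that REGEDIT4 shape and flags those patterns, treating the monitoring/firewall lines as context only, because a third-party suite (McAfee on this machine) legitimately sets them.

```python
# Added example (not ComboFix's code): triage the REGEDIT4-style "Reg Loading
# Points" block of a ComboFix log. SAMPLE_LOG is a constructed excerpt in that
# shape; the file names in it are illustrative.
import re

SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"WAB"="c:\documents and settings\Angelina\Application Data\Macromedia\Common\3abfc02619.exe" [2009-11-04 16384]
"rundll32.exe"="" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=c:\docume~1\Angelina\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"wave1"=c:\docume~1\Angelina\APPLIC~1\MACROM~1\Common\3abfc0261.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
META_RE = re.compile(r"\s*\[[^\]]*\]\s*$")      # trailing "[2009-11-04 16384]" or "[BU]"
USER_PROFILE_RE = re.compile(r"\\(documents and settings|docume~1)\\", re.I)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.I)
DRIVERS32_SLOT_RE = re.compile(r"^(midi|wave|mixer|aux|msacm|vidc)", re.I)


def parse_reg_dump(text):
    """Return (key, name, value, meta) for every value line under a [key] header."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            value, meta = m.group("value"), ""
            mm = META_RE.search(value)
            if mm:                      # split off ComboFix's "[date size]" / "[BU]" suffix
                value, meta = value[:mm.start()], mm.group(0).strip()
            entries.append((key, m.group("name"), value.strip(), meta))
    return entries


def image_path(value):
    """Pull the executable/DLL path out of a Run-style value (quotes and arguments dropped)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else ""
    return value.split(" ", 1)[0]


def dword_nonzero(value):
    """True for a non-zero 'dword:00000001' or a ComboFix-rendered '0 (0x0)' style number."""
    token = value.split()[0]
    if token.lower().startswith("dword:"):
        return int(token[6:], 16) != 0
    return int(token, 0) != 0


def triage(text):
    """Return (severity, category, key, name, detail) findings for the log text."""
    findings = []
    for key, name, value, meta in parse_reg_dump(text):
        lkey, path = key.lower(), image_path(value)
        if lkey.endswith("\\currentversion\\run"):
            if not path:                # value emptied but entry left behind ("[BU]" = backed up)
                findings.append(("info", "orphaned-autostart", key, name, meta))
            elif USER_PROFILE_RE.search(path):
                # Installed software autostarts from Program Files or Windows; a binary
                # launched out of a user's Application Data tree deserves a closer look.
                findings.append(("high", "autostart-from-user-profile", key, name, path))
        elif lkey.endswith("\\drivers32"):
            # drivers32 slots normally name DLLs under system32; anything else gets loaded
            # into every process that initialises multimedia.
            if DRIVERS32_SLOT_RE.match(name) and not SYSTEM32_RE.search(path):
                findings.append(("high", "drivers32-hijack", key, name, path))
        elif "security center\\monitoring" in lkey and name.lower() == "disablemonitoring":
            # Normal when a third-party suite (McAfee here) reports status itself; malware
            # sets it too, so it is recorded as context, not a verdict.
            if dword_nonzero(value):
                findings.append(("info", "security-center-monitoring-off", key, name, value))
        elif lkey.endswith("\\firewallpolicy\\standardprofile") and name.lower() == "enablefirewall":
            if not dword_nonzero(value):    # Windows Firewall off; fine if another firewall is on
                findings.append(("info", "windows-firewall-disabled", key, name, value))
    return findings


if __name__ == "__main__":
    for severity, category, key, name, detail in triage(SAMPLE_LOG):
        print(f"{severity:5} {category:32} {name!r:16} {detail}")
```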

#10 Tomk


Posted 04 November 2009 - 12:09 AM

Flyingfish,

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Also, please let me know how things are running now.

Tomk



#11 Flyingfish


Posted 08 November 2009 - 03:34 AM

Here's the ESET log:

C:\Down Loads\rmconverter.exe probably a variant of Win32/Agent trojan

The system seems good, no redirects, and it loads fine.

#12 Tomk


Posted 08 November 2009 - 09:03 AM

Flyingfish,

Go ahead and delete that file and you should be good. If you have trouble deleting it, be sure to let me know.

Otherwise, Log looks good :D


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.
  • Posted Image
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Please re-enable any security that was disabled.

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:

Tomk


#13 Flyingfish


Posted 08 November 2009 - 09:49 PM

Hi Tom! I followed the steps to delete the last file, and then I ran the cleanup programs. I had been using a backup profile when this started since my main profile wouldn't load. After the last reboot I clicked on my main profile and encountered the same problem where the system partially boots up but then the processor runs at 100% and basically locks up. At one point it gave an error twice that it couldn't find/load file ntuser.dll. I switched to the backup profile and it loaded slowly until it said it blocked and deleted a trojan named 'spy-agent.cm' twice. Blaaaaaaaaahhhhh. So what should I do?

#14 Tomk


Posted 08 November 2009 - 10:04 PM

Flyingfish,

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Tomk


#15 Flyingfish


Posted 09 November 2009 - 09:07 AM

Should I try to run Combo from my main profile (so far I have just been using a backup profile), or does that not make a difference?
