Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

PC infected , and conventional antivirus donn't solve the problem


  • This topic is locked This topic is locked
6 replies to this topic

#1 me7at7at

me7at7at

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:39 AM

Posted 29 April 2010 - 02:35 PM

i have a problem that might be caused by some kind of a virus, i receive the following messages after windows starts up directly;

Attached File  untitled.JPG   109.03KB   6 downloads


1. error message: windows cannot find 'c:\windows\system32\fdisk.com' .make sure you typed the name correctly, and then try again. to search for a file, click the start button and then click search.

2. a notepad file titled "avgnt - Notepad" : the file written in some special characters, the only english words "This program cannot be run in DOS mode"

3. a notepad file titled "avp - Notepad" : the file has the same content as the avgnt file.

the history of the problem:

* windows running completely normal, then suddenly task manager refuses to open "task manager disabled by administrator", the folder options in the tools menu disappeared and finally, the internet explorer by itself checks the "use a proxy server for your LAN" in the internet options-connections tab and specifies an address and a port.

*windows formated, but then the same problems returned at the same time i finished installing a fresh copy of windows "xp sp 2"

* installing kaspersky failed as the program crashes every time i try to install it, it crashed and opens a notepad file similar to the two files mentioned above.

* only installing Avira Antivir succeeded, the task manager and folder options problems were gone but then i started receiving the messages mentioned at the beginning of the topic, the acrobat reader fails to open as well and finally the avira gives me warning sounds every time i open 'my computer' or any drive within. the internet and the pc performance became slow and annoying.

PS: i turned off the system restore on all drives to run the avira scan , advised to do so on their web site.



******* DDS.txt Log ************


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tarek at 21:03:19.28 on Thu 04/29/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1561 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Documents and Settings\Tarek\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = 92.242.144.5:8181
mWinlogon: Shell=explorer.exe c:\windows\system32\fdisk.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\fdisk.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [HotKey] c:\documents and settings\tarek\templates\cache\vmx.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HotKey] c:\documents and settings\tarek\templates\cache\vmx.exe
mRun: [User Agent] c:\windows\system32\fdisk.com
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
IFEO: ashdisp.exe - notepad
IFEO: AVGNT.EXE - notepad
IFEO: AVP.EXE - notepad
IFEO: mmc.exe - notepad
IFEO: msconfig.exe - notepad

Note: multiple IFEO entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tarek\applic~1\mozilla\firefox\profiles\y6b5op1w.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-25 11608]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-4-25 315408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-25 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-25 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-25 60936]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]

=============== Created Last 30 ================

2010-04-29 18:48:42 0 d-----w- c:\program files\Cobian Backup 8
2010-04-25 01:28:32 0 d-----w- c:\docume~1\tarek\applic~1\Avira
2010-04-25 01:26:30 0 d-----w- c:\program files\Avira
2010-04-25 01:26:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-04-25 01:15:56 0 d-----w- c:\program files\common files\ODBC
2010-04-25 01:15:54 0 d-----w- c:\program files\common files\SpeechEngines
2010-04-25 01:15:21 0 d-----r- c:\documents and settings\all users\Documents
2010-04-25 01:07:34 0 d-----w- c:\program files\Kaspersky Lab
2010-04-25 01:07:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-04-25 01:06:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-04-25 00:13:37 0 d-----w- c:\program files\common files\Windows Live
2010-04-24 23:40:40 0 d-----w- c:\program files\GIGABYTE
2010-04-24 23:29:58 0 d-sh--w- c:\documents and settings\all users\DRM
2010-04-24 23:29:42 0 d--h--w- c:\program files\WindowsUpdate
2010-04-24 23:28:52 0 d-----w- c:\program files\common files\MSSoap
2010-04-24 23:27:36 0 d-----w- c:\program files\Online Services
2010-04-24 23:27:32 0 d-----w- c:\program files\Messenger
2010-04-24 23:27:28 0 d-----w- c:\program files\MSN Gaming Zone
2010-04-24 23:26:51 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-04-25 01:08:24 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-25 01:08:23 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-24 23:27:54 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 21:03:34.15 ===============


Attached Files



BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 12,130 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Bement, ILL
  • Local time:07:39 PM

Posted 29 April 2010 - 04:58 PM

Hello me7at7at,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?



" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


un03.png

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 me7at7at

me7at7at
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:39 AM

Posted 30 April 2010 - 11:23 AM

first , thank you for your time and effort .

unfortunately the problem escalated BEFORE i read your reply. the second time i opened the pc the system crashed and i was forced to install a new copy of windows xp sp2, but then the installation aborted and couldn't be completed and i had to install it on another drive. and after installation finished i couldn't open any of the drives on my computer; every time i double click a drive it gives me the "open with" window to select a program to open the drive!.

anyway, your reply seems to fix all this. i ran the programs and everything seems ok now.

*************combofix log **********

ComboFix 10-04-29.05 - tarek 04/30/2010 18:07:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1559 [GMT 2:00]
Running from: f:\documents and settings\tarek\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\$recycle.bin\{5F229C11-5039-40E4-8537-6950BB1C9ECC}
D:\autorun.inf
e:\$recycle.bin\{5F229C11-5039-40E4-8537-6950BB1C9ECC}
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-30 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 14:45 . 2010-04-30 12:55 -------- d-----w- f:\documents and settings\All Users\Application Data\NOS
2010-04-30 13:02 . 2010-04-30 13:02 -------- d-----w- f:\program files\Common Files\Adobe
.

------- Sigcheck -------

[-] 2008-05-06 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . f:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="f:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="f:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="f:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

.
.
------- Supplementary Scan -------
.
FF - ProfilePath - f:\documents and settings\tarek\Application Data\Mozilla\Firefox\Profiles\ykbm9s68.default\

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
f:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
f:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-04-30 18:09:21
ComboFix-quarantined-files.txt 2010-04-30 16:09

Pre-Run: 79,609,225,216 bytes free
Post-Run: 79,604,568,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(4)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(4)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3967AA7D1B3B04F0A0520293984B1B02






is that the end of it .. or there is something else i should perform on the pc ?

thank you again for your time.


#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 12,130 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Bement, ILL
  • Local time:07:39 PM

Posted 30 April 2010 - 11:30 AM

Hello, me7at7at.

1.
Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".

2.
Congratulations! You now appear clean! specool.gif

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install and maintain an outbound firewall
  2. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  3. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  4. Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  5. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  6. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  7. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


un03.png

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 me7at7at

me7at7at
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:39 AM

Posted 30 April 2010 - 02:51 PM

you're the best .. i only have 2 simple questions ..

1. the next time i format,, will i be able to install windows on the c:drive or the problem i had did something permanent to the drive?

2. your recommendations were excellent .. what about an antivirus? please recommend a FREE one :D

thanks .. you saved my poor PC

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 12,130 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Bement, ILL
  • Local time:07:39 PM

Posted 30 April 2010 - 09:46 PM

Hello,

QUOTE
1. the next time i format,, will i be able to install windows on the c:drive or the problem i had did something permanent to the drive?

I'm not for sure on that as that is not my specialty.You can post in Windows XP Home and Professional. They should be able to give you a answer.


QUOTE
2. your recommendations were excellent .. what about an antivirus? please recommend a FREE one :D


  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

I personally use Avira Free myself. thumbup2.gif

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


un03.png

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 12,130 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Bement, ILL
  • Local time:07:39 PM

Posted 02 May 2010 - 12:13 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send a Private Message to any one of the moderating team member or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


un03.png

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users