
I keep getting random pop-ups & search engine links are redirected


  • This topic is locked
15 replies to this topic

#1 villyvonka

villyvonka

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 02 May 2010 - 02:11 AM

Hi, hopefully someone can help me.
I keep having a problem when I use search engines, such as google or ask.
When I click on a link, I get sent to a completely different website. I have both Firefox and IE8, and it happens on both.
I also get a random pop-up once in a while, and I think it might just be part of the same problem.
I've done full scans of my computer using Malwarebytes Anti-malware and my McAfee security center, neither was able to find the problem.
Please help... Thanks.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Zavala at 19:23:42.67 on Sat 05/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.358 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Zavala\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=15557&l=dis
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5BCC24A7-7D3F-4CC9-AC86-4380FCD68D1E} - hxxp://esupport.trendmicro.com/_layouts/1033/GetPCInfo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.att.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AutorunsDisabled - WgaLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zavala\applic~1\mozilla\firefox\profiles\xmpyi7zc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-4-25 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-4-25 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-4-25 144704]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-3-28 97280]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-4-25 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-25 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-25 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-4-25 40552]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-14 1691480]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\atmfbus.sys --> c:\windows\system32\drivers\ATMFBUS.sys [?]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\atmfcvsp.sys --> c:\windows\system32\drivers\ATMFCVsp.sys [?]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\atmfflt.sys --> c:\windows\system32\drivers\ATMFFLT.sys [?]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\atmfmdm.sys --> c:\windows\system32\drivers\ATMFMdm.sys [?]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\atmfnet.sys --> c:\windows\system32\drivers\ATMFNET.sys [?]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\atmfnvsp.sys --> c:\windows\system32\drivers\ATMFNVsp.sys [?]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\atmfvsp.sys --> c:\windows\system32\drivers\ATMFVsp.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-4-25 34248]

=============== Created Last 30 ================

2010-05-02 02:21:55 0 ----a-w- c:\documents and settings\zavala\defogger_reenable
2010-04-27 12:22:38 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-25 08:51:45 8943 ----a-w- c:\windows\system32\Config.MPF
2010-04-25 08:48:11 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-25 08:48:11 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-04-25 08:48:11 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-25 08:48:04 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-04-25 08:47:29 0 d-----w- c:\program files\common files\McAfee
2010-04-25 08:47:28 0 d-----w- c:\program files\McAfee.com
2010-04-25 08:47:16 0 d-----w- c:\program files\McAfee
2010-04-25 08:43:31 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-04-24 06:36:37 0 d-----w- c:\docume~1\zavala\applic~1\CasualForge
2010-04-24 06:36:37 0 d-----w- c:\docume~1\alluse~1\applic~1\CasualForge
2010-04-19 22:49:09 0 d-----w- c:\program files\Virtual Villagers - The Lost Children
2010-04-19 22:13:11 0 d-----w- c:\program files\Virtual Villagers
2010-04-14 19:36:51 100864 -c----w- c:\windows\system32\dllcache\6to4svc.dll
2010-04-14 19:35:31 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-04-14 19:35:27 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-04-14 04:42:46 0 d-----w- c:\program files\iPod
2010-04-14 04:42:22 0 d-----w- c:\program files\iTunes
2010-04-14 04:42:22 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 04:28:02 0 d-----w- c:\program files\Bonjour
2010-04-09 00:39:13 0 d-----w- c:\program files\Oberon Media
2010-04-03 10:06:47 0 d-----w- c:\program files\Risk
2010-04-03 08:46:06 0 d-----w- c:\program files\RealArcade
2010-04-02 21:40:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2010-04-02 20:33:20 0 d-----w- c:\program files\iWin.com
2010-04-02 19:51:03 0 d-----w- c:\docume~1\alluse~1\applic~1\MumboJumbo
2010-04-02 19:50:04 0 d-----w- c:\docume~1\alluse~1\applic~1\iWin Games
2010-04-02 13:26:43 0 d-----w- c:\docume~1\zavala\applic~1\iWin

==================== Find3M ====================

2010-04-26 09:42:14 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-14 04:15:03 52028 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 08:29:51 22542 ----a-w- c:\windows\hpqins19.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 10:41:26 218624 ----a-w- c:\windows\system32\uxtheme.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 16:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-09 02:45:16 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2010-02-09 02:45:16 358944 ----a-w- c:\windows\vncutil.exe
2010-02-09 02:45:16 1833504 ----a-w- c:\windows\SkyTel.exe
2010-02-09 02:45:12 9721888 ----a-w- c:\windows\RTLCPL.EXE
2010-02-09 02:45:12 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-02-09 02:45:06 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-02-09 02:45:04 18790432 ----a-w- c:\windows\RTHDCPL.EXE
2010-02-09 02:45:04 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-02-09 02:44:58 2177568 ----a-w- c:\windows\MicCal.exe
2010-02-09 02:44:52 64032 ----a-w- c:\windows\ALCMTR.EXE
2010-02-09 02:44:52 2815520 ----a-w- c:\windows\ALCWZRD.EXE

============= FINISH: 19:25:45.70 ===============

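A small triage script, added here as an example and not part of the thread or of the DDS/ComboFix tools: it parses the sectioned DDS log format shown above and applies two defender heuristics, flagging drivers that appear in Find3M (modified recently) but not in "Created Last 30" (a pre-existing driver whose contents changed, which is exactly the pattern isapnp.sys shows, and which ComboFix later reports as an infected copy), and toolbar/BHO entries whose CLSID resolves to "No File". The sample log is a constructed excerpt of the one posted; the 30-day window, the restriction to the drivers directory and the function names are my choices.

```python
"""Triage helper for DDS logs (added example, not from the thread).

Heuristic 1: a file under system32\\drivers listed in "Find3M" (modified in the
last 3 months) but NOT in "Created Last 30" is a pre-existing driver whose
contents changed. Fresh installs (the McAfee mfe*.sys files) appear in the
created section and are excluded; a patched system driver such as isapnp.sys
appears only in Find3M.
Heuristic 2: TB:/BHO: lines ending in "No File" are orphaned CLSIDs.
"""
import re
from datetime import datetime, timedelta

# Constructed excerpt of the DDS log from the first post (mfeavfk.sys is also
# placed in Find3M here only to exercise the "created" exclusion).
SAMPLE_DDS = """\
DDS (Ver_10-03-17.01) - NTFSx86
Run by Zavala at 19:23:42.67 on Sat 05/01/2010

============== Pseudo HJT Report ===============

TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\\program files\\msn toolbar\\platform\\4.0.0379.0\\npwinext.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

=============== Created Last 30 ================

2010-04-25 08:48:11 79816 ----a-w- c:\\windows\\system32\\drivers\\mfeavfk.sys
2010-04-25 08:48:11 40552 ----a-w- c:\\windows\\system32\\drivers\\mfesmfk.sys

==================== Find3M ====================

2010-04-26 09:42:14 37248 ----a-w- c:\\windows\\system32\\drivers\\isapnp.sys
2010-04-25 08:48:11 79816 ----a-w- c:\\windows\\system32\\drivers\\mfeavfk.sys
2010-03-30 07:46:30 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2010-02-25 06:24:37 916480 ----a-w- c:\\windows\\system32\\wininet.dll

============= FINISH: 19:25:45.70 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")           # "=== Name ==="
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")
RUN_RE = re.compile(r"Run by .* on \w+ (\d{2}/\d{2}/\d{4})")


def parse_sections(text):
    """Split a DDS log into {section_name: [lines]}; the preamble goes under ''."""
    sections = {"": []}
    current = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_file_entries(lines):
    """Turn '<date> <time> <size> <attrs> <path>' lines into dicts."""
    entries = []
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            entries.append({
                "mtime": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                "size": int(m.group(2)),
                "attrs": m.group(3),
                "path": m.group(4).lower(),
            })
    return entries


def run_date(sections):
    """Scan date from the 'Run by ... on <weekday> mm/dd/yyyy' preamble line."""
    for line in sections.get("", []):
        m = RUN_RE.search(line)
        if m:
            return datetime.strptime(m.group(1), "%m/%d/%Y")
    raise ValueError("no 'Run by ... on <date>' line found")


def modified_but_not_created_drivers(sections, window_days=30):
    """Drivers modified within window_days of the scan but absent from 'Created Last 30'."""
    cutoff = run_date(sections) - timedelta(days=window_days)
    created = {e["path"] for e in parse_file_entries(sections.get("Created Last 30", []))}
    hits = []
    for e in parse_file_entries(sections.get("Find3M", [])):
        if "\\drivers\\" not in e["path"]:
            continue                      # only kernel drivers are in scope here
        if e["mtime"] >= cutoff and e["path"] not in created:
            hits.append(e["path"])
    return hits


def orphaned_toolbars(sections):
    """TB:/BHO: entries whose CLSID no longer resolves to a file on disk."""
    return [line for line in sections.get("Pseudo HJT Report", [])
            if line.startswith(("TB:", "BHO:")) and line.endswith("- No File")]


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_DDS)
    for path in modified_but_not_created_drivers(secs):
        print("recently modified pre-existing driver:", path)
    for entry in orphaned_toolbars(secs):
        print("orphaned toolbar entry:", entry)
```

On the excerpt this flags only isapnp.sys: the McAfee driver is excluded because it was created in the same window, and mbamswissarmy.sys falls outside the 30-day window.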

#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:42 PM

Posted 04 May 2010 - 12:17 PM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


++++++++++++++++++++++


One or more of the identified infections is a Rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.



~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 villyvonka

villyvonka
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 04 May 2010 - 06:32 PM

Thanks for the reply, and the information.

I am currently using a different computer to access this website. I have also made sure that the infected computer is not connected to the internet.
I have taken proper action as far as changing passwords and such.
I do not use the infected computer for online shopping or banking, I mostly just use it for social networking sites now.
So I would like to try and clean the machine.

Thanks

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:42 PM

Posted 04 May 2010 - 08:36 PM

Hi,

Alright, so let's begin. Make sure that the PC is connected to the internet while running Combofix.


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#5 villyvonka

villyvonka
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:42 AM

Posted 05 May 2010 - 07:51 PM

OK, here is the log, and I wanted to know if I can turn my internet security back on now???

ComboFix 10-05-05.04 - Zavala 05/05/2010 17:33:29.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.585 [GMT -7:00]
Running from: c:\documents and settings\Zavala\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WindowsUpdate
c:\windows\system\_sv_CMD_
c:\windows\system32\service
c:\windows\system32\service\30032010_TIS17_SfFniAU.log

Infected copy of c:\windows\system32\drivers\isapnp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-04-27 12:22 . 2010-02-24 17:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-26 11:02 . 2010-04-26 11:02 -------- d-----w- c:\documents and settings\Zavala\Local Settings\Application Data\Identities
2010-04-25 08:59 . 2010-04-25 08:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-04-25 08:51 . 2010-04-25 08:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-25 08:48 . 2010-02-17 23:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-25 08:48 . 2010-02-17 23:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-04-25 08:48 . 2010-02-17 23:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-25 08:48 . 2009-07-16 19:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-04-25 08:47 . 2010-04-25 08:48 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-25 08:47 . 2010-04-25 08:47 -------- d-----w- c:\program files\McAfee.com
2010-04-25 08:47 . 2010-05-06 00:01 -------- d-----w- c:\program files\McAfee
2010-04-25 08:43 . 2010-02-17 23:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-04-25 08:26 . 2010-04-27 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-24 06:57 . 2010-04-24 06:57 -------- d-----w- c:\documents and settings\Zavala\Local Settings\Application Data\Grubby Games
2010-04-24 06:36 . 2010-04-24 06:36 -------- d-----w- c:\documents and settings\Zavala\Application Data\CasualForge
2010-04-24 06:36 . 2010-04-24 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\CasualForge
2010-04-19 22:49 . 2010-04-22 02:04 -------- d-----w- c:\program files\Virtual Villagers - The Lost Children
2010-04-19 22:13 . 2010-04-24 06:02 -------- d-----w- c:\program files\Virtual Villagers
2010-04-14 19:36 . 2010-02-12 04:33 100864 -c----w- c:\windows\system32\dllcache\6to4svc.dll
2010-04-14 19:35 . 2009-12-24 06:59 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-04-14 19:35 . 2010-01-13 14:01 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-04-14 04:42 . 2010-04-14 04:42 -------- d-----w- c:\program files\iPod
2010-04-14 04:42 . 2010-04-14 04:44 -------- d-----w- c:\program files\iTunes
2010-04-14 04:42 . 2010-04-14 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 04:34 . 2010-04-14 04:34 -------- d-----w- c:\program files\QuickTime
2010-04-14 04:28 . 2010-04-14 04:28 -------- d-----w- c:\program files\Bonjour
2010-04-14 04:17 . 2010-04-14 04:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-12 13:05 . 2010-04-12 13:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2010-04-12 12:43 . 2010-04-25 08:41 -------- d-----w- c:\documents and settings\Zavala\Local Settings\Application Data\Trend Micro
2010-04-12 12:27 . 2010-04-27 14:24 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-12 11:49 . 2010-04-12 23:08 -------- d-----w- c:\documents and settings\Zavala\Local Settings\Application Data\Temp
2010-04-12 08:26 . 2010-04-12 08:26 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-09 00:39 . 2010-04-19 22:03 -------- d-----w- c:\program files\Oberon Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 02:35 . 2009-02-16 05:26 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-27 04:50 . 2007-08-20 01:41 -------- d-----w- c:\program files\Trend Micro
2010-04-26 09:42 . 2001-08-23 12:00 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-25 09:05 . 2010-03-29 07:04 -------- d-----w- c:\program files\ArcSoft
2010-04-25 08:59 . 2010-02-28 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-25 08:59 . 2010-02-28 06:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-25 08:58 . 2010-03-08 10:13 -------- d-----w- c:\program files\att games
2010-04-25 08:55 . 2007-08-20 01:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-24 21:23 . 2010-03-08 10:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-14 04:42 . 2010-02-25 19:22 -------- d-----w- c:\program files\Common Files\Apple
2010-04-14 04:15 . 2010-03-06 12:36 52028 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-12 10:51 . 2010-03-07 10:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 10:51 . 2010-03-07 10:08 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 10:29 . 2010-04-03 10:06 -------- d-----w- c:\program files\Risk
2010-04-03 09:54 . 2010-04-03 08:46 -------- d-----w- c:\program files\RealArcade
2010-04-03 08:52 . 2010-04-02 13:26 -------- d-----w- c:\documents and settings\Zavala\Application Data\iWin
2010-04-03 06:23 . 2010-04-02 20:33 -------- d-----w- c:\program files\iWin.com
2010-04-02 21:40 . 2010-04-02 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-04-02 19:51 . 2010-04-02 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2010-04-02 19:50 . 2010-04-02 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin Games
2010-03-30 07:46 . 2010-03-07 10:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-03-07 10:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 08:39 . 2007-08-20 01:22 66112 ------w- c:\documents and settings\Zavala\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-29 08:38 . 2010-03-29 08:38 -------- d-----w- c:\program files\Windows Live
2010-03-29 08:38 . 2010-03-29 08:38 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-29 08:37 . 2010-03-29 08:37 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-03-29 08:30 . 2010-03-29 08:30 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-29 08:29 . 2010-03-29 08:27 22542 ----a-w- c:\windows\hpqins19.dat
2010-03-29 08:28 . 2009-05-05 03:04 -------- d-----w- c:\program files\HP
2010-03-29 08:28 . 2010-03-29 08:28 -------- d-----w- c:\program files\Common Files\HP
2010-03-29 08:28 . 2010-03-29 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-03-29 07:14 . 2010-03-29 07:14 -------- d-----w- c:\documents and settings\Zavala\Application Data\ArcSoft
2010-03-10 21:18 . 2010-03-10 21:18 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI
2010-03-10 06:15 . 2007-04-15 21:23 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:04 . 2010-03-09 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-03-09 10:41 . 2007-04-15 21:23 218624 ----a-w- c:\windows\system32\uxtheme.dll
2010-03-08 10:13 . 2010-03-08 10:13 -------- d-----w- c:\documents and settings\Zavala\Application Data\PlayFirst
2010-03-08 10:13 . 2010-03-08 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2010-03-08 10:13 . 2010-03-08 10:13 -------- d-----w- c:\program files\Common Files\Oberon Media
2010-03-07 11:28 . 2010-03-07 11:28 -------- d-----w- c:\documents and settings\Zavala\Application Data\Blitware
2010-03-07 10:07 . 2010-03-07 10:07 -------- d-----w- c:\documents and settings\Zavala\Application Data\Malwarebytes
2010-03-07 10:07 . 2010-03-07 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-06 12:11 . 2007-08-20 00:50 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-27 03:10 . 2010-02-27 03:10 0 ----a-w- c:\windows\ativpsrm.bin
2010-02-27 00:49 . 2010-02-27 00:49 0 ----a-w- c:\windows\nsreg.dat
2010-02-25 17:14 . 2010-02-25 17:14 152576 ------w- c:\documents and settings\Zavala\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-25 17:13 . 2010-02-25 17:13 79488 ------w- c:\documents and settings\Zavala\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-25 06:58 . 2010-02-25 06:58 152576 ------w- c:\documents and settings\Zavala\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-25 06:24 . 2007-04-15 21:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2007-04-15 21:22 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:10 . 2007-04-15 21:23 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2007-02-28 07:15 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2007-04-15 21:21 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2007-04-15 21:23 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-09 02:45 . 2010-02-15 02:51 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2010-02-09 02:45 . 2010-02-15 02:51 358944 ----a-w- c:\windows\vncutil.exe
2010-02-09 02:45 . 2010-02-15 02:51 1833504 ----a-w- c:\windows\SkyTel.exe
2010-02-09 02:45 . 2010-02-15 02:51 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-02-09 02:45 . 2010-02-15 02:50 9721888 ----a-w- c:\windows\RTLCPL.EXE
2010-02-09 02:45 . 2010-02-15 02:50 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-02-09 02:45 . 2010-02-15 02:50 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-02-09 02:45 . 2010-02-15 02:50 18790432 ----a-w- c:\windows\RTHDCPL.EXE
2010-02-09 02:44 . 2010-02-15 02:50 2177568 ----a-w- c:\windows\MicCal.exe
2010-02-09 02:44 . 2010-02-15 02:50 64032 ----a-w- c:\windows\ALCMTR.EXE
2010-02-09 02:44 . 2010-02-15 02:50 2815520 ----a-w- c:\windows\ALCWZRD.EXE
2010-02-09 02:15 . 2010-02-15 02:50 5860384 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2010-02-09 1833504]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2007-04-15 61952]
"RTHDCPL"="RTHDCPL.EXE" [2010-02-09 18790432]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2009-03-11 06:18 239496 ------w- c:\windows\system32\WgaLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/25/2010 1:50 AM 203280]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/28/2010 11:25 PM 97280]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/14/2010 7:50 PM 1691480]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\DRIVERS\ATMFBUS.sys --> c:\windows\system32\DRIVERS\ATMFBUS.sys [?]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\DRIVERS\ATMFCVsp.sys --> c:\windows\system32\DRIVERS\ATMFCVsp.sys [?]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\DRIVERS\ATMFFLT.sys --> c:\windows\system32\DRIVERS\ATMFFLT.sys [?]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\DRIVERS\ATMFMdm.sys --> c:\windows\system32\DRIVERS\ATMFMdm.sys [?]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\DRIVERS\ATMFNET.sys --> c:\windows\system32\DRIVERS\ATMFNET.sys [?]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\DRIVERS\ATMFNVsp.sys --> c:\windows\system32\DRIVERS\ATMFNVsp.sys [?]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\DRIVERS\ATMFVsp.sys --> c:\windows\system32\DRIVERS\ATMFVsp.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-28 c:\windows\Tasks\Driver Fetch.job
- c:\program files\Driver Fetch\2.1.0.0\DriverFetch.exe [2010-02-25 20:08]

2010-04-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-25 19:22]

2010-04-25 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-25 19:22]

2010-05-06 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15557&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Zavala\Application Data\Mozilla\Firefox\Profiles\xmpyi7zc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 17:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\COMRes.dll
.
Completion time: 2010-05-05 17:43:30
ComboFix-quarantined-files.txt 2010-05-06 00:43

Pre-Run: 42,604,937,216 bytes free
Post-Run: 42,975,236,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 79F4D7B9320386A370AB67CB15E49E92


#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:42 PM

Posted 06 May 2010 - 08:54 AM

Hi,

QUOTE
ok here is the log, and I wanted to know if I can turn my internet security back on now???

Yes please, re-enable it after doing the fix below.


Do you know this? => c:\program files\Risk


+++++++++++++++++++++++++++


We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
DDS::
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32


Folder::
c:\documents and settings\All Users\Application Data\Norton
c:\program files\Common Files\Symantec Shared

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 villyvonka

villyvonka
  • Topic Starter

  • Members
  • 8 posts
  • Local time:04:42 AM

Posted 06 May 2010 - 08:16 PM

Yes, I do know that file, it was part of a game I downloaded.


I thought I'd mention that when I dragged the contents of the notepad into ComboFix, ComboFix started and it said that there was a newer version available, so I updated it. Just in case something in the log isn't right, that might be why.

Anyway, here is the log:


ComboFix 10-05-05.0D - Zavala 05/06/2010 17:58:58.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.494 [GMT -7:00]
Running from: c:\documents and settings\Zavala\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Zavala\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Norton
c:\documents and settings\All Users\Application Data\Norton\symdata.xml
c:\program files\Common Files\Symantec Shared

.
((((((((((((((((((((((((( Files Created from 2010-04-07 to 2010-05-07 )))))))))))))))))))))))))))))))
.

2010-05-07 00:54 . 2010-05-07 00:54 -------- d-----w- c:\windows\LastGood
2010-04-27 12:22 . 2010-02-24 17:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-26 11:02 . 2010-04-26 11:02 -------- d-----w- c:\documents and settings\Zavala\Local Settings\Application Data\Identities
2010-04-25 08:59 . 2010-04-25 08:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-04-25 08:51 . 2010-04-25 08:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-25 08:48 . 2010-02-17 23:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-25 08:48 . 2010-02-17 23:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-04-25 08:48 . 2010-02-17 23:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-25 08:48 . 2009-07-16 19:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-04-25 08:47 . 2010-04-25 08:48 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-25 08:47 . 2010-04-25 08:47 -------- d-----w- c:\program files\McAfee.com
2010-04-25 08:47 . 2010-05-07 00:54 -------- d-----w- c:\program files\McAfee
2010-04-25 08:43 . 2010-02-17 23:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-04-25 08:26 . 2010-04-27 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-24 06:57 . 2010-04-24 06:57 -------- d-----w- c:\documents and settings\Zavala\Local Settings\Application Data\Grubby Games
2010-04-24 06:36 . 2010-04-24 06:36 -------- d-----w- c:\documents and settings\Zavala\Application Data\CasualForge
2010-04-24 06:36 . 2010-04-24 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\CasualForge
2010-04-19 22:49 . 2010-04-22 02:04 -------- d-----w- c:\program files\Virtual Villagers - The Lost Children
2010-04-19 22:13 . 2010-04-24 06:02 -------- d-----w- c:\program files\Virtual Villagers
2010-04-14 19:36 . 2010-02-12 04:33 100864 -c----w- c:\windows\system32\dllcache\6to4svc.dll
2010-04-14 19:35 . 2009-12-24 06:59 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-04-14 19:35 . 2010-01-13 14:01 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-04-14 04:42 . 2010-04-14 04:42 -------- d-----w- c:\program files\iPod
2010-04-14 04:42 . 2010-04-14 04:44 -------- d-----w- c:\program files\iTunes
2010-04-14 04:42 . 2010-04-14 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 04:34 . 2010-04-14 04:34 -------- d-----w- c:\program files\QuickTime
2010-04-14 04:28 . 2010-04-14 04:28 -------- d-----w- c:\program files\Bonjour
2010-04-14 04:17 . 2010-04-14 04:17 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-12 13:05 . 2010-04-12 13:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2010-04-12 12:43 . 2010-04-25 08:41 -------- d-----w- c:\documents and settings\Zavala\Local Settings\Application Data\Trend Micro
2010-04-12 12:27 . 2010-04-27 14:24 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-12 11:49 . 2010-04-12 23:08 -------- d-----w- c:\documents and settings\Zavala\Local Settings\Application Data\Temp
2010-04-12 08:26 . 2010-04-12 08:26 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-09 00:39 . 2010-04-19 22:03 -------- d-----w- c:\program files\Oberon Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 02:35 . 2009-02-16 05:26 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-27 04:50 . 2007-08-20 01:41 -------- d-----w- c:\program files\Trend Micro
2010-04-26 09:42 . 2001-08-23 12:00 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-25 09:05 . 2010-03-29 07:04 -------- d-----w- c:\program files\ArcSoft
2010-04-25 08:58 . 2010-03-08 10:13 -------- d-----w- c:\program files\att games
2010-04-25 08:55 . 2007-08-20 01:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-24 21:23 . 2010-03-08 10:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-14 04:42 . 2010-02-25 19:22 -------- d-----w- c:\program files\Common Files\Apple
2010-04-14 04:15 . 2010-03-06 12:36 52028 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-12 10:51 . 2010-03-07 10:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 10:51 . 2010-03-07 10:08 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 10:29 . 2010-04-03 10:06 -------- d-----w- c:\program files\Risk
2010-04-03 09:54 . 2010-04-03 08:46 -------- d-----w- c:\program files\RealArcade
2010-04-03 08:52 . 2010-04-02 13:26 -------- d-----w- c:\documents and settings\Zavala\Application Data\iWin
2010-04-03 06:23 . 2010-04-02 20:33 -------- d-----w- c:\program files\iWin.com
2010-04-02 21:40 . 2010-04-02 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-04-02 19:51 . 2010-04-02 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2010-04-02 19:50 . 2010-04-02 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin Games
2010-03-30 07:46 . 2010-03-07 10:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-03-07 10:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 08:39 . 2007-08-20 01:22 66112 ------w- c:\documents and settings\Zavala\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-29 08:38 . 2010-03-29 08:38 -------- d-----w- c:\program files\Windows Live
2010-03-29 08:38 . 2010-03-29 08:38 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-29 08:37 . 2010-03-29 08:37 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-03-29 08:30 . 2010-03-29 08:30 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-29 08:29 . 2010-03-29 08:27 22542 ----a-w- c:\windows\hpqins19.dat
2010-03-29 08:28 . 2009-05-05 03:04 -------- d-----w- c:\program files\HP
2010-03-29 08:28 . 2010-03-29 08:28 -------- d-----w- c:\program files\Common Files\HP
2010-03-29 08:28 . 2010-03-29 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-03-29 07:14 . 2010-03-29 07:14 -------- d-----w- c:\documents and settings\Zavala\Application Data\ArcSoft
2010-03-10 21:18 . 2010-03-10 21:18 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI
2010-03-10 06:15 . 2007-04-15 21:23 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:04 . 2010-03-09 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-03-09 10:41 . 2007-04-15 21:23 218624 ----a-w- c:\windows\system32\uxtheme.dll
2010-03-08 10:13 . 2010-03-08 10:13 -------- d-----w- c:\documents and settings\Zavala\Application Data\PlayFirst
2010-03-08 10:13 . 2010-03-08 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2010-03-08 10:13 . 2010-03-08 10:13 -------- d-----w- c:\program files\Common Files\Oberon Media
2010-03-06 12:11 . 2007-08-20 00:50 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-27 03:10 . 2010-02-27 03:10 0 ----a-w- c:\windows\ativpsrm.bin
2010-02-27 00:49 . 2010-02-27 00:49 0 ----a-w- c:\windows\nsreg.dat
2010-02-25 17:14 . 2010-02-25 17:14 152576 ------w- c:\documents and settings\Zavala\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-25 17:13 . 2010-02-25 17:13 79488 ------w- c:\documents and settings\Zavala\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-25 06:58 . 2010-02-25 06:58 152576 ------w- c:\documents and settings\Zavala\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-25 06:24 . 2007-04-15 21:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2007-04-15 21:22 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:10 . 2007-04-15 21:23 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2007-02-28 07:15 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2007-04-15 21:21 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2007-04-15 21:23 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-09 02:45 . 2010-02-15 02:51 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2010-02-09 02:45 . 2010-02-15 02:51 358944 ----a-w- c:\windows\vncutil.exe
2010-02-09 02:45 . 2010-02-15 02:51 1833504 ----a-w- c:\windows\SkyTel.exe
2010-02-09 02:45 . 2010-02-15 02:51 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-02-09 02:45 . 2010-02-15 02:50 9721888 ----a-w- c:\windows\RTLCPL.EXE
2010-02-09 02:45 . 2010-02-15 02:50 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-02-09 02:45 . 2010-02-15 02:50 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-02-09 02:45 . 2010-02-15 02:50 18790432 ----a-w- c:\windows\RTHDCPL.EXE
2010-02-09 02:44 . 2010-02-15 02:50 2177568 ----a-w- c:\windows\MicCal.exe
2010-02-09 02:44 . 2010-02-15 02:50 64032 ----a-w- c:\windows\ALCMTR.EXE
2010-02-09 02:44 . 2010-02-15 02:50 2815520 ----a-w- c:\windows\ALCWZRD.EXE
2010-02-09 02:15 . 2010-02-15 02:50 5860384 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-06_00.41.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-07 00:47 . 2010-05-07 00:47 16384 c:\windows\Temp\Perflib_Perfdata_608.dat
+ 2001-08-23 12:00 . 2010-05-07 00:52 70112 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-05-06 00:37 70112 c:\windows\system32\perfc009.dat
- 2007-08-20 00:57 . 2010-05-06 00:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-08-20 00:57 . 2010-05-07 00:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-08-20 00:57 . 2010-05-06 00:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-05-07 00:53 . 2010-05-07 00:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2001-08-23 12:00 . 2010-05-07 00:52 438456 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-05-06 00:37 438456 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2010-02-09 1833504]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2007-04-15 61952]
"RTHDCPL"="RTHDCPL.EXE" [2010-02-09 18790432]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2009-03-11 06:18 239496 ------w- c:\windows\system32\WgaLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/25/2010 1:50 AM 203280]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/28/2010 11:25 PM 97280]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/14/2010 7:50 PM 1691480]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\DRIVERS\ATMFBUS.sys --> c:\windows\system32\DRIVERS\ATMFBUS.sys [?]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\DRIVERS\ATMFCVsp.sys --> c:\windows\system32\DRIVERS\ATMFCVsp.sys [?]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\DRIVERS\ATMFFLT.sys --> c:\windows\system32\DRIVERS\ATMFFLT.sys [?]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\DRIVERS\ATMFMdm.sys --> c:\windows\system32\DRIVERS\ATMFMdm.sys [?]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\DRIVERS\ATMFNET.sys --> c:\windows\system32\DRIVERS\ATMFNET.sys [?]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\DRIVERS\ATMFNVsp.sys --> c:\windows\system32\DRIVERS\ATMFNVsp.sys [?]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\DRIVERS\ATMFVsp.sys --> c:\windows\system32\DRIVERS\ATMFVsp.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-28 c:\windows\Tasks\Driver Fetch.job
- c:\program files\Driver Fetch\2.1.0.0\DriverFetch.exe [2010-02-25 20:08]

2010-04-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-25 19:22]

2010-04-25 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-25 19:22]

2010-05-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15557&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Zavala\Application Data\Mozilla\Firefox\Profiles\xmpyi7zc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 18:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-06 18:06:51
ComboFix-quarantined-files.txt 2010-05-07 01:06
ComboFix2.txt 2010-05-06 00:43

Pre-Run: 42,960,064,512 bytes free
Post-Run: 42,931,933,184 bytes free

- - End Of File - - A8B976E362858D0B6C5A184B32CF70E3


#8 sempai
  • Malware Response Team

Posted 07 May 2010 - 04:30 AM

Hi,

How's the computer running now?


+++++++++++++++++


1. Download TFC (Temp File Cleaner) to your desktop.
  • Close any other windows.
  • Double click the TFC icon to run the program.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean.
Note: TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.



2. Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Note: Kaspersky online scan may take time to complete, please be patient.

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 villyvonka
  • Topic Starter

Posted 07 May 2010 - 05:25 PM

Well, when I Google something, the links seem to be working now; they haven't been redirected.

Here is the Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, May 7, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, May 07, 2010 19:00:52
Records in database: 4084315
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 65220
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:26:46


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{A303EBE8-7989-41DE-999B-42EDA47394BE}\RP91\A0037715.sys Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.


#10 sempai
  • Malware Response Team

Posted 07 May 2010 - 06:24 PM

Hi,

Looks good; the Kaspersky scan only found a quarantined infected file and a system restore entry.


++++++++++++++++++++


Please post the following logs for my final review.


1. Please do another DDS scan and post the latest DDS log.



2. Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.

~Semp


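The call made in the reply above (a hit inside the ComboFix quarantine folder and one inside a System Restore snapshot are inert copies, not an active infection) can be codified so a responder does not have to eyeball each path. The following is an added Python example, not code from this thread or from any Kaspersky tool. The first two report lines are taken from the scan report posted above; the third line is constructed to show how a detection on a live path would be classified, and the path patterns for quarantine and restore points are assumptions about how those tools lay out their folders.

```python
"""Triage Kaspersky Online Scanner 7.0 detection lines by where the file lives.

Added example for the thread above; not part of DDS, ComboFix or Kaspersky.
"""
import re
from collections import Counter

# Sample report: the first two detection lines are from the report posted
# above, the third is CONSTRUCTED to show a detection on a live path.
SAMPLE_REPORT = """\
File name / Threat / Threats count
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Drivers\\isapnp.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\\System Volume Information\\_restore{A303EBE8-7989-41DE-999B-42EDA47394BE}\\RP91\\A0037715.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\\WINDOWS\\system32\\drivers\\example.sys Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.
"""

# One detection line: <path> <Infected|Suspicious>: <threat name> <count>
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)

# Locations that hold inert copies rather than active files (assumed layout):
# ComboFix quarantine under C:\Qoobox\Quarantine, XP System Restore snapshots
# under System Volume Information\_restore{GUID}.
INERT_LOCATIONS = (
    ("quarantine", re.compile(r"\\Qoobox\\Quarantine\\", re.IGNORECASE)),
    ("system_restore",
     re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\", re.IGNORECASE)),
)


def parse_detections(report_text):
    """Return one dict per detection line (path, verdict, threat, count)."""
    detections = []
    for line in report_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            detections.append(d)
    return detections


def classify_path(path):
    """Return 'quarantine', 'system_restore' or 'live' for a detected path."""
    for label, pattern in INERT_LOCATIONS:
        if pattern.search(path):
            return label
    return "live"


def triage(report_text):
    """Classify every detection; return (counts per location, live hits)."""
    detections = parse_detections(report_text)
    for d in detections:
        d["location"] = classify_path(d["path"])
    counts = Counter(d["location"] for d in detections)
    live_hits = [d for d in detections if d["location"] == "live"]
    return counts, live_hits


if __name__ == "__main__":
    counts, live_hits = triage(SAMPLE_REPORT)
    print("detections by location:", dict(counts))
    for d in live_hits:
        print("active file needs attention:", d["path"], d["threat"])
```

Only the `live` bucket is worth escalating; the other two go away when the quarantine folder is purged and old restore points are cleared, which is the normal housekeeping step at the end of a cleanup like this one.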

#11 villyvonka
  • Topic Starter

Posted 08 May 2010 - 03:54 AM

Oh, thank you so much :)

I had one other question: should I remove/delete the programs I downloaded, such as DDS, GMER, Defogger, and TFC,
or should I keep them stored on the PC?

Here is the DDS log, and I put the ark log as an attachment, because I wasn't sure if I am allowed to post it in the reply.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Zavala at 23:01:08.12 on Fri 05/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.463 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Zavala\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=15557&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5BCC24A7-7D3F-4CC9-AC86-4380FCD68D1E} - hxxp://esupport.trendmicro.com/_layouts/1033/GetPCInfo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.att.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AutorunsDisabled - WgaLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zavala\applic~1\mozilla\firefox\profiles\xmpyi7zc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-4-25 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-4-25 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-4-25 144704]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-3-28 97280]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-4-25 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-25 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-25 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-4-25 40552]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-14 1691480]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\atmfbus.sys --> c:\windows\system32\drivers\ATMFBUS.sys [?]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\atmfcvsp.sys --> c:\windows\system32\drivers\ATMFCVsp.sys [?]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\atmfflt.sys --> c:\windows\system32\drivers\ATMFFLT.sys [?]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\atmfmdm.sys --> c:\windows\system32\drivers\ATMFMdm.sys [?]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\atmfnet.sys --> c:\windows\system32\drivers\ATMFNET.sys [?]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\atmfnvsp.sys --> c:\windows\system32\drivers\ATMFNVsp.sys [?]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\atmfvsp.sys --> c:\windows\system32\drivers\ATMFVsp.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-4-25 34248]

=============== Created Last 30 ================

2010-05-08 05:59:11 214 ----a-w- c:\windows\HP_InstantSHareJPG.ini
2010-05-08 05:59:01 217 ----a-w- c:\windows\HP_IZClosingDiscErrorPatch.ini
2010-05-08 05:58:34 214 ----a-w- c:\windows\HP_48BitScanUpdatePatch.ini
2010-05-08 05:54:48 221 ----a-w- c:\windows\HP_RedboxHprblog_HPSU.ini
2010-05-08 05:46:34 0 d-----w- c:\docume~1\zavala\applic~1\HpUpdate
2010-05-08 05:46:29 0 d-----w- c:\windows\Hewlett-Packard
2010-05-07 22:31:48 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-07 02:24:22 0 d-----w- c:\program files\common files\Sonic Shared
2010-05-07 02:18:45 0 d-----w- c:\windows\system32\URTTEMP
2010-05-07 02:16:54 0 d-----w- c:\program files\common files\Hewlett-Packard
2010-05-07 02:16:00 77824 ----a-r- c:\windows\system32\hpzids01.dll
2010-05-07 02:15:57 37376 ----a-w- c:\windows\system32\hpz3l3xu.dll
2010-05-07 02:15:40 274432 ----a-r- c:\windows\system32\HPZc3212.dll
2010-05-07 02:15:40 258122 ----a-r- c:\windows\system32\hpovst09.dll
2010-05-07 02:15:12 827392 ----a-r- c:\windows\system32\hpotiop2.dll
2010-05-07 02:15:11 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-05-07 02:15:11 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-05-07 02:15:11 278528 ----a-r- c:\windows\system32\hpowiamd.dll
2010-05-07 02:15:02 160 ----a-w- c:\windows\system32\AddPort.ini
2010-05-07 02:14:47 687 ----a-w- c:\windows\hpntwksetup.ini
2010-05-07 02:09:40 88397 ----a-w- c:\windows\hpoins06.dat
2010-05-07 02:09:40 5389 ------w- c:\windows\hpomdl06.dat
2010-05-06 00:19:49 0 d-sha-r- C:\cmdcons
2010-05-06 00:12:23 98816 ----a-w- c:\windows\sed.exe
2010-05-06 00:12:23 77312 ----a-w- c:\windows\MBR.exe
2010-05-06 00:12:23 256512 ----a-w- c:\windows\PEV.exe
2010-05-06 00:12:23 161792 ----a-w- c:\windows\SWREG.exe
2010-05-02 02:21:55 0 ----a-w- c:\documents and settings\zavala\defogger_reenable
2010-04-27 12:22:38 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-25 08:51:45 10527 ----a-w- c:\windows\system32\Config.MPF
2010-04-25 08:48:11 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-25 08:48:11 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-04-25 08:48:11 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-25 08:48:04 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-04-25 08:47:29 0 d-----w- c:\program files\common files\McAfee
2010-04-25 08:47:28 0 d-----w- c:\program files\McAfee.com
2010-04-25 08:47:16 0 d-----w- c:\program files\McAfee
2010-04-25 08:43:31 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-04-24 06:36:37 0 d-----w- c:\docume~1\zavala\applic~1\CasualForge
2010-04-24 06:36:37 0 d-----w- c:\docume~1\alluse~1\applic~1\CasualForge
2010-04-19 22:49:09 0 d-----w- c:\program files\Virtual Villagers - The Lost Children
2010-04-19 22:13:11 0 d-----w- c:\program files\Virtual Villagers
2010-04-14 19:36:51 100864 -c----w- c:\windows\system32\dllcache\6to4svc.dll
2010-04-14 19:35:31 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-04-14 19:35:27 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-04-14 04:42:46 0 d-----w- c:\program files\iPod
2010-04-14 04:42:22 0 d-----w- c:\program files\iTunes
2010-04-14 04:42:22 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 04:28:02 0 d-----w- c:\program files\Bonjour
2010-04-09 00:39:13 0 d-----w- c:\program files\Oberon Media

==================== Find3M ====================

2010-04-26 09:42:14 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-14 04:15:03 52028 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 08:29:51 22542 ----a-w- c:\windows\hpqins19.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 10:41:26 218624 ----a-w- c:\windows\system32\uxtheme.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 16:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-09 02:45:16 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2010-02-09 02:45:16 358944 ----a-w- c:\windows\vncutil.exe
2010-02-09 02:45:16 1833504 ----a-w- c:\windows\SkyTel.exe
2010-02-09 02:45:12 9721888 ----a-w- c:\windows\RTLCPL.EXE
2010-02-09 02:45:12 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-02-09 02:45:06 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-02-09 02:45:04 18790432 ----a-w- c:\windows\RTHDCPL.EXE
2010-02-09 02:45:04 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-02-09 02:44:58 2177568 ----a-w- c:\windows\MicCal.exe
2010-02-09 02:44:52 64032 ----a-w- c:\windows\ALCMTR.EXE
2010-02-09 02:44:52 2815520 ----a-w- c:\windows\ALCWZRD.EXE

============= FINISH: 23:01:51.79 ===============

Attached Files

  • Attached File: ark.txt (56.57 KB)


#12 sempai
  • Malware Response Team

Posted 08 May 2010 - 05:12 AM

Hi,

QUOTE
I had one other question: should I remove/delete the programs I downloaded, such as DDS, GMER, Defogger, and TFC,
or should I keep them stored on the PC?

Don't worry, I will give you the proper instructions on how to remove them once we're done. :)


A few minor fixes before we proceed with the housekeeping.


1. Backup Your Registry with ERUNT
  • Please download ERUNT.
  • Follow the detailed instructions HERE on how to install and run ERUNT.
  • Make sure that you have successfully installed and run ERUNT before proceeding with the next instruction.



2. Launch Notepad and copy/paste the contents of the code box below (do not include the word CODE) into a new text file. Save it on your Desktop as fixme.reg; for "Save as type", choose All Files.

CODE
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"=-

  • Locate fixme.reg on your Desktop and double-click on it.
  • You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
  • Answer "Yes" and wait for a message to appear similar to "Merged Successfully".


3. Please run another DDS scan and post the report so I can review whether the fix was successful. Thanks.


~Semp


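To see what the fixme.reg above actually changes, it helps to line the DDS "Pseudo HJT Report" entries up against the registry keys they come from and then apply the `"Name"=-` deletion to that view. The following is an added Python example written for this thread; it is not code from DDS, from ERUNT or from sempai. It assumes the usual DDS prefix convention (`u` = HKEY_CURRENT_USER, `m` = HKEY_LOCAL_MACHINE, `d` = HKEY_USERS\.DEFAULT) and only models Run/RunOnce lines; the autostart lines are taken from the earlier DDS log in this thread, and the review heuristics (flag nameless values and RunOnce entries for the default user profile) are the example's own.

```python
"""Parse DDS Run/RunOnce lines, apply a REGEDIT4 value deletion, re-review.

Added example for the thread above; assumes u/m/d = HKCU/HKLM/HKU\\.DEFAULT.
"""
import re

# Autostart lines taken from the pre-fix DDS log posted earlier in this thread.
DDS_SAMPLE = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [McENUI] c:\\progra~1\\mcafee\\mhn\\McENUI.exe /hide
mRun: [HP Software Update] c:\\program files\\hp\\hp software update\\HPWuSchd2.exe
mRun: [<NO NAME>]
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
"""

# The fixme.reg from the reply above. In REGEDIT4 syntax, "Name"=- under a
# [key] header deletes that value from the key.
FIXME_REG = """\
REGEDIT4

[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
"ShowDeskFix"=-
"""

# Assumed DDS prefix -> hive mapping.
HIVE_BY_PREFIX = {"u": "HKEY_CURRENT_USER", "m": "HKEY_LOCAL_MACHINE",
                  "d": r"HKEY_USERS\.DEFAULT"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion"
DEFAULT_RUNONCE = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# e.g.  dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
LINE_RE = re.compile(
    r"^(?P<prefix>[umd])(?P<kind>Run|RunOnce): \[(?P<name>[^\]]*)\]\s*(?P<command>.*)$"
)


def parse_dds_autostarts(text):
    """Map full registry key -> {value name: command} from DDS Run/RunOnce lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = "\\".join([HIVE_BY_PREFIX[m["prefix"]], RUN_KEY, m["kind"]])
        entries.setdefault(key, {})[m["name"]] = m["command"]
    return entries


def parse_reg_deletions(reg_text):
    """Return {key: set of value names} for every "Name"=- line in a REGEDIT4 file."""
    deletions, current_key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and line.startswith('"') and line.endswith('"=-'):
            deletions.setdefault(current_key, set()).add(line[1:-3])
    return deletions


def apply_deletions(entries, deletions):
    """Drop deleted values from the parsed view; return the (key, name) pairs removed."""
    removed = []
    for key, names in deletions.items():
        for name in sorted(names):
            if name in entries.get(key, {}):
                del entries[key][name]
                removed.append((key, name))
    return removed


def review(entries):
    """Heuristic review: nameless/empty values and RunOnce under the default profile."""
    findings = []
    for key, values in entries.items():
        for name, command in values.items():
            if name == "<NO NAME>" or not command.strip():
                findings.append(("empty-or-nameless", key, name))
            if key == DEFAULT_RUNONCE:
                findings.append(("default-user-runonce", key, name))
    return findings


def demo():
    """Review before the fix, apply fixme.reg, review again."""
    entries = parse_dds_autostarts(DDS_SAMPLE)
    before = review(entries)
    removed = apply_deletions(entries, parse_reg_deletions(FIXME_REG))
    after = review(entries)
    return before, removed, after


if __name__ == "__main__":
    before, removed, after = demo()
    print("findings before:", before)
    print("removed by fixme.reg:", removed)
    print("findings after:", after)
```

The same comparison is what the follow-up DDS log is for: after the merge, the `dRunOnce: [ShowDeskFix]` line should no longer appear, while the `mRun: [<NO NAME>]` entry, which the .reg file does not touch, will still be listed.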

#13 villyvonka
  • Topic Starter

Posted 08 May 2010 - 07:00 PM

Oh, OK.

Here is the DDS log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Zavala at 16:58:19.20 on Sat 05/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.374 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Documents and Settings\Zavala\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=15557&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5BCC24A7-7D3F-4CC9-AC86-4380FCD68D1E} - hxxp://esupport.trendmicro.com/_layouts/1033/GetPCInfo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.att.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AutorunsDisabled - WgaLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zavala\applic~1\mozilla\firefox\profiles\xmpyi7zc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-4-25 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-4-25 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-4-25 144704]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-3-28 97280]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-4-25 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-25 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-25 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-4-25 40552]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-14 1691480]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\atmfbus.sys --> c:\windows\system32\drivers\ATMFBUS.sys [?]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\atmfcvsp.sys --> c:\windows\system32\drivers\ATMFCVsp.sys [?]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\atmfflt.sys --> c:\windows\system32\drivers\ATMFFLT.sys [?]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\atmfmdm.sys --> c:\windows\system32\drivers\ATMFMdm.sys [?]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\atmfnet.sys --> c:\windows\system32\drivers\ATMFNET.sys [?]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\atmfnvsp.sys --> c:\windows\system32\drivers\ATMFNVsp.sys [?]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\atmfvsp.sys --> c:\windows\system32\drivers\ATMFVsp.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-4-25 34248]

=============== Created Last 30 ================

2010-05-08 05:59:11 214 ----a-w- c:\windows\HP_InstantSHareJPG.ini
2010-05-08 05:59:01 217 ----a-w- c:\windows\HP_IZClosingDiscErrorPatch.ini
2010-05-08 05:58:34 214 ----a-w- c:\windows\HP_48BitScanUpdatePatch.ini
2010-05-08 05:54:48 221 ----a-w- c:\windows\HP_RedboxHprblog_HPSU.ini
2010-05-08 05:46:34 0 d-----w- c:\docume~1\zavala\applic~1\HpUpdate
2010-05-08 05:46:29 0 d-----w- c:\windows\Hewlett-Packard
2010-05-07 22:31:48 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-07 02:24:22 0 d-----w- c:\program files\common files\Sonic Shared
2010-05-07 02:18:45 0 d-----w- c:\windows\system32\URTTEMP
2010-05-07 02:16:54 0 d-----w- c:\program files\common files\Hewlett-Packard
2010-05-07 02:16:00 77824 ----a-r- c:\windows\system32\hpzids01.dll
2010-05-07 02:15:57 37376 ----a-w- c:\windows\system32\hpz3l3xu.dll
2010-05-07 02:15:40 274432 ----a-r- c:\windows\system32\HPZc3212.dll
2010-05-07 02:15:40 258122 ----a-r- c:\windows\system32\hpovst09.dll
2010-05-07 02:15:12 827392 ----a-r- c:\windows\system32\hpotiop2.dll
2010-05-07 02:15:11 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-05-07 02:15:11 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-05-07 02:15:11 278528 ----a-r- c:\windows\system32\hpowiamd.dll
2010-05-07 02:15:02 160 ----a-w- c:\windows\system32\AddPort.ini
2010-05-07 02:14:47 687 ----a-w- c:\windows\hpntwksetup.ini
2010-05-07 02:09:40 88397 ----a-w- c:\windows\hpoins06.dat
2010-05-07 02:09:40 5389 ------w- c:\windows\hpomdl06.dat
2010-05-06 00:19:49 0 d-sha-r- C:\cmdcons
2010-05-06 00:12:23 98816 ----a-w- c:\windows\sed.exe
2010-05-06 00:12:23 77312 ----a-w- c:\windows\MBR.exe
2010-05-06 00:12:23 256512 ----a-w- c:\windows\PEV.exe
2010-05-06 00:12:23 161792 ----a-w- c:\windows\SWREG.exe
2010-05-02 02:21:55 0 ----a-w- c:\documents and settings\zavala\defogger_reenable
2010-04-27 12:22:38 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-25 08:51:45 10527 ----a-w- c:\windows\system32\Config.MPF
2010-04-25 08:48:11 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-25 08:48:11 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-04-25 08:48:11 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-25 08:48:04 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-04-25 08:47:29 0 d-----w- c:\program files\common files\McAfee
2010-04-25 08:47:28 0 d-----w- c:\program files\McAfee.com
2010-04-25 08:47:16 0 d-----w- c:\program files\McAfee
2010-04-25 08:43:31 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-04-24 06:36:37 0 d-----w- c:\docume~1\zavala\applic~1\CasualForge
2010-04-24 06:36:37 0 d-----w- c:\docume~1\alluse~1\applic~1\CasualForge
2010-04-19 22:49:09 0 d-----w- c:\program files\Virtual Villagers - The Lost Children
2010-04-19 22:13:11 0 d-----w- c:\program files\Virtual Villagers
2010-04-14 19:36:51 100864 -c----w- c:\windows\system32\dllcache\6to4svc.dll
2010-04-14 19:35:31 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-04-14 19:35:27 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-04-14 04:42:46 0 d-----w- c:\program files\iPod
2010-04-14 04:42:22 0 d-----w- c:\program files\iTunes
2010-04-14 04:42:22 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 04:28:02 0 d-----w- c:\program files\Bonjour
2010-04-09 00:39:13 0 d-----w- c:\program files\Oberon Media

==================== Find3M ====================

2010-04-26 09:42:14 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-14 04:15:03 52028 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 08:29:51 22542 ----a-w- c:\windows\hpqins19.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 10:41:26 218624 ----a-w- c:\windows\system32\uxtheme.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 16:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-09 02:45:16 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2010-02-09 02:45:16 358944 ----a-w- c:\windows\vncutil.exe
2010-02-09 02:45:16 1833504 ----a-w- c:\windows\SkyTel.exe
2010-02-09 02:45:12 9721888 ----a-w- c:\windows\RTLCPL.EXE
2010-02-09 02:45:12 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-02-09 02:45:06 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-02-09 02:45:04 18790432 ----a-w- c:\windows\RTHDCPL.EXE
2010-02-09 02:45:04 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-02-09 02:44:58 2177568 ----a-w- c:\windows\MicCal.exe
2010-02-09 02:44:52 64032 ----a-w- c:\windows\ALCMTR.EXE
2010-02-09 02:44:52 2815520 ----a-w- c:\windows\ALCWZRD.EXE

============= FINISH: 16:59:04.54 ===============
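
The log above is what the helper reads before declaring the machine clean: the Pseudo HJT Report lists browser helper objects, toolbars, Run keys and ActiveX downloads (DPF), and the SERVICES / DRIVERS section shows with `[?]` a registered driver whose file DDS could not find (the Cricket ATMF* modem entries here). As an added example, not part of the post and not a DDS feature, the script below parses an excerpt of that log and picks out the lines a reviewer would check first: Run values with no command (the `[<NO NAME>]` entry), Run commands given as a bare file name that is found through the search path, DPF download hosts, and missing driver files. The excerpt is copied from the log, the check names and the `Finding` class are this example's own, and nothing on the machine is touched.

```python
"""Flag lines in a DDS log that a reviewer checks by hand.

Added example; not part of the forum post and not a DDS feature.  It reads the
text of a log only and never touches the registry or the file system.
SAMPLE_LOG is an excerpt of the log posted above; the check names and the
Finding class are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Excerpt copied from the posted log: one or two lines per check below.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\atmfbus.sys --> c:\windows\system32\drivers\ATMFBUS.sys [?]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\atmfmdm.sys --> c:\windows\system32\drivers\ATMFMdm.sys [?]
"""

RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DRIVER_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(?P<rest>.*)$")
DPF_RE = re.compile(r"^DPF:\s*\{[^}]+\}\s*-\s*(?P<url>\S+)")
QUALIFIED_RE = re.compile(r"^([a-zA-Z]:\\|%[^%]+%)")   # drive letter or %var% prefix

@dataclass
class Finding:
    check: str    # which check fired
    line: str     # the log line, unchanged
    reason: str   # what the reviewer should confirm

def _executable(cmd: str) -> str:
    """Executable part of a Run command: the quoted path, or the first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if not cmd:
                findings.append(Finding("run-empty", line,
                    "Run value with no command: nothing executes, but compare with an earlier log"))
            elif not QUALIFIED_RE.match(_executable(cmd)):
                findings.append(Finding("run-unqualified", line,
                    "command has no path, so it is located via the search path; confirm which file actually runs"))
            continue
        m = DRIVER_RE.match(line)
        if m and m.group("rest").endswith("[?]"):
            findings.append(Finding("driver-missing", line,
                "registered driver whose file DDS could not find on disk"))
            continue
        m = DPF_RE.match(line)
        if m:
            # DDS defangs URLs as hxxp://; take just the host part
            host = re.sub(r"^hxxps?://", "", m.group("url")).split("/", 1)[0]
            findings.append(Finding("dpf", line,
                f"ActiveX control downloaded from {host}; confirm the host is expected"))
    return findings

def counts(log_text: str) -> Dict[str, int]:
    """Number of findings per check, handy for comparing two logs."""
    out: Dict[str, int] = {}
    for f in triage(log_text):
        out[f.check] = out.get(f.check, 0) + 1
    return out

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.check}] {f.line}\n    {f.reason}")
```

Every hit is a line to confirm, not a verdict: the bare-name Realtek entries and the download.microsoft.com control are ordinary on this machine, and the helper's conclusion that the log is clean is consistent with the output. The value of the script is in diffing `counts()` across the logs posted before and after a fix.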


#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:42 PM

Posted 08 May 2010 - 10:59 PM

Hi villyvonka,

That will do it.


++++++++++++++++++++++++++++++++

Updates:

1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of  Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.



2. Download the latest version of Adobe Reader. --> HERE
  • Uncheck Free McAfee® Security Scan Plus.
  • Click download and install it by following the prompts.


++++++++++++++++++++++++++++++++

Housekeeping:

Uninstall:
1. ComboFix
  • Click Start > Run > copy/paste the following bolded text into the Run box and click OK:
    ComboFix /Uninstall

2. ERUNT
  • Go to Control Panel > Add Remove Programs > locate and remove ERUNT.



Delete:
1. GMER
2. DDS
3. TFC *(You have the option to keep TFC as your temp file cleaner).



Others:
1. Please run Defogger and click the Enable button to enable your CD emulation drivers. Reboot if asked.
2. You can now delete Defogger.




++++++++++++++++++++++++++++++++


Your log is clean. Please change all your offline and online passwords.

Take the time to read below to secure your machine and take the necessary steps to keep it clean.
How to prevent Malware: by miekiemoes
How to increase PC speed: by miekiemoes

Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware


Practice Safe Internet
One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee SiteAdvisor to look up info on the site.
  10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.


Thanks,
~Semp



#15 villyvonka

villyvonka
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 09 May 2010 - 01:16 AM

Ok I have removed the programs, and decided to keep TFC for future use.
I also updated Java and adobe reader.


Thank you so much for all of your help.



