Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google giving me wrong results too!


  • This topic is locked This topic is locked
18 replies to this topic

#1 bri2k

bri2k

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 31 May 2009 - 08:33 PM

Hello,

Just like the other user, google is suddenly giving me wrong results too. I am getting a popup for various sites, one of which is google.

Thanks in advance for any help. Logs are attached.

Attached Files



BC AdBot (Login to Remove)

 


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 31 May 2009 - 09:49 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am Posted Image and I am here to help you!



I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

As I am in training an Expert Coach will assist me in your fix. Your benefit will be "four eyes and two brains" but responses may be somewhat delayed so please be patient!!!!

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

I will review your logs and post instructions forthcoming.
Regards,
t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 01 June 2009 - 07:10 AM

Thank you for your help.

Regards,
Brian

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 01 June 2009 - 10:01 PM

Hello again,
Sorry for the delay. The forum is exceptionally busy. I have reviewed your logs and proposed a fix. I am patiently waiting for my coach to approve the clean-up. If possible I would encourage you to minimize use of that computer until we can get it cleaned up. I appreciate your patience.
Regards,
t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 02 June 2009 - 06:42 AM

Hello,

I appreciate your help. Thanks.

Brian

#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 02 June 2009 - 06:39 PM

Hello again,
Let's get started.

**********

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

**********

:thumbup2: P2P Warning :)

Your log indicates that you have Azureus installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall Azureus, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

**********

Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

**********

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


**********

I don't see an Anti Virus Program running on your machine
  • Download and install an antivirus program, and make sure that you keep it updated


    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Please download, install and run the program now. Copy and paste the logfile results in your next post.

**********

With your next post please provide:
* MBAM log
* Combofix.txt
* Antivirus scan log
* How is your computer running?
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 02 June 2009 - 08:59 PM

Hello,

Thank you again for your help. Running into some issues that I am hoping you can resolve. I dl mbam and ran it. Here is the log (read info after log):
Malwarebytes' Anti-Malware 1.37
Database version: 2217
Windows 5.1.2600 Service Pack 2

6/2/2009 9:28:33 PM
mbam-log-2009-06-02 (21-28-33).txt

Scan type: Quick Scan
Objects scanned: 120341
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Infected: 6
Memory Modules Infected: 0
Registry Keys Infected: 91
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 20

Memory Processes Infected:
C:\WINDOWS\pp10.exe (Worm.KoobFace) -> Unloaded process successfully.
C:\WINDOWS\system32\SYSDLL.exe (Trojan.Proxy) -> Unloaded process successfully.
C:\WINDOWS\system32\SYSDLL.exe (Trojan.Proxy) -> Unloaded process successfully.
C:\WINDOWS\pp10.exe (Worm.KoobFace) -> Unloaded process successfully.
C:\WINDOWS\system32\SYSDLL.exe (Trojan.Proxy) -> Unloaded process successfully.
C:\WINDOWS\9129837.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASECURITYCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdll (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\sysloc (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\pp10.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SYSDLL.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\WINDOWS\9129837.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\ld08.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\$winnt$p.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\1031r.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Brian\local settings\temporary internet files\Content.IE5\EVRZCI9J\pp.10[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Brian\local settings\temporary internet files\Content.IE5\IPIKFGWG\6244[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\Brian\local settings\temporary internet files\Content.IE5\M4CYYIH1\nfr[1].exe (Trojan.Proxy) -> Quarantined and deleted successfully.
c:\documents and settings\temp.brianlaptop.000\local settings\temporary internet files\Content.IE5\Q6I52RTR\nfr[1].exe (Trojan.Proxy) -> Quarantined and deleted successfully.
c:\documents and settings\temp.brianlaptop.000\local settings\temporary internet files\Content.IE5\S17VPK9U\6244[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sysloc\sysloc.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\freddy44.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\msmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Brian\Application Data\Google\spcffwl.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\f23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sonce122713.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sonce122730.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sonce122739.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

Once I quarantined and then rebooted, I could no longer access the internet. At this time, I had not dl combofix or an antivirus software. So.....I un-quarantined all that was in the log so that I could access this page, dl combo fix, and an antivirus software, and now will run mbam again, quarantine everything, run combo fix.

I am not sure I will be able to access the internet after that, but I am hoping you can help me with that.

Best,
Brian

#8 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 02 June 2009 - 09:41 PM

Hello,

Here is a follow up. I re-ran mbam and here is the log:
Malwarebytes' Anti-Malware 1.37
Database version: 2217
Windows 5.1.2600 Service Pack 2

6/2/2009 10:14:39 PM
mbam-log-2009-06-02 (22-14-39).txt

Scan type: Quick Scan
Objects scanned: 113247
Time elapsed: 9 minute(s), 57 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 1
Registry Keys Infected: 90
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 20

Memory Processes Infected:
C:\WINDOWS\ld08.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\pp10.exe (Worm.KoobFace) -> Unloaded process successfully.
C:\WINDOWS\system32\SYSDLL.exe (Trojan.Proxy) -> Unloaded process successfully.
C:\WINDOWS\system32\SYSDLL.exe (Trojan.Proxy) -> Unloaded process successfully.
C:\WINDOWS\9129837.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\$winnt$p.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASECURITYCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdll (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\sysloc (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\$winnt$p.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\ld08.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\pp10.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SYSDLL.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\WINDOWS\9129837.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Brian\local settings\temporary internet files\Content.IE5\EVRZCI9J\pp.10[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Brian\local settings\temporary internet files\Content.IE5\IPIKFGWG\6244[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\Brian\local settings\temporary internet files\Content.IE5\M4CYYIH1\nfr[1].exe (Trojan.Proxy) -> Quarantined and deleted successfully.
c:\documents and settings\Brian\local settings\temporary internet files\Content.IE5\M4CYYIH1\6244[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\temp.brianlaptop.000\local settings\temporary internet files\Content.IE5\Q6I52RTR\nfr[1].exe (Trojan.Proxy) -> Quarantined and deleted successfully.
c:\documents and settings\temp.brianlaptop.000\local settings\temporary internet files\Content.IE5\S17VPK9U\6244[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sysloc\sysloc.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\freddy44.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\msmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Brian\Application Data\Google\spcffwl.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\f23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sonce122713.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sonce122730.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sonce122739.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

I then ran combo fix and here is the log:
ComboFix 09-06-01.03 - Brian 06/02/2009 22:22.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1600 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brian\Application Data\wiaserva.log
c:\windows\system32\1031r.exe
c:\windows\system32\drivers\e351edf0.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_dcomlaunchswprv
-------\Service_DcomLaunchSwPrv
-------\Service_e351edf0


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 02:29 . 2009-06-03 02:29 32 --s-a-w- c:\windows\system32\1892631811.dat
2009-06-03 01:45 . 2009-06-03 01:45 -------- d--h--w- c:\windows\system32\WLANProfiles
2009-06-03 01:45 . 2009-06-03 01:45 -------- d--h--w- C:\Settings
2009-06-03 01:44 . 2009-06-03 01:44 -------- d-----w- c:\documents and settings\temp.brianlaptop.000
2009-05-30 10:04 . 2009-05-30 10:04 140 ----a-w- C:\487656.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 02:29 . 2005-10-13 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2009-06-03 02:29 . 2009-06-03 02:30 56833 ----a-w- c:\windows\9129837.exe
2009-06-03 02:29 . 2009-06-03 02:29 51712 --sh--r- c:\windows\system32\advapi32y.exe
2009-06-03 01:16 . 2008-12-07 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 00:31 . 2009-01-07 02:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-26 17:20 . 2008-12-07 18:50 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-12-07 18:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-06 14:44 . 2004-08-10 17:51 283648 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ttool"="c:\windows\9129837.exe" [2009-06-03 56833]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

c:\documents and settings\Brian\Start Menu\Programs\Startup\
fqosys32.exe [2004-8-4 27648]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avadmin.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcenter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconfig.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconsol.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgnt.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avguard.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdagent.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwadins.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwebupw.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ekrn.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\filemon.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GFRing3.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardgui.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASMain.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASTask.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAV32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVDX.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPF.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVStart.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32X.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapw32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVNT.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVW32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVWNT.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\niu.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\OllyDBG.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regmon.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RegTool.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scan32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vsserv.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zonealarm.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]
"Debugger"=ntsd -d

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 PlugPlayTapiSrv;Plug and Play PlugPlayTapiSrv;c:\windows\system32\advapi32y.exe srv --> c:\windows\system32\advapi32y.exe srv [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [6/19/2007 2:21 AM 18560]
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\ip3s6ic5.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 22:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1076)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1892)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\brss01a.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-03 22:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 02:35
ComboFix2.txt 2009-01-10 20:08

Pre-Run: 9,179,996,160 bytes free
Post-Run: 9,390,850,048 bytes free

353 --- E O F --- 2009-04-18 22:11

The computer is connecting to the internet and seems to be working a lot faster.

One question off topic. Can hackers get passwords if I have not logged into a page and do not keep them stored? I have not logged into my bank info and do not keep that password stored. Do I still need to change it?

Best,
Brian

#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 03 June 2009 - 12:02 AM

Hi Brian. Great Job! :thumbup2:
The computer is connecting to the internet and seems to be working a lot faster.
Good & bad. We still have more work to do. The koobface worm has established a proxy with your internet connection. We will fix that!
One question off topic. Can hackers get passwords if I have not logged into a page and do not keep them stored? I have not logged into my bank info and do not keep that password stored. Do I still need to change it?
I would change my passwords & alert your financial institution if you have entered those passwords or done any financial transactions on that computer.

**********

Do this.....

-In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

-In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver.

**********

Right mouse click Combofix.exe and delete it!!

**********

I do not see a recovery console installed.
Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download a fresh copy of ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Posted Image


Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Posted Image
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    Posted Image


  • At the next prompt, click 'No' to run the full ComboFix scan.
**********

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\487656.bat
c:\windows\9129837.exe
c:\windows\system32\1892631811.dat
c:\windows\system32\advapi32y.exe
c:\windows\9129837.exe
c:\documents and settings\Brian\Start Menu\Programs\Startup\fqosys32.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avadmin.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcenter.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconfig.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconsol.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgnt.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avguard.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdagent.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwadins.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwebupw.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ekrn.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\filemon.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GFRing3.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardgui.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASMain.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASTask.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAV32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVDX.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPF.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVStart.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32X.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapw32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVNT.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVW32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVWNT.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\niu.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\OllyDBG.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regmon.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RegTool.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scan32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vsserv.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zonealarm.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ttool"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**********

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
**********

Try performing an online scan with Kaspersky WebScanner.

(Requires free Java Runtime Environment (JRE) be installed before scanning for malware as ActiveX is no longer being used.)
  • Click on the Posted Image ...button.
  • The program will launch and fill in the Information section ... on the left.
  • Read the "Requirements and Limitations" then press... the Posted Image ...button.
  • The program will begin downloading the latest program and definition files.

    It takes a while... please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.

    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:

      Viruses, Worms, Trojan Horses, Rootkits

      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):

      Archives

      Mail databases

      By default the above items should already be checked.
    • Click the Posted Image ...button, if you made any changes.
  • Now under the Scan section on the left:Select My Computer
  • The program will start and scan your system. This will run for a while, be patient... let it run.

    Once the scan is complete, it will display if your system has been infected.
  • Save the scan results as a Text file ... save it to your desktop.
  • Copy and paste the saved scan results file in your next reply.
**********

With your next post please provide:

* Combofix.txt
* Gmer.log
* Kaspersky log
* How is your computer running?
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#10 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 03 June 2009 - 01:03 PM

Hello,

Thank you again. I followed the instructions perfectly, however, when I ran combofix with the win xp home sp2 file, it said, attempting to create restore point, but it didn't do anything. It ran combo fix. Here is the first log:
ComboFix 09-06-01.03 - Brian 06/03/2009 8:10.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1545 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\9129837.exe
c:\windows\system32\advapi32y.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PlugPlayTapiSrv


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 12:15 . 2009-06-03 12:15 54784 --sh--r- c:\windows\system32\activedss.exe
2009-06-03 02:29 . 2009-06-03 12:15 32 --s-a-w- c:\windows\system32\1892631811.dat
2009-06-03 01:45 . 2009-06-03 01:45 -------- d--h--w- c:\windows\system32\WLANProfiles
2009-06-03 01:45 . 2009-06-03 01:45 -------- d--h--w- C:\Settings
2009-06-03 01:44 . 2009-06-03 01:44 -------- d-----w- c:\documents and settings\temp.brianlaptop.000
2009-05-30 10:04 . 2009-05-30 10:04 140 ----a-w- C:\487656.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 12:15 . 2005-10-13 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2009-06-03 12:15 . 2009-06-03 12:17 56833 ----a-w- c:\windows\9129837.exe
2009-06-03 01:16 . 2008-12-07 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 00:31 . 2009-01-07 02:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-26 17:20 . 2008-12-07 18:50 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-12-07 18:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-06 14:44 . 2004-08-10 17:51 283648 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ttool"="c:\windows\9129837.exe" [2009-06-03 56833]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

c:\documents and settings\Brian\Start Menu\Programs\Startup\
fqosys32.exe [2004-8-4 27648]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avadmin.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcenter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconfig.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconsol.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgnt.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avguard.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdagent.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwadins.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwebupw.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ekrn.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\filemon.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GFRing3.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardgui.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASMain.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASTask.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAV32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVDX.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPF.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVStart.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPFW32X.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapw32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVNT.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVW32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVWNT.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\niu.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\OllyDBG.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regmon.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RegTool.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scan32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vsserv.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zonealarm.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]
"Debugger"=ntsd -d

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 wuauservAppMgmt;Automatic Updates wuauservAppMgmt;c:\windows\system32\activedss.exe srv --> c:\windows\system32\activedss.exe srv [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [6/19/2007 2:21 AM 18560]
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\ip3s6ic5.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 08:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1080)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3152)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\brss01a.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-03 8:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 12:21
ComboFix2.txt 2009-06-03 02:35
ComboFix3.txt 2009-01-10 20:08

Pre-Run: 9,380,818,944 bytes free
Post-Run: 9,377,587,200 bytes free

347 --- E O F --- 2009-04-18 22:11

I then copied the text you provided, dropped it into combo fix, and here is the log:
ComboFix 09-06-01.03 - Brian 06/03/2009 8:24.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1562 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt

FILE ::
"C:\487656.bat"
"c:\documents and settings\Brian\Start Menu\Programs\Startup\fqosys32.exe"
"c:\windows\9129837.exe"
"c:\windows\system32\1892631811.dat"
"c:\windows\system32\advapi32y.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\487656.bat
c:\documents and settings\Brian\Application Data\wiaserva.log
c:\documents and settings\Brian\Start Menu\Programs\Startup\fqosys32.exe
c:\windows\9129837.exe
c:\windows\system32\1892631811.dat
c:\windows\system32\activedss.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_wuauservAppMgmt


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 01:45 . 2009-06-03 01:45 -------- d--h--w- c:\windows\system32\WLANProfiles
2009-06-03 01:45 . 2009-06-03 01:45 -------- d--h--w- C:\Settings
2009-06-03 01:44 . 2009-06-03 01:44 -------- d-----w- c:\documents and settings\temp.brianlaptop.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 12:29 . 2005-10-13 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2009-06-03 01:16 . 2008-12-07 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 00:31 . 2009-01-07 02:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-26 17:20 . 2008-12-07 18:50 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-12-07 18:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-06 14:44 . 2004-08-10 17:51 283648 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [6/19/2007 2:21 AM 18560]
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\ip3s6ic5.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 08:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1080)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1468)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\brss01a.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-03 8:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 12:33
ComboFix2.txt 2009-06-03 12:22
ComboFix3.txt 2009-06-03 02:35
ComboFix4.txt 2009-01-10 20:08

Pre-Run: 9,397,477,376 bytes free
Post-Run: 9,372,708,864 bytes free

166 --- E O F --- 2009-04-18 22:11

I then ran gmer and here is the log:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-03 10:54:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\Brian\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\Brian\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Brian\Cookies\brian@go[2].txt 1431 bytes
File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes

---- EOF - GMER 1.0.15 ----

Finally, here is the kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, June 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 03, 2009 17:23:49
Records in database: 2302197
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 84936
Threat name: 5
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 02:06:54


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\1031r.exe.vir Infected: Trojan.Win32.Agent.cjwr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\advapi32y.exe.vir Infected: Backdoor.Win32.IRCBot.kna 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_e351edf0_.sys.zip Infected: Backdoor.Win32.NewRest.z 2
C:\Qoobox\Quarantine\[4]-Submit_2009-06-03_08.23.43.zip Infected: Trojan.Win32.Agent.cjxq 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP70\A0013918.exe Infected: Trojan.Win32.Agent.cjvg 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP73\A0014204.exe Infected: Trojan.Win32.Agent.cjwr 1

The selected area was scanned.


The computer is running better. Hopefully everything is fixed?

Brian

#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 04 June 2009 - 07:19 AM

Hello, Brian.
Almost done.
Do this...

:thumbup2: Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-

Save this as CFScript.txt, in the same location as ComboFix.exe
Posted Image
Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


**********

Congratulations! You now appear clean! :) The steps that follow must be completed to protect against reinfection. Pay particularly close attention to purging System Restore.

**********

I still do not see an installed Antivirus Program. It is critically important you install this now. Please produce a log for my review.
  • Download and install an antivirus program, and make sure that you keep it updated


    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Please download, install and run the program now. Copy and paste the logfile results in your next post.

**********

I also do not see an installed Firewall!!

Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (remember to uncheck Install Comodo Antivirus) or Zonealarm (remember to uncheck the spyware blocker toolbar option)
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

**********

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

**********

We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the Posted Image icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
**********

Reset System Restore <---- Important
You should disable and enable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to enable and enable system restore here:
Windows ME
Window XP
Windows Vista

Note: You should only do this once, not on a regular basis!
You will not be able to restore computer to any earlier than today!

**********

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    You are using Windows XP
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well. Software does not need to be made by Microsoft to be insecure. Download Secunia Software Inspector to keep all your software up to date.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :cool:.
With your next post please provide:

* Antivirus log
* Combofix.txt
* Any remaining problems
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#12 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 05 June 2009 - 06:59 AM

Hello,

I followed your steps again and dropped in the script for combofix and let it do its thing. I dl antivir and installed comodo firewall and since I have done those items, I cannot connect to the internet with my wireless network card. I don't want to uninstall either one. Could I have removed something that was tied in with my internet? It worked fine right before those two things?

Brian

#13 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 05 June 2009 - 07:32 AM

Hello,

I uninstalled comodo for the moment since that was interfering with my internet. I will have to try to figure out how to configure it to work. Below are my logs for combo and antivirus:

antivirus:


Avira AntiVir Personal
Report file date: Thursday, June 04, 2009 21:09

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : Brian
Computer name : BRIANLAPTOP

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 13:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:33:26
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 12:41:14
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 19:58:20
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 22:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 01:01:56
AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 16:44:25
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:41
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 18:06:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 01:01:56
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 20:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 01:01:56
AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 18:06:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 19:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 16:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, June 04, 2009 21:09

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'presetup.exe' - '1' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process '1XConfig.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'hidfind.exe' - '1' Module(s) have been scanned
Scan process 'ApntEx.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned
Scan process 'DIGServices.exe' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'Monitor.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'digstream.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned
Scan process 'CommandService.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'brss01a.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'WLKEEPER.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
54 processes with 54 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '60' files ).



End of the scan: Thursday, June 04, 2009 21:10
Used time: 00:14 Minute(s)

The scan has been done completely.

0 Scanned directories
479 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
479 Files not concerned
3 Archives were scanned
0 Warnings
0 Notes

combofix:
ComboFix 09-06-01.03 - Brian 06/04/2009 20:42.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1490 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-03 01:45 . 2009-06-03 01:45 -------- d--h--w- c:\windows\system32\WLANProfiles
2009-06-03 01:45 . 2009-06-03 01:45 -------- d--h--w- C:\Settings
2009-06-03 01:44 . 2009-06-03 01:44 -------- d-----w- c:\documents and settings\temp.brianlaptop.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 00:41 . 2005-10-13 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2009-06-03 01:16 . 2008-12-07 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 00:31 . 2009-01-07 02:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-26 17:20 . 2008-12-07 18:50 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-12-07 18:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [6/19/2007 2:21 AM 18560]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AUJASNKJ
*Deregistered* - aujasnkj
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\ip3s6ic5.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 20:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1080)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'explorer.exe'(2020)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-05 20:49
ComboFix-quarantined-files.txt 2009-06-05 00:48
ComboFix2.txt 2009-06-03 12:33
ComboFix3.txt 2009-06-03 12:22
ComboFix4.txt 2009-06-03 02:35
ComboFix5.txt 2009-06-05 00:41

Pre-Run: 9,339,142,144 bytes free
Post-Run: 9,410,924,544 bytes free

127 --- E O F --- 2009-04-18 22:11

#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 05 June 2009 - 08:57 AM

Hey Brian,
Still having troubles connecting to the internet? Or was Comodo interfering? If still unable to connect after disabling Comodo then.....when you double click the IE/FF icon what happens and what dialogue do you receive exactly?
Thanks for the clarification,
t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#15 bri2k

bri2k
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 05 June 2009 - 07:25 PM

Hello,

I uninstalled comodo and have no problems with the internet now. I have a wireless router and network card and with comodo, it's wasn't connecting to our network. If I have a router, do I need a software firewall?

Brian




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users