Hosts System File Infected


23 replies to this topic

#1 zcooler


Posted 21 November 2009 - 05:35 PM

Hello,

Recently, my computer had a bunch of malware installed on it, such as System Defender, Windows Protection Suite, etc. I ran a combination of MalwareBytes, Spybot, AdAware, and TrendMicro Housecall scans and I thought I got rid of it. I was a bit skeptical though because whenever I went to google.com, it would redirect me to google.nl.

Sure enough, a few days later, the spyware came back. I tried running HiJackThis, and got an error message about my system denying write access to my Hosts file. I have Windows XP and it told me to basically edit it with notepad. My Hosts file has a bunch of links on it, as seen below. I tried to delete them but it would not let me save. I repeated the scans and I think I got rid of all the malware now, but I still have trouble repairing the Hosts file. Spybot also tried to fix my Hosts file, but it too was denied write access. I heard about HostsXpert software, but it too had trouble. Can anyone help me clean the Hosts file?

Thanks.

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
89.248.168.186 google.ae
89.248.168.186 google.as
89.248.168.186 google.at
89.248.168.186 google.az
89.248.168.186 google.ba
89.248.168.186 google.be
89.248.168.186 google.bg
89.248.168.186 google.bs
89.248.168.186 google.ca
89.248.168.186 google.cd
89.248.168.186 google.com.gh
89.248.168.186 google.com.hk
89.248.168.186 google.com.jm
89.248.168.186 google.com.mx
89.248.168.186 google.com.my
89.248.168.186 google.com.na
89.248.168.186 google.com.nf
89.248.168.186 google.com.ng
89.248.168.186 google.ch
89.248.168.186 google.com.np
89.248.168.186 google.com.pr
89.248.168.186 google.com.qa
89.248.168.186 google.com.sg
89.248.168.186 google.com.tj
89.248.168.186 google.com.tw
89.248.168.186 google.dj
89.248.168.186 google.de
89.248.168.186 google.dk
89.248.168.186 google.dm
89.248.168.186 google.ee
89.248.168.186 google.fi
89.248.168.186 google.fm
89.248.168.186 google.fr
89.248.168.186 google.ge
89.248.168.186 google.gg
89.248.168.186 google.gm
89.248.168.186 google.gr
89.248.168.186 google.ht
89.248.168.186 google.ie
89.248.168.186 google.im
89.248.168.186 google.in
89.248.168.186 google.it
89.248.168.186 google.ki
89.248.168.186 google.la
89.248.168.186 google.li
89.248.168.186 google.lv
89.248.168.186 google.ma
89.248.168.186 google.ms
89.248.168.186 google.mu
89.248.168.186 google.mw
89.248.168.186 google.nl
89.248.168.186 google.no
89.248.168.186 google.nr
89.248.168.186 google.nu
89.248.168.186 google.pl
89.248.168.186 google.pn
89.248.168.186 google.pt
89.248.168.186 google.ro
89.248.168.186 google.ru
89.248.168.186 google.rw
89.248.168.186 google.sc
89.248.168.186 google.se
89.248.168.186 google.sh
89.248.168.186 google.si
89.248.168.186 google.sm
89.248.168.186 google.sn
89.248.168.186 google.st
89.248.168.186 google.tl
89.248.168.186 google.tm
89.248.168.186 google.tt
89.248.168.186 google.us
89.248.168.186 google.vu
89.248.168.186 google.ws
89.248.168.186 google.co.ck
89.248.168.186 google.co.id
89.248.168.186 google.co.il
89.248.168.186 google.co.in
89.248.168.186 google.co.jp
89.248.168.186 google.co.kr
89.248.168.186 google.co.ls
89.248.168.186 google.co.ma
89.248.168.186 google.co.nz
89.248.168.186 google.co.tz
89.248.168.186 google.co.ug
89.248.168.186 google.co.uk
89.248.168.186 google.co.za
89.248.168.186 google.co.zm
89.248.168.186 google.com
89.248.168.186 google.com.af
89.248.168.186 google.com.ag
89.248.168.186 google.com.ar
89.248.168.186 google.com.au
89.248.168.186 google.com.bn
89.248.168.186 google.com.br
89.248.168.186 google.com.by
89.248.168.186 google.com.bz
89.248.168.186 google.com.cu
89.248.168.186 google.com.ec
89.248.168.186 google.com.fj
89.248.168.186 www.google.ae
89.248.168.186 www.google.as
89.248.168.186 www.google.at
89.248.168.186 www.google.az
89.248.168.186 www.google.ba
89.248.168.186 www.google.be
89.248.168.186 www.google.bg
89.248.168.186 www.google.bs
89.248.168.186 www.google.ca
89.248.168.186 www.google.cd
89.248.168.186 www.google.com.gh
89.248.168.186 www.google.com.hk
89.248.168.186 www.google.com.jm
89.248.168.186 www.google.com.mx
89.248.168.186 www.google.com.my
89.248.168.186 www.google.com.na
89.248.168.186 www.google.com.nf
89.248.168.186 www.google.com.ng
89.248.168.186 www.google.ch
89.248.168.186 www.google.com.np
89.248.168.186 www.google.com.pr
89.248.168.186 www.google.com.qa
89.248.168.186 www.google.com.sg
89.248.168.186 www.google.com.tj
89.248.168.186 www.google.com.tw
89.248.168.186 www.google.dj
89.248.168.186 www.google.de
89.248.168.186 www.google.dk
89.248.168.186 www.google.dm
89.248.168.186 www.google.ee
89.248.168.186 www.google.fi
89.248.168.186 www.google.fm
89.248.168.186 www.google.fr
89.248.168.186 www.google.ge
89.248.168.186 www.google.gg
89.248.168.186 www.google.gm
89.248.168.186 www.google.gr
89.248.168.186 www.google.ht
89.248.168.186 www.google.ie
89.248.168.186 www.google.im
89.248.168.186 www.google.in
89.248.168.186 www.google.it
89.248.168.186 www.google.ki
89.248.168.186 www.google.la
89.248.168.186 www.google.li
89.248.168.186 www.google.lv
89.248.168.186 www.google.ma
89.248.168.186 www.google.ms
89.248.168.186 www.google.mu
89.248.168.186 www.google.mw
89.248.168.186 www.google.nl
89.248.168.186 www.google.no
89.248.168.186 www.google.nr
89.248.168.186 www.google.nu
89.248.168.186 www.google.pl
89.248.168.186 www.google.pn
89.248.168.186 www.google.pt
89.248.168.186 www.google.ro
89.248.168.186 www.google.ru
89.248.168.186 www.google.rw
89.248.168.186 www.google.sc
89.248.168.186 www.google.se
89.248.168.186 www.google.sh
89.248.168.186 www.google.si
89.248.168.186 www.google.sm
89.248.168.186 www.google.sn
89.248.168.186 www.google.st
89.248.168.186 www.google.tl
89.248.168.186 www.google.tm
89.248.168.186 www.google.tt
89.248.168.186 www.google.us
89.248.168.186 www.google.vu
89.248.168.186 www.google.ws
89.248.168.186 www.google.co.ck
89.248.168.186 www.google.co.id
89.248.168.186 www.google.co.il
89.248.168.186 www.google.co.in
89.248.168.186 www.google.co.jp
89.248.168.186 www.google.co.kr
89.248.168.186 www.google.co.ls
89.248.168.186 www.google.co.ma
89.248.168.186 www.google.co.nz
89.248.168.186 www.google.co.tz
89.248.168.186 www.google.co.ug
89.248.168.186 www.google.co.uk
89.248.168.186 www.google.co.za
89.248.168.186 www.google.co.zm
89.248.168.186 www.google.com
89.248.168.186 www.google.com.af
89.248.168.186 www.google.com.ag
89.248.168.186 www.google.com.ar
89.248.168.186 www.google.com.au
89.248.168.186 www.google.com.bn
89.248.168.186 www.google.com.br
89.248.168.186 www.google.com.by
89.248.168.186 www.google.com.bz
89.248.168.186 www.google.com.cu
89.248.168.186 www.google.com.ec
89.248.168.186 www.google.com.fj
89.248.168.186 google.com
89.248.168.186 www.google.com
89.248.168.186 bing.com
89.248.168.186 www.bing.com
89.248.168.186 search.yahoo.com
89.248.168.186 www.search.yahoo.com
89.248.168.186 search.live.com
89.248.168.186 search.msn.com
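Added here as an illustration of the pattern in the posted hosts file, not a tool from this thread: a small Python audit that parses a hosts file, flags entries sending hostnames to a non-loopback address, groups those by target IP (the two addresses above each collect dozens of names), and emits a cleaned copy. The sample input is a constructed excerpt modelled on the posted file, and the watched-domain list is an assumption built from the names seen in it.

```python
"""Audit a Windows hosts file for the hijack pattern shown in this thread.

Normal hosts entries point at loopback (127.0.0.1, ::1) or the unspecified
address (0.0.0.0, used by ad-blocking lists).  Entries that send well-known
hostnames to a remote address, especially many names to one address, are
the signature of a search-redirect / fake-AV hosts hijack.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the posted file (a short excerpt, not the
# full list): fake-AV payment domains on one address, search engines on another.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1 localhost
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 safebrowsing-cache.google.com
89.248.168.186 google.com
89.248.168.186 www.google.com
89.248.168.186 google.nl
89.248.168.186 bing.com
89.248.168.186 search.yahoo.com   # trailing comment is ignored
0.0.0.0 ads.example.invalid
"""

# Hostnames that should never be pinned by a static hosts entry on a home PC.
# Assumption: an illustrative list built from the names seen in the thread.
WATCHED_SUFFIXES = ("google.com", "google.nl", "bing.com", "yahoo.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and IP-only lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_local_target(ip):
    """True for loopback or unspecified targets, the only benign hosts-file targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # malformed address: treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text, min_cluster=3):
    """Flag remote targets, watched hostnames and name clusters on one remote IP."""
    entries = parse_hosts(text)
    remote = [(ip, name) for ip, name in entries if not is_local_target(ip)]
    watched = [(ip, name) for ip, name in remote
               if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)]
    by_ip = defaultdict(list)
    for ip, name in remote:
        by_ip[ip].append(name)
    clusters = {ip: names for ip, names in by_ip.items() if len(names) >= min_cluster}
    return {"remote_targets": remote, "watched_hijacks": watched, "clusters": clusters}


def clean_hosts(text):
    """Return a copy keeping comments, blank lines and local-target entries only."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or is_local_target(re.split(r"\s+", line)[0]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for ip, names in report["clusters"].items():
        print(f"{ip}: {len(names)} hostnames redirected, e.g. {names[0]}")
    print("watched hostnames hijacked:", len(report["watched_hijacks"]))
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

The cleaned copy only helps once it can be written back: on a machine where the file is held write-protected, as described in the post, the component holding it has to be removed first.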


#2 Farbar


Posted 21 November 2009 - 09:18 PM

Hi zcooler,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

I see the issue with the hosts file. But I need more information to make sure we will have a clean computer after taking care of the hosts file.

Please go through Preparation Guide For Use Before Using HijackThis and other Malware Removal Tools, Instructions for receiving help in cleaning your computer and provide both DDS logs along with the RootRepeal log.

#3 zcooler


Posted 21 November 2009 - 10:31 PM

Yes, I agree with it. I ran the two programs, and here are the reports.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Lisa at 21:17:08.59 on Sat 11/21/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.177 [GMT -6:00]

AV: System Defender *On-access scanning enabled* (Updated) {C9BCB40F-3011-4C4C-AE60-347D90934691}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: System Defender *enabled* {E4D54819-244D-43E3-886C-4610B63D39F7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lisa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli bupozeje.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lisa\applic~1\mozilla\firefox\profiles\nqx8zt8r.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-20 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-4-28 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-4-28 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S3 ATHFMWDL;802.11 USB Wireless Adapter Bootloader driver;c:\windows\system32\drivers\athfmwdl.sys --> c:\windows\system32\drivers\ATHFMWDL.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]

=============== Created Last 30 ================

2009-11-21 17:15:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 17:15:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-21 07:55:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-21 05:14:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-21 05:14:30 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-21 05:09:14 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-21 04:33:33 0 d-----w- C:\HostsXpert
2009-11-21 03:19:21 0 d-----w- c:\program files\Trend Micro
2009-11-21 03:18:24 10752 ----a-w- c:\windows\DCEBoot.exe
2009-11-18 22:24:26 0 d-----w- c:\docume~1\alluse~1\applic~1\90e32
2009-11-18 22:23:43 0 d-sh--w- c:\documents and settings\all users\0f6644b
2009-11-05 01:03:33 0 d-----w- c:\docume~1\lisa\applic~1\Malwarebytes
2009-11-05 01:03:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 01:03:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 01:03:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 01:03:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 21:19:06.01 ===============


#4 Farbar


Posted 22 November 2009 - 06:03 AM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow you to share files between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Optional: Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if you are using it:

    Viewpoint Media Player.

    If you uninstalled it also remove the folder in bold: C:\Program Files\Viewpoint

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (See the end of post and information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    (screenshot not reproduced)


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    (screenshot not reproduced)


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.
++++

To disable AVG Resident Shield:
  • Double click AVG system tray icon to open AVG.
  • In Overview section double click Resident Shield.
  • Uncheck Resident Shield Active.
  • Press Save Changes.

    Note: It is important to activate the resident shield immediately after ComboFix produced its log.


#5 zcooler


Posted 23 November 2009 - 09:54 PM

Ok, first, here's my MalwareBytes log.

Malwarebytes' Anti-Malware 1.41
Database version: 3221
Windows 5.1.2600 Service Pack 3

11/23/2009 8:10:55 PM
mbam-log-2009-11-23 (20-10-55).txt

Scan type: Quick Scan
Objects scanned: 102033
Time elapsed: 22 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Delete on reboot.








Next, here's my combofix log


ComboFix 09-11-23.02 - Lisa 11/23/2009 20:24.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.106 [GMT -6:00]
Running from: c:\documents and settings\Lisa\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\qiumbibip.sys
c:\windows\system32\drivers\str.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_UCOHCZXFUKQGO


((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.

2009-11-21 17:15 . 2009-11-21 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 17:15 . 2009-11-21 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-21 07:55 . 2009-11-21 05:14 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-21 05:13 . 2009-11-21 05:13 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-21 05:13 . 2009-11-21 05:13 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-21 05:13 . 2009-11-21 05:13 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-21 05:13 . 2009-11-21 05:13 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-21 05:13 . 2009-11-21 05:13 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-21 05:13 . 2009-11-21 05:13 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-21 05:12 . 2009-11-21 05:13 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-21 05:12 . 2009-11-21 05:12 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-21 05:12 . 2009-11-21 05:12 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-21 05:12 . 2009-11-21 05:12 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-21 05:09 . 2009-11-21 05:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-21 05:09 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-21 04:33 . 2009-11-21 23:15 -------- d-----w- C:\HostsXpert
2009-11-21 03:19 . 2009-11-21 03:19 -------- d-----w- c:\program files\Trend Micro
2009-11-21 03:18 . 2009-11-21 03:18 10752 ----a-w- c:\windows\DCEBoot.exe
2009-11-18 22:24 . 2009-11-19 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\90e32
2009-11-18 22:23 . 2009-11-19 01:12 -------- d-sh--w- c:\documents and settings\All Users\0f6644b
2009-11-05 01:06 . 2009-11-05 01:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-05 01:03 . 2009-11-05 01:03 -------- d-----w- c:\documents and settings\Lisa\Application Data\Malwarebytes
2009-11-05 01:03 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 01:03 . 2009-11-05 01:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 01:03 . 2009-11-05 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-05 01:03 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 04:53 . 2008-04-29 01:13 -------- d-----w- c:\program files\Lavasoft
2009-11-21 04:51 . 2008-04-29 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-17 00:59 . 2008-05-03 12:58 -------- d-----w- c:\documents and settings\Lisa\Application Data\Apple Computer
2009-11-11 05:04 . 2008-06-09 02:55 -------- d-----w- c:\documents and settings\Lisa\Application Data\uTorrent
2009-11-05 00:59 . 2008-04-29 00:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-02 22:57 . 2008-04-29 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-16 01:38 . 2008-12-27 21:23 -------- d-----w- c:\documents and settings\Lisa\Application Data\.purple
2009-10-16 01:27 . 2009-10-16 01:25 -------- d-----w- c:\program files\iTunes
2009-10-16 01:27 . 2009-10-16 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-16 01:26 . 2009-10-16 01:26 -------- d-----w- c:\program files\iPod
2009-10-16 01:26 . 2008-05-03 12:55 -------- d-----w- c:\program files\Common Files\Apple
2009-10-16 01:24 . 2009-10-16 01:23 -------- d-----w- c:\program files\QuickTime
2009-10-16 01:14 . 2009-10-16 01:14 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-13 22:32 . 2008-04-29 19:32 -------- d-----w- c:\program files\Java
2009-10-13 22:31 . 2009-10-13 22:31 152576 ----a-w- c:\documents and settings\Lisa\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-25 05:37 . 2003-07-16 20:51 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2008-04-29 01:59 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-23 12:55 . 2009-11-21 05:14 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 451FFFCD4C14A00DBF0071F5FEF73D9D . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-07-16 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 16:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-07-25 5898240]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-07-25 86016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-25 1519616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^802.11g Wireless Client Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\802.11g Wireless Client Utility.lnk
backup=c:\windows\pss\802.11g Wireless Client Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/20/2009 11:14 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/28/2008 8:07 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/28/2008 8:07 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 7:28 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 7:27 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1184912]
S2 ucohczxfukqgo;ucohczxfukqgo;\??\c:\windows\system32\drivers\qiumbibip.sys --> c:\windows\system32\drivers\qiumbibip.sys [?]
S3 ATHFMWDL;802.11 USB Wireless Adapter Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys --> c:\windows\system32\Drivers\ATHFMWDL.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 05:13]

2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Lisa\Application Data\Mozilla\Firefox\Profiles\nqx8zt8r.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-aawservice
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-NVIDIA Drivers - c:\windows\System32\nvudisp.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 20:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2700)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZuneBusEnum.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-11-23 20:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-24 02:50

Pre-Run: 111,709,880,320 bytes free
Post-Run: 111,890,796,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 89F9B24D59448AB61B8909F0161C414E

#6 zcooler (Topic Starter)

Posted 23 November 2009 - 09:57 PM

Oh!!! I just checked my Hosts file, and it's clean now! All that's on there is

127.0.0.1 localhost


Is my computer problem fixed now? Thanks!
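
A check for the state described in the post above, as an added example that is not part of the original thread: the script below parses a Windows hosts file the way the resolver reads it (comments stripped, whitespace-separated fields, several hostnames allowed after one address) and reports every mapping that is not the plain loopback entry for localhost. The sample hosts text is constructed for the example: it is the Windows XP default header plus two placeholder hijack lines using reserved example domains and a TEST-NET address, not the entries from the original post.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: the Windows XP default plus two placeholder hijack lines.
# The original post's hosts entries are not reproduced here.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       update.example.com      # placeholder: sinks a vendor update site
203.0.113.5     www.example.net         # placeholder: redirects a site to a TEST-NET address
"""

# Hostnames that legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping in a hosts file.

    Comments start at '#', fields are whitespace separated, and one address may
    be followed by several hostnames; each hostname becomes its own tuple.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((line_no, ip, name.lower()))
    return entries


def audit_hosts(text: str) -> List[str]:
    """Return one finding per mapping that is not a plain loopback/localhost entry."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"line {line_no}: unparsable address {ip!r} for {name}")
            continue
        if addr.is_loopback and name in LOOPBACK_NAMES:
            continue  # the expected default entry
        if addr.is_loopback:
            # Blocking trick: a real hostname sent to 127.0.0.1 so that the
            # vendor or update site silently fails to load.
            findings.append(f"line {line_no}: {name} sunk to loopback {ip}")
        else:
            # Redirect: the name now resolves to an address of the attacker's choosing.
            findings.append(f"line {line_no}: {name} redirected to {ip}")
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts. The audit only looks at the mappings; a file that cannot be saved, as in the first post, is usually being held open or protected by the malware itself, so the parse is worth repeating after the rest of the cleanup rather than only once.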

#7 Farbar (Security Developer)

Posted 24 November 2009 - 03:45 AM

Yes, the hosts problem is fixed. But we have to make sure the system is clean.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

Driver::
ucohczxfukqgo
Rootkit::
c:\windows\system32\drivers\qiumbibip.sys
DDS::
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Registry::
[-HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
FileLook::
c:\windows\system32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#8 zcooler (Topic Starter)

Posted 24 November 2009 - 08:37 PM

ok, my combofix log is now as follows


ComboFix 09-11-24.02 - Lisa 11/24/2009 19:11.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.270 [GMT -6:00]
Running from: c:\documents and settings\Lisa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lisa\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ucohczxfukqgo


((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-21 17:15 . 2009-11-21 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 17:15 . 2009-11-21 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-21 07:55 . 2009-11-21 05:14 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-21 05:13 . 2009-11-21 05:13 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-21 05:13 . 2009-11-21 05:13 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-21 05:13 . 2009-11-21 05:13 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-21 05:13 . 2009-11-21 05:13 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-21 05:13 . 2009-11-21 05:13 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-21 05:13 . 2009-11-21 05:13 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-21 05:12 . 2009-11-21 05:13 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-21 05:12 . 2009-11-21 05:12 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-21 05:12 . 2009-11-21 05:12 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-21 05:12 . 2009-11-21 05:12 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-21 05:09 . 2009-11-21 05:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-21 05:09 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-21 04:33 . 2009-11-21 23:15 -------- d-----w- C:\HostsXpert
2009-11-21 03:19 . 2009-11-21 03:19 -------- d-----w- c:\program files\Trend Micro
2009-11-21 03:18 . 2009-11-21 03:18 10752 ----a-w- c:\windows\DCEBoot.exe
2009-11-18 22:24 . 2009-11-19 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\90e32
2009-11-18 22:23 . 2009-11-19 01:12 -------- d-sh--w- c:\documents and settings\All Users\0f6644b
2009-11-05 01:06 . 2009-11-05 01:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-05 01:03 . 2009-11-05 01:03 -------- d-----w- c:\documents and settings\Lisa\Application Data\Malwarebytes
2009-11-05 01:03 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 01:03 . 2009-11-05 01:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 01:03 . 2009-11-05 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-05 01:03 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 04:53 . 2008-04-29 01:13 -------- d-----w- c:\program files\Lavasoft
2009-11-21 04:51 . 2008-04-29 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-17 00:59 . 2008-05-03 12:58 -------- d-----w- c:\documents and settings\Lisa\Application Data\Apple Computer
2009-11-11 05:04 . 2008-06-09 02:55 -------- d-----w- c:\documents and settings\Lisa\Application Data\uTorrent
2009-11-05 00:59 . 2008-04-29 00:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-02 22:57 . 2008-04-29 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-16 01:38 . 2008-12-27 21:23 -------- d-----w- c:\documents and settings\Lisa\Application Data\.purple
2009-10-16 01:27 . 2009-10-16 01:25 -------- d-----w- c:\program files\iTunes
2009-10-16 01:27 . 2009-10-16 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-16 01:26 . 2009-10-16 01:26 -------- d-----w- c:\program files\iPod
2009-10-16 01:26 . 2008-05-03 12:55 -------- d-----w- c:\program files\Common Files\Apple
2009-10-16 01:24 . 2009-10-16 01:23 -------- d-----w- c:\program files\QuickTime
2009-10-16 01:14 . 2009-10-16 01:14 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-13 22:32 . 2008-04-29 19:32 -------- d-----w- c:\program files\Java
2009-10-13 22:31 . 2009-10-13 22:31 152576 ----a-w- c:\documents and settings\Lisa\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-25 05:37 . 2003-07-16 20:51 667136 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2008-04-29 01:59 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-23 12:55 . 2009-11-21 05:14 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\atapi.sys ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 96512
Created time: 2008-04-29 00:49
Modified time: 2008-04-13 18:40
MD5: 451FFFCD4C14A00DBF0071F5FEF73D9D
SHA1: C96AA8F3BEAC4981A2155E2D35E25AAB5CD3973C


------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 451FFFCD4C14A00DBF0071F5FEF73D9D . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-07-16 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-11-24_02.41.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-29 00:40 . 2009-11-24 19:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-29 00:40 . 2009-11-24 02:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-29 00:40 . 2009-11-24 19:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-29 00:40 . 2009-11-24 02:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-29 00:40 . 2009-11-24 19:12 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-04-29 00:40 . 2009-11-24 02:12 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-07-25 5898240]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-07-25 86016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-25 1519616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^802.11g Wireless Client Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\802.11g Wireless Client Utility.lnk
backup=c:\windows\pss\802.11g Wireless Client Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/20/2009 11:14 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/28/2008 8:07 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/28/2008 8:07 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 7:28 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 7:27 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1184912]
S3 ATHFMWDL;802.11 USB Wireless Adapter Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys --> c:\windows\system32\Drivers\ATHFMWDL.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 05:13]

2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Lisa\Application Data\Mozilla\Firefox\Profiles\nqx8zt8r.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 19:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2500)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZuneBusEnum.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-11-24 19:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-25 01:33
ComboFix2.txt 2009-11-24 02:50

Pre-Run: 111,830,892,544 bytes free
Post-Run: 111,801,405,440 bytes free

- - End Of File - - 5DDE65507CEECD9767EC1600A4F9BF7A

#9 Farbar (Security Developer)

Posted 24 November 2009 - 09:01 PM

  • The atapi.sys file needs to be replaced. There is a good copy on the system. But to make sure, we need a clean copy. Do you have access to another computer with Windows XP Service Pack 3? It can be a friend's computer.

  • Please go to Start => Run and copy/paste the following line into run box and click OK.

    cmd /c sc query type= driver group= "SCSI Miniport" > Log.txt&Start Log.txt

    A log file opens. Please post the content of it to your reply.
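
The comparison behind the conclusion in the post above, as an added example that is not part of the original thread: the script below parses Sigcheck lines exactly as ComboFix printed them in the log earlier, groups the copies by file name, and flags the copy installed in system32\drivers when its hash differs from a signature-verified copy of the same size. It treats the `[7]` flag as a copy whose signature verified and `[-]` as unverified, which is the convention ComboFix's Sigcheck section uses; that reading of the flags is an assumption of the example. The sample input is the five atapi.sys lines from the log above, verbatim.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# The five atapi.sys lines from the Sigcheck section of the ComboFix log above, verbatim.
SIGCHECK_LINES = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 451FFFCD4C14A00DBF0071F5FEF73D9D . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-07-16 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
"""

# Field layout of one Sigcheck line: [flag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)

ACTIVE_DIR = "\\system32\\drivers\\"  # where the kernel loads boot-start drivers from


@dataclass
class SigEntry:
    flag: str
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def verified(self) -> bool:
        # Assumption: ComboFix prints [7] for a copy whose catalog signature verified.
        return self.flag == "7"

    @property
    def has_version(self) -> bool:
        return self.version.strip("-") != ""

    @property
    def version_tuple(self):
        return tuple(int(p) for p in self.version.split(".") if p.isdigit())


def parse_sigcheck(text: str) -> List[SigEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SIGCHECK_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised Sigcheck line: {line!r}")
        g = m.groupdict()
        entries.append(SigEntry(g["flag"], g["date"], g["md5"].upper(),
                                int(g["size"]), g["version"], g["path"]))
    return entries


def audit_drivers(entries: List[SigEntry]) -> Dict[str, List[str]]:
    """For each driver name, compare the loaded copy with a signature-verified copy."""
    by_name: Dict[str, List[SigEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)

    report: Dict[str, List[str]] = {}
    for name, copies in by_name.items():
        loaded = [e for e in copies if ACTIVE_DIR in e.path.lower()]
        verified = [e for e in copies if e.verified]
        if not loaded or not verified:
            continue
        active = loaded[0]
        # A driver patched in place keeps its length, so a verified copy of the
        # same size is the right reference; otherwise fall back to the newest.
        same_size = [e for e in verified if e.size == active.size]
        ref = same_size[0] if same_size else max(verified, key=lambda e: e.version_tuple)

        findings = []
        if active.md5 != ref.md5:
            findings.append(f"MD5 {active.md5} differs from verified {ref.md5} ({ref.path})")
            if active.size == ref.size:
                findings.append(f"identical size {active.size}: consistent with in-place patching")
        if not active.verified:
            findings.append("signature not verified")
        if not active.has_version:
            findings.append("version resource missing")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_drivers(parse_sigcheck(SIGCHECK_LINES)).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The three signals the script reports for atapi.sys are exactly what the log shows: the loaded copy has the same 96512-byte length and the same 2008-04-13 date as the signed Service Pack copy but a different MD5, its signature does not verify, and its version resource is gone (the `[------]` field, matching the dashes in the "Look" block). Size and timestamp alone would have passed it.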


#10 zcooler (Topic Starter)

Posted 25 November 2009 - 07:38 PM

1. Unfortunately, none of my friends have Windows XP anymore. Is there a place I can find it online?

2. Here are the log contents


SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: imagedrv
DISPLAY_NAME: imagedrv
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

#11 Farbar (Security Developer)

Posted 26 November 2009 - 12:50 PM

We will replace it using a copy on your computer.
  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    @echo off
    rem Keep a copy of the currently installed (suspect) atapi.sys for later analysis
    md c:\atapibak
    copy /y C:\WINDOWS\system32\drivers\atapi.sys c:\atapibak >log.txt
    rem Stage the Service Pack copy at C:\atapi.sys; The Avenger moves it into place at the next boot
    copy /y C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\ >>log.txt
    start log.txt
    rem The batch file deletes itself once it has run
    del %0
    • Select save in:desktop
    • Fill in File name: copy.bat
    • Save as type: All file types (*.*)
    • Click Save and close the Notepad.
    • Double-click copy.bat on the desktop.
    • A text file (log.txt) opens. Proceed with the next step only if "1 file(s) copied" is listed twice.
  • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
      Files to move:
      C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
    • In the avenger window, click the Paste Script from Clipboard button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.
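
The back-up, copy and verify steps of the procedure above, as an added example that is not part of the original thread: the function below backs up the installed driver, checks that the reference copy has the expected MD5 before it is used as the replacement, copies it into place, and confirms the result. Paths and the expected hash are parameters; in a real run against the system in this thread the expected value would be the ServicePackFiles hash from the Sigcheck output, while the demonstration here computes it from a constructed file and writes everything under a temporary directory rather than a real Windows tree. On a live system the loaded driver is mapped by the kernel and refuses an overwrite, which is why the procedure stages the file at C:\ and lets The Avenger move it at boot; when the function runs on Windows and the direct copy is refused, it schedules the same swap with MoveFileExW and MOVEFILE_DELAY_UNTIL_REBOOT.

```python
import ctypes
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Win32 MoveFileExW flags (used only on Windows, when the loaded driver refuses an overwrite).
MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def replace_driver(installed: Path, reference: Path, backup_dir: Path, expected_md5: str) -> dict:
    """Back up `installed`, then overwrite it with `reference`, refusing an unverified reference.

    `expected_md5` is the hash of the known-good copy (for the thread above, the
    ServicePackFiles value from the Sigcheck output). Returns a small report.
    """
    expected_md5 = expected_md5.upper()
    if md5_of(reference) != expected_md5:
        raise ValueError(f"{reference} does not match expected MD5 {expected_md5}")

    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / installed.name
    shutil.copy2(installed, backup)  # keep the suspect copy for later analysis
    report = {"backup": str(backup), "backup_md5": md5_of(backup), "deferred": False}

    try:
        shutil.copy2(reference, installed)
    except PermissionError:
        if os.name != "nt":
            raise
        # The driver is mapped by the kernel, so the file is locked: stage the
        # clean copy beside it and have Windows swap it in at the next boot.
        staged = installed.with_name(installed.name + ".new")
        shutil.copy2(reference, staged)
        ok = ctypes.windll.kernel32.MoveFileExW(
            str(staged), str(installed),
            MOVEFILE_REPLACE_EXISTING | MOVEFILE_DELAY_UNTIL_REBOOT)
        if not ok:
            raise ctypes.WinError()
        report["deferred"] = True
        return report

    report["installed_md5"] = md5_of(installed)
    if report["installed_md5"] != expected_md5:
        raise RuntimeError("copy completed but the installed file does not hash as expected")
    return report


def demo(tmp: Path, tamper_reference: bool = False) -> dict:
    """Constructed run inside `tmp`: fake driver images, not a real Windows tree."""
    drivers = tmp / "system32" / "drivers"
    spfiles = tmp / "ServicePackFiles" / "i386"
    drivers.mkdir(parents=True)
    spfiles.mkdir(parents=True)
    good = b"known-good atapi.sys image (constructed)"
    bad = b"patched atapi.sys image (constructed)"
    (drivers / "atapi.sys").write_bytes(bad)
    # With tamper_reference the "clean" copy is also patched; replace_driver must refuse it.
    (spfiles / "atapi.sys").write_bytes(bad if tamper_reference else good)
    expected = hashlib.md5(good).hexdigest().upper()
    return replace_driver(drivers / "atapi.sys", spfiles / "atapi.sys", tmp / "atapibak", expected)


def demo_in_tempdir(tamper_reference: bool = False) -> dict:
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d), tamper_reference)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

The point of the up-front hash check is the one made in the post before this: a second copy on the same machine is only trustworthy once it has been matched against a known value, because a rootkit that patched the live driver could have patched the backups too. The deferred path is a scheduled rename, so the result must be hashed again after the reboot.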


#12 zcooler (Topic Starter)

Posted 26 November 2009 - 02:17 PM

I had "1 file(s) copied" twice so I went to the second step. Here's the log.



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#13 Farbar (Security Developer)

Posted 26 November 2009 - 04:02 PM

Well done. :(

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

FileLook::
C:\WINDOWS\system32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#14 zcooler (Topic Starter)

Posted 27 November 2009 - 08:22 PM

Ok, here's the new log


ComboFix 09-11-27.04 - Lisa 11/27/2009 19:01.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.218 [GMT -6:00]
Running from: c:\documents and settings\Lisa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lisa\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-26 19:18 . 2009-11-26 19:18 5136 ----a-w- c:\windows\system32\pxod13.dll
2009-11-26 18:44 . 2009-11-26 18:44 -------- d-----w- C:\atapibak
2009-11-25 17:25 . 2009-11-06 15:34 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-25 17:25 . 2009-11-03 19:52 3513624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-25 17:25 . 2009-11-03 19:52 2028312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-21 17:15 . 2009-11-21 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 17:15 . 2009-11-21 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-21 07:55 . 2009-11-21 05:14 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-21 05:13 . 2009-11-21 05:13 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-21 05:13 . 2009-11-21 05:13 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-21 05:13 . 2009-11-21 05:13 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-21 05:13 . 2009-11-21 05:13 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-21 05:13 . 2009-11-21 05:13 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-21 05:13 . 2009-11-21 05:13 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-21 05:12 . 2009-11-21 05:13 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-21 05:12 . 2009-11-21 05:12 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-21 05:12 . 2009-11-21 05:12 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-21 05:12 . 2009-11-21 05:12 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-21 05:09 . 2009-11-21 05:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-21 05:09 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-21 04:33 . 2009-11-21 23:15 -------- d-----w- C:\HostsXpert
2009-11-21 03:19 . 2009-11-21 03:19 -------- d-----w- c:\program files\Trend Micro
2009-11-21 03:18 . 2009-11-21 03:18 10752 ----a-w- c:\windows\DCEBoot.exe
2009-11-18 22:24 . 2009-11-19 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\90e32
2009-11-18 22:23 . 2009-11-19 01:12 -------- d-sh--w- c:\documents and settings\All Users\0f6644b
2009-11-05 01:06 . 2009-11-05 01:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-05 01:03 . 2009-11-05 01:03 -------- d-----w- c:\documents and settings\Lisa\Application Data\Malwarebytes
2009-11-05 01:03 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 01:03 . 2009-11-05 01:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 01:03 . 2009-11-05 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-05 01:03 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 04:53 . 2008-04-29 01:13 -------- d-----w- c:\program files\Lavasoft
2009-11-21 04:51 . 2008-04-29 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-17 00:59 . 2008-05-03 12:58 -------- d-----w- c:\documents and settings\Lisa\Application Data\Apple Computer
2009-11-11 05:04 . 2008-06-09 02:55 -------- d-----w- c:\documents and settings\Lisa\Application Data\uTorrent
2009-11-05 00:59 . 2008-04-29 00:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-02 22:57 . 2008-04-29 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-16 01:38 . 2008-12-27 21:23 -------- d-----w- c:\documents and settings\Lisa\Application Data\.purple
2009-10-16 01:27 . 2009-10-16 01:25 -------- d-----w- c:\program files\iTunes
2009-10-16 01:27 . 2009-10-16 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-16 01:26 . 2009-10-16 01:26 -------- d-----w- c:\program files\iPod
2009-10-16 01:26 . 2008-05-03 12:55 -------- d-----w- c:\program files\Common Files\Apple
2009-10-16 01:24 . 2009-10-16 01:23 -------- d-----w- c:\program files\QuickTime
2009-10-16 01:14 . 2009-10-16 01:14 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-13 22:32 . 2008-04-29 19:32 -------- d-----w- c:\program files\Java
2009-10-13 22:31 . 2009-10-13 22:31 152576 ----a-w- c:\documents and settings\Lisa\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-25 05:37 . 2003-07-16 20:51 667136 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2008-04-29 01:59 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-23 12:55 . 2009-11-21 05:14 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: atapi.sys
File size: 96512
Created time: 2008-04-29 00:49
Modified time: 2008-04-13 18:40
MD5: 9F3A2F5AA6875C72BF062C712CFA2674
SHA1: A719156E8AD67456556A02C34E762944234E7A44


((((((((((((((((((((((((((((( SnapShot@2009-11-24_02.41.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-29 00:40 . 2009-11-26 19:13 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-29 00:40 . 2009-11-24 02:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-29 00:40 . 2009-11-26 19:13 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-29 00:40 . 2009-11-24 02:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-29 00:40 . 2009-11-26 19:13 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-04-29 00:40 . 2009-11-24 02:12 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-07-25 5898240]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-07-25 86016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-25 1519616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pxod13]
2009-11-26 19:18 5136 ----a-w- c:\windows\system32\pxod13.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^802.11g Wireless Client Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\802.11g Wireless Client Utility.lnk
backup=c:\windows\pss\802.11g Wireless Client Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/20/2009 11:14 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/28/2008 8:07 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/28/2008 8:07 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 7:28 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 7:27 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1184912]
S3 ATHFMWDL;802.11 USB Wireless Adapter Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys --> c:\windows\system32\Drivers\ATHFMWDL.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 05:13]

2009-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Lisa\Application Data\Mozilla\Firefox\Profiles\nqx8zt8r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 19:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\pxod13.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3048)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-27 19:11
ComboFix-quarantined-files.txt 2009-11-28 01:11
ComboFix2.txt 2009-11-25 01:33
ComboFix3.txt 2009-11-24 02:50

Pre-Run: 111,730,831,360 bytes free
Post-Run: 111,725,723,648 bytes free

- - End Of File - - 26C698305EEB57638CE1E9CDD274E0F3

#15 Farbar

  • Security Developer
  • 21,714 posts
  • Location:The Netherlands

Posted 27 November 2009 - 08:45 PM

  • Go to Start > Run, copy/paste the following line into the Run box and click OK.

    cmd /c rd /s /q c:\atapibak

    A window flashes. It is normal.

  • Click on this link--> virustotal

    Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

    c:\windows\system32\pxod13.dll

    If the file has been analyzed before, click the Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
  • Please run DDS again and post a fresh DDS.txt in your reply. No need for Attach.txt.
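The reply above singles out pxod13.dll because the ComboFix log registers it as a winlogon\notify package, shows it written the day before the scan, and lists it loaded inside winlogon.exe. The following script is an added example, not ComboFix's output or Farbar's code: it applies that same triage to ComboFix-style log text, flagging notify DLLs written shortly before the scan together with the processes that loaded them. The log excerpt is constructed from this thread's values, and the 30-day window is an assumption.

```python
import re
from datetime import datetime, timedelta
# Constructed excerpt in ComboFix log format; entries copied from the log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pxod13]
2009-11-26 19:18 5136 ----a-w- c:\windows\system32\pxod13.dll

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\pxod13.dll
"""
NOTIFY_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\winlogon\\notify\\([^\]]+)\]$", re.I)
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) \S+ (.+)$")
PROC_HDR = re.compile(r"^- - - - - - - > '([^']+)'\(\d+\)$")

def parse_notify_entries(log):
    """Map each winlogon\\notify subkey to (dll path, file timestamp, size in bytes)."""
    entries, lines = {}, log.splitlines()
    for key, nxt in zip(lines, lines[1:]):  # ComboFix prints the DLL line right after its key
        m, f = NOTIFY_KEY.match(key.strip()), FILE_LINE.match(nxt.strip())
        if m and f:
            entries[m.group(1)] = (f.group(3).lower(),
                                   datetime.strptime(f.group(1), "%Y-%m-%d %H:%M"), int(f.group(2)))
    return entries

def parse_loaded_dlls(log):
    """Map each module path to the processes ComboFix saw it loaded in."""
    loaded, proc = {}, None
    for line in (l.strip() for l in log.splitlines()):
        m = PROC_HDR.match(line)
        if m:
            proc = m.group(1)
        elif proc and re.match(r"^[a-z]:\\", line, re.I):
            loaded.setdefault(line.lower(), []).append(proc)
        elif not line:
            proc = None  # a blank line ends the process's module list
    return loaded

def triage(log, scan_time, window_days=30):
    """Flag notify DLLs written within window_days before the scan (assumed window), with loaders."""
    scan = datetime.strptime(scan_time, "%Y-%m-%d %H:%M")
    loaded, findings = parse_loaded_dlls(log), []
    for subkey, (path, ts, size) in parse_notify_entries(log).items():
        if timedelta(0) <= (age := scan - ts) <= timedelta(days=window_days):
            findings.append({"subkey": subkey, "dll": path, "size": size,
                             "age_days": age.days, "loaded_in": loaded.get(path, [])})
    return findings
```

Running `triage(SAMPLE_LOG, "2009-11-27 19:09")` returns only the pxod13 entry; the AVG notify package from August falls outside the window.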
