Infected with Adware


This topic is locked. 7 replies to this topic.

#1 davicim0 (Members, 10 posts)

Posted 27 March 2010 - 05:48 PM

Hi. I've recently come across problems using Google. When I click on Google links, I'm usually redirected to other websites that advertise for vacations, loans for small businesses, etc. (I'm sorry I can't be more specific, but there is a variety of sites, and I don't remember them.) I'm also sometimes redirected to other sites when I'm browsing forums or using Youtube. I've tried using Spybot S&D, Adware Pro, Housecall, and MBM, none of which fixed the problem. I was wondering if anyone could help me out. Here are the logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Davi at 14:55:29.43 on Sat 03/27/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1587 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Davi\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davi\applic~1\mozilla\firefox\profiles\y8chqz16.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\davi\locals~1\temp\rzf12.tmp --> c:\docume~1\davi\locals~1\temp\RZF12.tmp [?]
S3 gel90xne;gel90xne;\??\c:\docume~1\davi\locals~1\temp\gel90xne.sys --> c:\docume~1\davi\locals~1\temp\gel90xne.sys [?]

=============== Created Last 30 ================

2010-03-27 18:43:50 0 d-----w- c:\program files\Trend Micro
2010-03-27 18:38:12 0 d-sh--w- c:\documents and settings\davi\PrivacIE
2010-03-27 18:37:22 0 d-sh--w- c:\documents and settings\davi\IETldCache
2010-03-27 18:34:57 0 dc-h--w- c:\windows\ie8
2010-03-27 18:28:00 0 d-s---w- c:\documents and settings\davi\UserData
2010-03-27 08:04:57 0 d-----w- c:\program files\MSXML 6.0
2010-03-27 01:23:54 0 d-----w- c:\windows\system32\CatRoot_bak
2010-03-26 23:09:39 453760 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-26 23:08:16 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-03-26 22:51:59 0 d-----w- c:\docume~1\davi\applic~1\Malwarebytes
2010-03-26 22:51:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-26 22:51:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 22:51:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-26 22:51:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-26 21:47:10 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-26 21:47:10 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-26 21:47:09 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-03-26 21:47:09 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-03-26 21:23:12 0 d-----w- c:\windows\ServicePackFiles
2010-03-26 21:17:00 0 d-----w- c:\program files\MSXML 4.0
2010-03-26 16:34:35 0 d-----w- c:\windows\system32\PreInstall
2010-03-26 16:34:34 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-03-26 16:34:33 0 d--h--w- c:\windows\$hf_mig$
2010-03-26 16:26:44 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-03-26 00:23:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-26 00:23:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-23 00:55:54 0 d-----w- c:\program files\StarCraft

==================== Find3M ====================

2010-03-11 12:50:40 78885 ----a-w- c:\windows\War3Unin.dat

============= FINISH: 14:56:30.54 ===============

Thanks in advance,

David

Edited by davicim0, 27 March 2010 - 05:50 PM.



#2 jpshortstuff (WhatTheTech Teacher, Members, 660 posts, Location: UK)

Posted 28 March 2010 - 01:15 PM

Hi,

Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3





IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 davicim0 (Topic Starter, Members, 10 posts)

Posted 28 March 2010 - 08:44 PM

Thanks for the help, jp. I ran combofix, and it produced the following log:

ComboFix 10-03-28.01 - Davi 03/28/2010 21:31:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1759 [GMT -4:00]
Running from: c:\documents and settings\Davi\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\sxs.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-29 )))))))))))))))))))))))))))))))
.

2010-03-29 01:21 . 2010-03-29 01:21 -------- d-----w- c:\windows\ie8updates
2010-03-27 18:43 . 2010-03-27 18:43 -------- d-----w- c:\program files\Trend Micro
2010-03-27 18:42 . 2010-03-27 18:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-27 18:38 . 2010-03-27 18:38 -------- d-sh--w- c:\documents and settings\Davi\PrivacIE
2010-03-27 18:37 . 2010-03-27 18:37 -------- d-sh--w- c:\documents and settings\Davi\IETldCache
2010-03-27 18:34 . 2010-03-27 18:35 -------- dc-h--w- c:\windows\ie8
2010-03-27 18:28 . 2010-03-27 18:28 -------- d-s---w- c:\documents and settings\Davi\UserData
2010-03-27 08:04 . 2010-03-27 08:04 -------- d-----w- c:\program files\MSXML 6.0
2010-03-27 01:23 . 2010-03-29 01:26 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-03-26 23:09 . 2009-12-04 14:41 453760 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-26 23:08 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-03-26 22:51 . 2010-03-26 22:51 -------- d-----w- c:\documents and settings\Davi\Application Data\Malwarebytes
2010-03-26 22:51 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-26 22:51 . 2010-03-26 22:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-26 22:51 . 2010-03-26 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-26 22:51 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 21:47 . 2009-12-08 18:55 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-26 21:47 . 2009-12-08 18:53 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-26 21:47 . 2009-12-08 18:19 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-03-26 21:47 . 2009-12-08 18:19 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-03-26 21:23 . 2010-03-26 21:23 -------- d-----w- c:\windows\ServicePackFiles
2010-03-26 21:17 . 2010-03-26 21:17 -------- d-----w- c:\program files\MSXML 4.0
2010-03-26 16:34 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-03-26 16:34 . 2010-03-29 01:21 -------- d--h--w- c:\windows\$hf_mig$
2010-03-26 00:23 . 2010-03-26 00:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-26 00:23 . 2010-03-26 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-24 19:27 . 2010-03-24 19:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-03-24 15:56 . 2010-03-24 15:56 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
2010-03-24 07:57 . 2010-03-24 07:57 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-03-23 22:54 . 2010-03-23 22:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-23 00:55 . 2010-03-23 02:41 -------- d-----w- c:\program files\StarCraft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 02:59 . 2009-03-24 07:50 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 01:47 . 2009-06-14 01:13 -------- d-----w- c:\program files\Warcraft III
2010-03-26 02:33 . 2009-03-23 09:15 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-26 01:22 . 2009-09-08 05:44 -------- d-----w- c:\program files\WC3Banlist
2010-03-25 21:06 . 2009-03-30 23:25 1 ----a-w- c:\documents and settings\Davi\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-23 05:51 . 2009-07-26 18:11 29472 ----a-w- c:\documents and settings\Davi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-23 00:57 . 2009-03-24 05:08 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-11 12:50 . 2009-06-14 01:17 78885 ----a-w- c:\windows\War3Unin.dat
2010-02-08 08:14 . 2009-07-05 01:10 -------- d-----w- c:\documents and settings\Davi\Application Data\vlc
2009-12-31 16:14 . 2004-08-12 13:30 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 110592]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips SA30XX Device Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Philips SA30XX Device Manager.lnk
backup=c:\windows\pss\Philips SA30XX Device Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Davi\\Desktop\\listchecker\\pickup.listchecker.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Davi\LOCALS~1\Temp\RZF12.tmp --> c:\docume~1\Davi\LOCALS~1\Temp\RZF12.tmp [?]
S3 gel90xne;gel90xne;\??\c:\docume~1\Davi\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\Davi\LOCALS~1\Temp\gel90xne.sys [?]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Davi\Application Data\Mozilla\Firefox\Profiles\y8chqz16.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Finale NotePad 2005a - c:\windows\unvise32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 21:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Davi\LOCALS~1\Temp\RZF12.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(4028)
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
.
**************************************************************************
.
Completion time: 2010-03-28 21:39:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-29 01:39

Pre-Run: 46,113,185,792 bytes free
Post-Run: 46,218,203,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4A11767AE777A5C5771594EE87039A73


#4 jpshortstuff (WhatTheTech Teacher, Members, 660 posts, Location: UK)

Posted 29 March 2010 - 05:55 AM

Hi,

Looking better, just a couple of things that need attention.

Click Start >> Run, then copy & paste this line into the Run box and hit Enter:
sc delete gel90xne

Repeat for this line:
sc delete GarenaPEngine

Next, I want a second opinion, so we can make sure there isn't anything else left.

You can use either Internet Explorer or Mozilla FireFox for this scan.
  • Please go here then click on:
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on:
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Please also post a new DDS log, and let me know how things are running now.
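As an added illustration (not part of this thread, and not code from DDS, ComboFix or the helper): a small Python triage script that parses `SERVICES / DRIVERS` lines in the DDS log format shown in post #1 and flags driver services whose image path points into a user's Temp folder, has a `.tmp` extension, or could not be verified on disk (`[?]`), then emits the same `sc delete` lines the reply above asks for. The line format, the benign third sample line and the heuristics are assumptions of this example.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the two service lines from the DDS log in post #1, plus an
# assumed benign driver line in the same format to show it is not flagged.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\davi\locals~1\temp\rzf12.tmp --> c:\docume~1\davi\locals~1\temp\RZF12.tmp [?]
S3 gel90xne;gel90xne;\??\c:\docume~1\davi\locals~1\temp\gel90xne.sys --> c:\docume~1\davi\locals~1\temp\gel90xne.sys [?]
R1 mbam;Malwarebytes Protection;c:\windows\system32\drivers\mbam.sys [2010-1-7 19160]
"""

# Assumed layout of a DDS service line: "<start> <name>;<display>;<image path> [annotation]"
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


class ServiceEntry(NamedTuple):
    start_type: str   # R = running, S = stopped, digit = start mode
    name: str         # service key name (what "sc delete" takes)
    display: str
    image_path: str   # registered ImagePath with the \??\ prefix removed
    unverified: bool  # DDS appends "[?]" when it cannot read the file


def parse_services(text: str) -> List[ServiceEntry]:
    """Extract service/driver entries from a DDS log; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = SERVICE_LINE.match(raw.strip())
        if not m:
            continue
        start_type, name, display, rest = m.groups()
        unverified = rest.rstrip().endswith("[?]")
        # Keep the registered path (left of "-->"), drop the NT object prefix and
        # any trailing "[date size]" / "[?]" annotation.
        path = rest.split(" --> ")[0]
        if path.startswith("\\??\\"):
            path = path[4:]
        path = re.sub(r"\s*\[[^\]]*\]\s*$", "", path)
        entries.append(ServiceEntry(start_type, name, display, path, unverified))
    return entries


def suspicious_reasons(entry: ServiceEntry) -> List[str]:
    """Heuristics (assumed for this example) for a kernel driver worth a second look."""
    reasons = []
    parts = entry.image_path.lower().split("\\")
    if "temp" in parts or "tmp" in parts:
        reasons.append("image path lives in a temporary directory")
    if parts[-1].endswith(".tmp"):
        reasons.append("driver binary has a .tmp extension")
    if entry.unverified:
        reasons.append("file could not be verified on disk ([?])")
    if entry.name == entry.display and re.fullmatch(r"[a-z0-9]{8}", entry.name):
        reasons.append("random-looking eight-character service name")
    return reasons


def remediation(entries: List[ServiceEntry]) -> List[str]:
    """The 'sc delete <name>' lines for every flagged entry, in log order."""
    return [f"sc delete {e.name}" for e in entries if suspicious_reasons(e)]


if __name__ == "__main__":
    found = parse_services(SAMPLE_LOG)
    for e in found:
        why = suspicious_reasons(e)
        status = "FLAG" if why else "ok  "
        print(f"{status} {e.start_type} {e.name:<16} {e.image_path}")
        for r in why:
            print(f"       - {r}")
    print("\nRemediation:")
    for cmd in remediation(found):
        print("  " + cmd)
```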

#5 davicim0 (Topic Starter, Members, 10 posts)

Posted 29 March 2010 - 01:34 PM

Okay, here are the logs you requested. I can't thank you enough for your help! I'm no longer redirected when looking at web pages, and Firefox takes less time to start up now. Moreover, I had a (seemingly) unrelated problem with my sound being occasionally disabled, and this was also fixed.

ESET:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=65076f9643cf974c91a749c986d82135
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-29 04:34:10
# local_time=2010-03-29 12:34:10 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=33050
# found=2
# cleaned=0
# scan_time=3725
C:\Documents and Settings\Davi\Application Data\Sun\Java\Deployment\cache\6.0\46\50d407ee-37913fec probably a variant of Java/TrojanDownloader.Agent.NAI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan 00000000000000000000000000000000 I

DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Davi at 14:30:49.48 on Mon 03/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1555 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Davi\Desktop\Virus Scanners\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
uRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [OE_WMPWMFSDK_Install_2] c:\windows\system32\regsvr32 /s "c:\windows\system32\wmnetmgr.dll"
mRunOnce: [OE_WMPWMFSDK_Install_3] c:\windows\system32\regsvr32 /s /u "c:\windows\system32\wmv8dmod.dll"
mRunOnce: [OE_WMPWMFSDK_Install_4] c:\windows\system32\regsvr32 /s "c:\windows\system32\wmvdmod.dll"
mRunOnce: [OE_WMPWMFSDK_Install_5] c:\windows\system32\regsvr32 /s "c:\windows\system32\wmvdmoe2.dll"
mRunOnce: [OE_WMPWMFSDK_Install_6] c:\windows\system32\regsvr32 /s "c:\windows\system32\wmadmoe.dll"
mRunOnce: [OE_WMPWMFSDK_Install_7] c:\windows\system32\regsvr32 /s "c:\windows\system32\wmspdmod.dll"
mRunOnce: [OE_WMPWMFSDK_Install_8] c:\windows\system32\regsvr32 /s "c:\windows\system32\wmspdmoe.dll"
mRunOnce: [OE_WMPWMFSDK_Install_9] c:\windows\system32\regsvr32 /s "c:\windows\system32\wmsdmoe.dll"
mRunOnce: [OE_WMPWMFSDK_Install_10] c:\windows\system32\regsvr32 /s "c:\windows\system32\wmsdmoe2.dll"
mRunOnce: [OE_WMPWMFSDK_Install_20] c:\windows\system32\regsvr32 /s "c:\windows\system32\wmadmod.dll"
mRunOnce: [OE_WMPWMFSDK_Install_21] c:\windows\system32\regsvr32 /s "c:\windows\system32\mpg4dmod.dll"
mRunOnce: [OE_WMPWMFSDK_Install_22] c:\windows\system32\regsvr32 /s "c:\windows\system32\mp43dmod.dll"
mRunOnce: [OE_WMPWMFSDK_Install_23] c:\windows\system32\regsvr32 /s "c:\windows\system32\mp4sdmod.dll"
mRunOnce: [OE_WMPWMFSDK_Install_24] c:\windows\system32\regsvr32 /s "c:\windows\system32\wmsdmod.dll"
mRunOnce: [OE_WMPWMFSDK_Install_30] c:\windows\system32\regsvr32 /s "c:\windows\system32\laprxy.dll"
mRunOnce: [OE_WMPWMFSDK_Install_31] "c:\windows\system32\logagent.exe" /RegServer
mRunOnce: [OE_WMPWMFSDK_Install_32] c:\windows\system32\regsvr32 /s "c:\windows\system32\wmvcore.dll"
mRunOnce: [OE_WMPDRM_Install_1] c:\windows\system32\regsvr32 /s "c:\windows\system32\drmstor.dll"
mRunOnce: [OE_WMPDRM_Install_2] c:\windows\system32\regsvr32 /s "c:\windows\system32\drmclien.dll"
mRunOnce: [OE_WMPDRM_Install_4] c:\windows\system32\regsvr32 /s "c:\windows\system32\drmv2clt.dll"
mRunOnce: [OE_WMPDRM_Install_5] c:\windows\system32\regsvr32 /s "c:\windows\system32\blackbox.dll"
mRunOnce: [OE_WMPDRM_Install_6] c:\windows\system32\regsvr32 /s "c:\windows\system32\msnetobj.dll"
mRunOnce: [OE_WMPWMP7_Install_0] c:\windows\inf\unregmp2.exe /MigrateLibrary
mRunOnce: [OE_WMPWMP7_Install_1] "c:\program files\windows media player\migrate.exe" /s
mRunOnce: [OE_WMPWMP7_Install_2] c:\windows\system32\regsvr32 /s c:\windows\system32\wmp.dll
mRunOnce: [OE_WMPWMP7_Install_8] c:\windows\system32\regsvr32 /s c:\windows\system32\wmpshell.dll
mRunOnce: [OE_WMPWMP7_Install_9] c:\windows\system32\regsvr32 /s c:\windows\system32\wmpasf.dll
mRunOnce: [OE_WMPWMP7_Install_10] c:\windows\system32\regsvr32 /s c:\windows\system32\wmpdxm.dll
mRunOnce: [OE_WMPWMP7_Install_11] c:\windows\system32\regsvr32 /s "c:\program files\windows media player\mpvis.dll"
mRunOnce: [OE_WMPWMDM_Install_7] c:\windows\system32\regsvr32 /s c:\windows\system32\mspmsnsv.dll
mRunOnce: [OE_WMPWMP7_Install_20] c:\windows\inf\unregmp2.exe /Shortcuts /RegExts
mRunOnce: [KB923561] rundll32.exe apphelp.dll,ShimFlushCache
mRunOnce: [KB955759] rundll32.exe apphelp.dll,ShimFlushCache
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davi\applic~1\mozilla\firefox\profiles\y8chqz16.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-03-29 15:52:15 6693 ----a-w- c:\windows\system32\spupdsvc.inf
2010-03-29 15:47:12 0 d-----w- c:\program files\Messenger
2010-03-29 15:46:32 0 d-----w- c:\windows\system32\scripting
2010-03-29 15:46:31 0 d-----w- c:\windows\system32\en
2010-03-29 15:46:31 0 d-----w- c:\windows\system32\bits
2010-03-29 15:46:31 0 d-----w- c:\windows\l2schemas
2010-03-29 15:36:06 0 d-----w- c:\windows\network diagnostic
2010-03-29 15:31:05 0 d-----w- c:\windows\system32\ReinstallBackups
2010-03-29 15:27:15 0 d-----w- c:\program files\ESET
2010-03-29 01:28:02 0 d-sha-r- C:\cmdcons
2010-03-29 01:26:27 98816 ----a-w- c:\windows\sed.exe
2010-03-29 01:26:27 77312 ----a-w- c:\windows\MBR.exe
2010-03-29 01:26:27 261632 ----a-w- c:\windows\PEV.exe
2010-03-29 01:26:27 161792 ----a-w- c:\windows\SWREG.exe
2010-03-29 01:23:58 685056 ------w- c:\windows\system32\drivers\hsfcxts2.sys
2010-03-29 01:22:53 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2010-03-29 01:21:28 0 d-----w- c:\windows\ie8updates
2010-03-27 18:43:50 0 d-----w- c:\program files\Trend Micro
2010-03-27 18:38:12 0 d-sh--w- c:\documents and settings\davi\PrivacIE
2010-03-27 18:37:22 0 d-sh--w- c:\documents and settings\davi\IETldCache
2010-03-27 18:34:57 0 dc-h--w- c:\windows\ie8
2010-03-27 18:28:00 0 d-s---w- c:\documents and settings\davi\UserData
2010-03-27 08:04:57 0 d-----w- c:\program files\MSXML 6.0
2010-03-26 23:10:01 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-03-26 23:10:01 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-03-26 23:10:01 119808 ------w- c:\windows\system32\SET6125.tmp
2010-03-26 23:09:39 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-26 23:09:23 1172480 ------w- c:\windows\system32\SET6136.tmp
2010-03-26 23:09:07 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-03-26 23:07:55 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-03-26 22:51:59 0 d-----w- c:\docume~1\davi\applic~1\Malwarebytes
2010-03-26 22:51:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-26 22:51:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 22:51:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-26 22:51:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-26 21:45:47 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-03-26 21:23:12 0 d-----w- c:\windows\ServicePackFiles
2010-03-26 21:17:00 0 d-----w- c:\program files\MSXML 4.0
2010-03-26 16:40:27 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-03-26 16:40:25 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-03-26 16:39:16 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-03-26 16:39:16 337408 ------w- c:\windows\system32\SET5F7E.tmp
2010-03-26 16:34:35 0 d-----w- c:\windows\system32\PreInstall
2010-03-26 16:34:34 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-03-26 16:34:33 0 d--h--w- c:\windows\$hf_mig$
2010-03-26 16:26:44 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-03-26 00:23:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-26 00:23:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-23 00:55:54 0 d-----w- c:\program files\StarCraft

==================== Find3M ====================

2010-03-11 12:50:40 78885 ----a-w- c:\windows\War3Unin.dat

============= FINISH: 14:30:56.67 ===============


#6 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:01:14 AM

Posted 30 March 2010 - 02:16 AM

Hi,

Logs look good


Open your Control Panel and double-click Java. Click the Settings... button in the Temporary Internet Files box on the General tab. Click Delete Files..., ensure all boxes are selected, then click OK.


Click Start >> Run, and then type ComboFix /Uninstall and hit enter. You can now delete any other tools I had you download and use, unless you wish to keep them.


You don't appear to be running any AntiVirus software. Without active AntiVirus protection, your computer is at high risk from infection. I strongly recommend you download and install an AntiVirus program as soon as you can. A few free ones that I usually recommend are AVG, Avast!, and Avira.


Now that your computer is clean again, there are a few things that you should consider to keep it that way.
  • Windows Update
    Keeping Windows up-to-date is crucial to your computer's security. Without the latest security fixes and patches, your computer is a sitting target for Malware to find its way in. Microsoft regularly release free updates to fix security flaws and increase the overall security of Windows.
    Windows XP: Use the Windows Update Site (using Internet Explorer) to download and install updates.
    Windows Vista & 7: Open your Control Panel and click Check for updates (under 'Security') or Windows Update ('Classic View').

  • Security Updates
    You should also make sure you regularly update your AntiVirus and Firewall software. New Malware is being developed all the time, so it is vital to stay up-to-date with the latest protection available.

  • Secure Internet Explorer
    Even if you don't use Internet Explorer, it is important to secure it. A lot of Microsoft and third-party software utilizes Internet Explorer's functionality for its own Internet related activities (like updating, for example), so it is important to keep it secure.

    1. Click Start >> Run, type inetcpl.cpl and then hit Enter
    2. Click on the Security tab, then click once on the Internet icon to highlight it
    3. Click Custom Level button, then make the following changes:
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    4. When all these changes have been made, click on the OK button.
    5. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    6. Press the Apply button and then the OK to exit the Internet Properties page.

  • Extra Protection (optional but recommended)
    Download and install the free version of WinPatrol. This program protects your computer from malicious changes in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. WinPatrol supports everything from Windows 98 to Windows 7, and the developer is constantly improving the program, so it's an excellent protection program to have on-board.

  • Have a read of this article for more information on how you became infected and how to stay secure:
    How did I get infected?
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here
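The six Custom Level changes in the post above are stored by Internet Explorer as numbered values under the current user's Internet Settings\Zones\3 key (zone 3 is the Internet zone; 0 = Enable, 1 = Prompt, 3 = Disable). As an added example, not part of jpshortstuff's post or any tool he linked, the following PowerShell script reads those values and reports which ones still differ from what the post recommends. The value numbers and their meanings are the documented IE zone layout; the function name Get-ZoneSettingStatus and the $recommended table are my own. It only reads the registry, so it is safe to run before and after making the changes in the UI.

```powershell
# Added example (not from the original post): audit the Internet zone (zone 3)
# settings the post asks the reader to change, by reading the per-user registry
# values Internet Explorer stores them in. Value names follow the documented
# Internet Settings zone layout: 0 = Enable, 1 = Prompt, 3 = Disable.
# Run as the user whose IE settings you want to check; nothing is modified.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the post, keyed by the registry value name IE uses.
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }  # Prompt
}

# Human-readable labels for the three states the Custom Level dialog exposes.
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSettingStatus {
    param(
        [string]$Path,          # registry path of the zone to audit
        [hashtable]$Expected    # value name -> @{ Name; Want }
    )

    # Get-ItemProperty returns one object whose properties are the zone's values.
    $zone = Get-ItemProperty -Path $Path -ErrorAction Stop

    foreach ($valueName in ($Expected.Keys | Sort-Object)) {
        $entry   = $Expected[$valueName]
        $prop    = $zone.PSObject.Properties[$valueName]
        $current = if ($null -ne $prop) { [int]$prop.Value } else { $null }

        if ($null -eq $current) {
            # No per-user value: IE falls back to the machine-wide default for this zone.
            $state = 'not set (HKLM default applies)'
        } elseif ($labels.ContainsKey($current)) {
            $state = $labels[$current]
        } else {
            $state = "raw $current"
        }

        [pscustomobject]@{
            Setting = $entry.Name
            Value   = $valueName
            Current = $state
            Wanted  = $labels[$entry.Want]
            OK      = ($null -ne $current -and $current -eq $entry.Want)
        }
    }
}

# Print the audit table; any row with OK = False still needs changing in Custom Level.
Get-ZoneSettingStatus -Path $zonePath -Expected $recommended | Format-Table -AutoSize
```

A row reported as "not set" is not necessarily wrong: IE then uses the machine-wide default under HKLM for that value, so check that key (or simply make the change in the Custom Level dialog, which writes the per-user value) before treating it as a finding.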

#7 davicim0

davicim0
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:14 PM

Posted 30 March 2010 - 04:07 PM

Everything's running smoothly. I did what you asked, and I'll be sure to read your articles when I have time. Thank you again!

-David

#8 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:01:14 AM

Posted 01 April 2010 - 01:33 PM

Glad we could help

This topic is now closed. If you need it re-opened, please send me a PM. Everyone else, please start a new topic.



