Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Mozilla Removes 23 Firefox Add-Ons That Snooped on Users

Featured Deal: This Free Course Lets You Achieve Digital Transformation for Your Company

IExlorer starts automatically

Started by GiaUK , Apr 06 2010 11:38 AM

This topic is locked

13 replies to this topic

#1 GiaUK

Members
9 posts
OFFLINE

Local time:10:44 PM

Posted 06 April 2010 - 11:38 AM

Hey guys,

I have had problems with my friend's laptop for a while now. It uses Win Vista, the win firewall, AntiVir, and Ad-aware. I have been scanning the laptop several times, and removed the infections. However, the AV guard shows still warnings of an infection, but it says it can't access the infected files.

Also, Internet Explorer is starting automatically (I usually use only Firefox), with random ad websites, but even Ad-aware can't find any traces of malware.

Here is my HiJackThis file. If you need any further information, just ask

Thanks! Gia

________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:35:48, on 06/04/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Luke\AppData\Local\Temp\smss.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Luke\AppData\Local\Temp\win.exe
C:\Users\Luke\AppData\Local\Temp\avp32.exe
C:\Users\Luke\AppData\Local\Temp\csrss.exe
C:\Windows\System32\mobsync.exe
C:\Users\Luke\AppData\Local\Temp\win32.exe
C:\Users\Luke\AppData\Local\Temp\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Luke\AppData\Local\Temp\system.exe
C:\Users\Luke\AppData\Local\Temp\lsass.exe
C:\Users\Luke\AppData\Local\Temp\debug.exe
C:\Users\Luke\AppData\Local\Temp\mdm.exe
C:\Users\Luke\AppData\Local\Temp\drweb.exe
C:\Users\Luke\AppData\Local\Temp\taskmgr.exe
C:\Users\Luke\AppData\Local\Temp\nvsvc32.exe
C:\Users\Luke\AppData\Local\Temp\login.exe
C:\Users\Luke\AppData\Local\Temp\winamp.exe
C:\Users\Luke\AppData\Local\Temp\services.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Users\Luke\AppData\Local\Temp\3085238048.exe
C:\Users\Luke\AppData\Local\Temp\3662608608.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Users\Luke\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\Users\Luke\AppData\Local\Temp\winamp.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-GB\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/anysite/support...s/ebraryRdr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Google Update Service (gupdate1c9b20474657fc0) (gupdate1c9b20474657fc0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7594 bytes

AntiVir shows the virus or unwanted program is TR/PCK.Katusha.J.628 and the application is called smss.exe, 19 other exe objects are infected, but access to the file is denied. I tried to delete it myself in a hidden folder, but again it doesn't let me.

Merged posts. ~ OB

Edited by Orange Blossom, 06 April 2010 - 09:40 PM.

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:03:44 AM

Posted 09 April 2010 - 07:35 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Then

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

m0le is a proud member of UNITE

#3 GiaUK

Topic Starter

Members
9 posts
OFFLINE

Local time:10:44 PM

Posted 11 April 2010 - 08:19 AM

DDS (Ver_10-03-17.01) - NTFSx86
Run by Luke at 14:04:24.71 on 11/04/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1790.782 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Luke\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cnnb
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
EB: {8BCB5337-EC01-4E38-840C-A964F174255B} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search - c:\programdata\aol\ietoolbar\resources\en-gb\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/lib/anysite/support/plugins/ebraryRdr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\luke\appdata\roaming\mozilla\firefox\profiles\x8e2xi0j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?
FF - prefs.js: network.proxy.ftp - 10.247.6.20
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.247.6.20
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.247.6.20
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.247.6.20
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.247.6.20
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\luke\appdata\roaming\mozilla\firefox\profiles\x8e2xi0j.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\luke\appdata\roaming\mozilla\firefox\profiles\x8e2xi0j.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\luke\appdata\roaming\mozilla\firefox\profiles\x8e2xi0j.default\extensions\reader_plugin@ebrary.com\plugins\NPinfotl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-3 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-3 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-3 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-3 60936]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-4 361808]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-3 42528]
S2 gupdate1c9b20474657fc0;Google Update Service (gupdate1c9b20474657fc0);c:\program files\google\update\GoogleUpdate.exe [2009-3-31 133104]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-4 193840]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-04-06 16:08:19 0 d-----w- c:\program files\TrendMicro
2010-04-03 17:55:25 0 d-----w- c:\users\luke\appdata\roaming\Avira
2010-04-03 16:58:21 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-03 16:58:18 0 d-----w- c:\programdata\Avira
2010-04-03 16:58:18 0 d-----w- c:\program files\Avira
2010-04-03 16:49:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-03 16:34:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-03 16:34:50 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-03 16:31:25 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-03 16:30:47 0 d-----w- c:\programdata\Lavasoft
2010-04-03 16:30:47 0 d-----w- c:\program files\Lavasoft
2010-04-03 16:16:25 0 d-----w- c:\users\luke\appdata\roaming\QuickScan
2010-04-03 16:07:19 0 d-----w- c:\windows\pss
2010-04-03 15:49:03 524 ----a-w- c:\programdata\fiosejgfse.dll
2010-04-03 15:46:00 0 d-----w- c:\users\luke\appdata\roaming\Your Protection
2010-04-02 02:01:14 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-31 11:57:36 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-31 11:57:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-17 10:13:40 56 ---ha-w- c:\windows\system32\ezsidmv.dat

==================== Find3M ====================

2010-04-11 13:02:17 109416 ----a-w- c:\programdata\nvModes.dat
2010-04-03 17:04:08 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-03 17:04:07 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-03 17:04:07 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-09 22:04:44 588472 ----a-w- c:\windows\system32\ezsvc7x.dll
2010-02-24 10:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-18 12:20:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-08-04 14:47:12 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:07:47.56 ===============

#4 GiaUK

Topic Starter

Members
9 posts
OFFLINE

Local time:10:44 PM

Posted 11 April 2010 - 09:33 AM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-11 15:31:52
Windows 6.0.6002 Service Pack 2
Running: 3k05f15s.exe; Driver: C:\Users\Luke\AppData\Local\Temp\pxldapow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- EOF - GMER 1.0.15 ----

#5 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:03:44 AM

Posted 11 April 2010 - 01:44 PM

Okay, can you give me a little bit more information about the problem.

Is it Iexlorer - without the P?

Is it Internet Explorer the browser that you mean or a running process?

If it is a process, how are you aware of it starting and running?

What symptoms does the startup cause?

m0le is a proud member of UNITE

#6 GiaUK

Topic Starter

Members
9 posts
OFFLINE

Local time:10:44 PM

Posted 11 April 2010 - 03:33 PM

Sorry I meant Internet Explorer, the browser. I use Firefox for browsing, yet inbetween Internet Explorer opens up itself with different ad websites. If I close it, it happens again, and again... Other than that there is no visible problem on startup.

#7 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:03:44 AM

Posted 11 April 2010 - 04:40 PM

Okay, got you now.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

m0le is a proud member of UNITE

#8 GiaUK

Topic Starter

Members
9 posts
OFFLINE

Local time:10:44 PM

Posted 11 April 2010 - 06:31 PM

Thanks btw

ComboFix 10-04-10.02 - Luke 12/04/2010 0:07.1.2 - x86
Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6002.2.1252.44.1033.18.1790.688 [GMT 1:00]
Running from: c:\users\Luke\Desktop\comfix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3284593986-245462874-3896323831-500
c:\$recycle.bin\S-1-5-21-841141263-361029112-3710205945-500
C:\cleansweep.exe
c:\cleansweep.exe\cleansweep.exe
c:\cleansweep.exe\config.bin
c:\programdata\fiosejgfse.dll
c:\users\Luke\AppData\Local\av.exe
c:\users\Luke\AppData\Local\Microsoft\Windows\Temporary Internet Files\3y82N4.jpg
c:\users\Luke\AppData\Local\Microsoft\Windows\Temporary Internet Files\5UVfeN6C.jpg
c:\users\Luke\AppData\Local\Microsoft\Windows\Temporary Internet Files\O15Sn.jpg
c:\users\Luke\AppData\Local\Microsoft\Windows\Temporary Internet Files\OJeEuwsWI.jpg
c:\users\Luke\FAVORI~1\_favdata.dat
c:\users\Luke\Favorites\_favdata.dat

.
((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-06 16:34 . 2010-04-06 16:34 598368 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-06 16:08 . 2010-04-06 16:08 388096 ----a-r- c:\users\Luke\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-06 16:08 . 2010-04-06 16:08 -------- d-----w- c:\program files\TrendMicro
2010-04-03 17:55 . 2010-04-03 17:55 -------- d-----w- c:\users\Luke\AppData\Roaming\Avira
2010-04-03 16:58 . 2010-03-01 08:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-03 16:58 . 2010-02-16 12:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-03 16:58 . 2009-05-11 10:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-03 16:58 . 2009-05-11 10:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-03 16:58 . 2010-04-03 16:58 -------- d-----w- c:\programdata\Avira
2010-04-03 16:58 . 2010-04-03 16:58 -------- d-----w- c:\program files\Avira
2010-04-03 16:49 . 2010-04-03 16:34 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-03 16:31 . 2010-04-03 16:31 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-03 16:31 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-04-03 16:30 . 2010-04-03 16:34 -------- d-----w- c:\programdata\Lavasoft
2010-04-03 16:30 . 2010-04-03 16:31 -------- d-----w- c:\program files\Lavasoft
2010-04-03 16:16 . 2010-04-06 20:40 -------- d-----w- c:\users\Luke\AppData\Roaming\QuickScan
2010-04-03 16:16 . 2010-03-30 18:35 670696 ----a-w- c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-04-03 16:16 . 2010-03-30 18:34 833448 ----a-w- c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-04-03 15:49 . 2010-04-03 16:13 181760 --sha-w- c:\users\Luke\AppData\Local\1633618601.dll
2010-04-03 15:46 . 2010-04-03 15:46 40960 ----a-w- c:\users\Luke\AppData\Roaming\Your Protection\urpext.dll
2010-04-03 15:46 . 2010-04-03 15:46 21504 ----a-w- c:\users\Luke\AppData\Roaming\Your Protection\urphook.dll
2010-04-03 15:46 . 2010-04-03 17:28 -------- d-----w- c:\users\Luke\AppData\Roaming\Your Protection
2010-04-02 02:01 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-31 11:57 . 2010-03-09 15:42 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-31 11:57 . 2010-03-09 16:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-30 12:39 . 2008-11-05 17:30 614400 ----a-w- c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\reader_plugin@ebrary.com\plugins\NPinfotl.dll
2010-03-17 10:13 . 2010-03-17 10:13 56 ---ha-w- c:\windows\system32\ezsidmv.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 23:19 . 2008-12-25 03:20 -------- d-----w- c:\programdata\Kontiki
2010-04-11 23:02 . 2008-12-28 17:21 109416 ----a-w- c:\programdata\nvModes.dat
2010-04-11 13:02 . 2008-12-24 18:48 -------- d-----w- c:\users\Luke\AppData\Roaming\Skype
2010-04-11 07:56 . 2008-12-24 18:49 -------- d-----w- c:\users\Luke\AppData\Roaming\skypePM
2010-04-08 01:08 . 2009-03-31 13:26 -------- d-----w- c:\program files\Google
2010-04-06 16:34 . 2010-04-03 16:34 966104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-06 16:34 . 2010-04-03 16:34 1265264 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-05 12:54 . 2008-12-25 03:20 -------- d-----w- c:\program files\Kontiki
2010-04-05 12:53 . 2008-08-04 16:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-05 12:53 . 2008-12-24 17:30 -------- d-----w- c:\users\Luke\AppData\Roaming\Symantec
2010-04-05 00:30 . 2009-11-25 11:57 -------- d-----w- c:\programdata\Norton
2010-04-05 00:30 . 2010-01-22 18:01 -------- d-----w- c:\program files\Norton Security Scan
2010-04-03 17:08 . 2008-08-04 16:25 -------- d-----w- c:\programdata\Symantec
2010-04-03 14:48 . 2008-11-13 08:33 -------- d-----w- c:\programdata\NVIDIA
2010-03-12 03:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 03:09 . 2008-08-04 17:47 -------- d-----w- c:\programdata\Microsoft Help
2010-03-09 22:04 . 2008-08-04 18:04 588472 ----a-w- c:\windows\system32\ezsvc7x.dll
2010-02-25 08:29 . 2008-12-24 17:31 75440 ----a-w- c:\users\Luke\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 10:16 . 2009-10-03 00:46 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06 . 2010-03-12 03:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-12 03:01 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-12 03:01 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-04 15:53 . 2010-04-03 16:34 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-25 12:00 . 2010-02-24 11:21 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 11:21 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 11:21 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 11:21 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 11:21 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 11:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 11:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 11:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 11:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 13:40 . 2008-12-26 02:52 680 ----a-w- c:\users\Luke\AppData\Local\d3d9caps.dat
2010-01-23 09:26 . 2010-02-24 11:21 2048 ----a-w- c:\windows\system32\tzres.dll
2008-08-04 14:47 . 2008-08-04 14:47 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Luke^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]
path=c:\users\Luke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
backup=c:\windows\pss\BBC iPlayer Desktop.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
2008-02-27 17:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-04-15 20:42 70912 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2008-04-15 21:51 488752 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 17:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-07-23 14:39 13797920 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-03-14 15:45 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2008-06-12 05:17 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 15:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-10 22:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 04:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-12-24 23:55 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 09:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(

:a7,78,1d,ff,38,20,ca,01

R2 gupdate1c9b20474657fc0;Google Update Service (gupdate1c9b20474657fc0);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 133104]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-26 717296]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-06 1265264]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-03 42528]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PXLDAPOW
*Deregistered* - pxldapow

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 22:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 13:26]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 13:26]

2010-04-11 c:\windows\Tasks\User_Feed_Synchronization-{AA042E53-8B1B-4BFD-8DD4-933B2C4D5D28}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cnnb
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?
FF - prefs.js: network.proxy.ftp - 10.247.6.20
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.247.6.20
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.247.6.20
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.247.6.20
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.247.6.20
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\reader_plugin@ebrary.com\plugins\NPinfotl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-cleansweep - c:\cleansweep.exe\cleansweep.exe
MSConfigStartUp-hf8wefhuaihf8ewfydiujhfdsfdf - c:\users\Luke\AppData\Local\Temp\t4ohen7vb8.exe
MSConfigStartUp-hsf87efjhdsf87f3jfsdi7fhsujfd - c:\users\Luke\AppData\Local\Temp\hexdump.exe
MSConfigStartUp-mplay32xe - c:\users\Luke\AppData\Local\Temp\mplay32xe.exe
MSConfigStartUp-osCheck - c:\program files\Norton 360\osCheck.exe
MSConfigStartUp-Your Protection - c:\users\Luke\AppData\Roaming\Your Protection\urpprot.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 00:17
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-841141263-361029112-3710205945-1000\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\3.0]
"FRT"="cbMX1lUj7Ua9ia9mLgpuzG0tVV60fi1eAZPF0iiCaNUDhFJLtRysVA=="
"PLCK"="oXJ6MUjQxTE7kfz4nsKc2qB51xoZdBBB"
"Percents"="0 0.0826 0.2208 0.4045 0.8802 0.9546 0.9607 "
"Increment"=".001548"
"PHSH"=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-12 00:22:54
ComboFix-quarantined-files.txt 2010-04-11 23:22

Pre-Run: 26,108,256,256 bytes free
Post-Run: 27,625,148,416 bytes free

- - End Of File - - 81F72D7482C0A2E3E801F9554755D060

Edited by GiaUK, 11 April 2010 - 06:33 PM.

#9 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:03:44 AM

Posted 11 April 2010 - 07:38 PM

You're welcome.

We should rerun Combofix to clear up

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE

File::
c:\users\Luke\AppData\Local\1633618601.dll

Folder::
c:\users\Luke\AppData\Roaming\Your Protection

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next please go online and do a scan with ESET

I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
1. Click on to download the ESET Smart Installer. Save it to your desktop.
2. Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Check
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.

Let me know how the PC is running after these steps too.

m0le is a proud member of UNITE

#10 GiaUK

Topic Starter

Members
9 posts
OFFLINE

Local time:10:44 PM

Posted 12 April 2010 - 07:57 AM

Will do the ESET scan now... so far there are no new pop-ups of Internet Explorer, but I will let you know.

___

ComboFix 10-04-10.02 - Luke 12/04/2010 13:26:33.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1790.1040 [GMT 1:00]
Running from: c:\users\Luke\Desktop\comfix.exe
Command switches used :: c:\users\Luke\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Luke\AppData\Local\1633618601.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Luke\AppData\Local\1633618601.dll
c:\users\Luke\AppData\Roaming\Your Protection
c:\users\Luke\AppData\Roaming\Your Protection\about.ico
c:\users\Luke\AppData\Roaming\Your Protection\activate.ico
c:\users\Luke\AppData\Roaming\Your Protection\buy.ico
c:\users\Luke\AppData\Roaming\Your Protection\help.ico
c:\users\Luke\AppData\Roaming\Your Protection\scan.ico
c:\users\Luke\AppData\Roaming\Your Protection\settings.ico
c:\users\Luke\AppData\Roaming\Your Protection\splash.mp3
c:\users\Luke\AppData\Roaming\Your Protection\update.ico
c:\users\Luke\AppData\Roaming\Your Protection\urp.db
c:\users\Luke\AppData\Roaming\Your Protection\urpext.dll
c:\users\Luke\AppData\Roaming\Your Protection\urphook.dll
c:\users\Luke\AppData\Roaming\Your Protection\virus.mp3

.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-12 12:34 . 2010-04-12 12:34 -------- d-----w- c:\users\Luke\AppData\Local\temp
2010-04-12 12:34 . 2010-04-12 12:34 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-12 12:34 . 2010-04-12 12:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-06 16:34 . 2010-04-06 16:34 598368 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-06 16:08 . 2010-04-06 16:08 388096 ----a-r- c:\users\Luke\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-06 16:08 . 2010-04-06 16:08 -------- d-----w- c:\program files\TrendMicro
2010-04-03 17:55 . 2010-04-03 17:55 -------- d-----w- c:\users\Luke\AppData\Roaming\Avira
2010-04-03 16:58 . 2010-03-01 08:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-03 16:58 . 2010-02-16 12:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-03 16:58 . 2009-05-11 10:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-03 16:58 . 2009-05-11 10:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-03 16:58 . 2010-04-03 16:58 -------- d-----w- c:\programdata\Avira
2010-04-03 16:58 . 2010-04-03 16:58 -------- d-----w- c:\program files\Avira
2010-04-03 16:49 . 2010-04-03 16:34 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-03 16:31 . 2010-04-03 16:31 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-03 16:31 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-04-03 16:30 . 2010-04-03 16:34 -------- d-----w- c:\programdata\Lavasoft
2010-04-03 16:30 . 2010-04-03 16:31 -------- d-----w- c:\program files\Lavasoft
2010-04-03 16:16 . 2010-04-06 20:40 -------- d-----w- c:\users\Luke\AppData\Roaming\QuickScan
2010-04-03 16:16 . 2010-03-30 18:35 670696 ----a-w- c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-04-03 16:16 . 2010-03-30 18:34 833448 ----a-w- c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-04-02 02:01 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-31 11:57 . 2010-03-09 15:42 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-31 11:57 . 2010-03-09 16:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-30 12:39 . 2008-11-05 17:30 614400 ----a-w- c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\reader_plugin@ebrary.com\plugins\NPinfotl.dll
2010-03-17 10:13 . 2010-03-17 10:13 56 ---ha-w- c:\windows\system32\ezsidmv.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 12:34 . 2008-12-25 03:20 -------- d-----w- c:\programdata\Kontiki
2010-04-12 12:21 . 2008-12-28 17:21 109416 ----a-w- c:\programdata\nvModes.dat
2010-04-11 13:02 . 2008-12-24 18:48 -------- d-----w- c:\users\Luke\AppData\Roaming\Skype
2010-04-11 07:56 . 2008-12-24 18:49 -------- d-----w- c:\users\Luke\AppData\Roaming\skypePM
2010-04-08 01:08 . 2009-03-31 13:26 -------- d-----w- c:\program files\Google
2010-04-06 16:34 . 2010-04-03 16:34 966104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-06 16:34 . 2010-04-03 16:34 1265264 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-05 12:54 . 2008-12-25 03:20 -------- d-----w- c:\program files\Kontiki
2010-04-05 12:53 . 2008-08-04 16:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-05 12:53 . 2008-12-24 17:30 -------- d-----w- c:\users\Luke\AppData\Roaming\Symantec
2010-04-05 00:30 . 2009-11-25 11:57 -------- d-----w- c:\programdata\Norton
2010-04-05 00:30 . 2010-01-22 18:01 -------- d-----w- c:\program files\Norton Security Scan
2010-04-03 17:08 . 2008-08-04 16:25 -------- d-----w- c:\programdata\Symantec
2010-04-03 14:48 . 2008-11-13 08:33 -------- d-----w- c:\programdata\NVIDIA
2010-03-12 03:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 03:09 . 2008-08-04 17:47 -------- d-----w- c:\programdata\Microsoft Help
2010-03-09 22:04 . 2008-08-04 18:04 588472 ----a-w- c:\windows\system32\ezsvc7x.dll
2010-02-25 08:29 . 2008-12-24 17:31 75440 ----a-w- c:\users\Luke\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 10:16 . 2009-10-03 00:46 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06 . 2010-03-12 03:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-12 03:01 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-12 03:01 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-04 15:53 . 2010-04-03 16:34 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-25 12:00 . 2010-02-24 11:21 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 11:21 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 11:21 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 11:21 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 11:21 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 11:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 11:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 11:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 11:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 13:40 . 2008-12-26 02:52 680 ----a-w- c:\users\Luke\AppData\Local\d3d9caps.dat
2010-01-23 09:26 . 2010-02-24 11:21 2048 ----a-w- c:\windows\system32\tzres.dll
2008-08-04 14:47 . 2008-08-04 14:47 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-04-11_23.17.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 13:05 . 2010-04-12 09:56 92330 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-24 17:25 . 2010-04-12 09:56 11594 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-841141263-361029112-3710205945-1000_UserData.bin
+ 2008-11-13 07:43 . 2010-04-12 09:54 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-13 07:43 . 2010-04-11 13:13 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-13 07:43 . 2010-04-12 09:54 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-13 07:43 . 2010-04-11 13:13 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-13 07:43 . 2010-04-11 13:13 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-13 07:43 . 2010-04-12 09:54 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-05 14:30 . 2010-04-05 12:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-05 14:30 . 2010-04-12 09:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-01-05 14:30 . 2010-04-05 12:54 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-05 14:30 . 2010-04-12 09:54 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-05 14:30 . 2010-04-12 09:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-05 14:30 . 2010-04-05 12:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-11 13:13 . 2010-04-12 09:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-11 13:13 . 2010-04-11 13:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-04-11 13:13 . 2010-04-12 09:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-04-11 13:13 . 2010-04-11 13:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-24 21:02 . 2010-04-12 12:21 378628 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Luke^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]
path=c:\users\Luke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
backup=c:\windows\pss\BBC iPlayer Desktop.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
2008-02-27 17:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-04-15 20:42 70912 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2008-04-15 21:51 488752 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 17:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-07-23 14:39 13797920 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-03-14 15:45 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2008-06-12 05:17 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 15:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-10 22:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 04:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-12-24 23:55 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 09:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(

:a7,78,1d,ff,38,20,ca,01

R2 gupdate1c9b20474657fc0;Google Update Service (gupdate1c9b20474657fc0);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 133104]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-26 717296]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-06 1265264]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-03 42528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 22:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 13:26]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 13:26]

2010-04-12 c:\windows\Tasks\User_Feed_Synchronization-{AA042E53-8B1B-4BFD-8DD4-933B2C4D5D28}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cnnb
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?
FF - prefs.js: network.proxy.ftp - 10.247.6.20
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.247.6.20
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.247.6.20
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.247.6.20
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.247.6.20
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\x8e2xi0j.default\extensions\reader_plugin@ebrary.com\plugins\NPinfotl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 13:34
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-841141263-361029112-3710205945-1000\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\3.0]
"FRT"="cbMX1lUj7Ua9ia9mLgpuzG0tVV60fi1eAZPF0iiCaNUDhFJLtRysVA=="
"PLCK"="oXJ6MUjQxTE7kfz4nsKc2qB51xoZdBBB"
"Percents"="0 0.0826 0.2208 0.4045 0.8802 0.9546 0.9607 "
"Increment"=".001548"
"PHSH"=""
.
Completion time: 2010-04-12 13:37:53
ComboFix-quarantined-files.txt 2010-04-12 12:37
ComboFix2.txt 2010-04-11 23:22

Pre-Run: 27,539,709,952 bytes free
Post-Run: 27,399,700,480 bytes free

- - End Of File - - A3AF4FADAE10D981DE88137C31CCA518

#11 GiaUK

Topic Starter

Members
9 posts
OFFLINE

Local time:10:44 PM

Posted 12 April 2010 - 01:46 PM

ESET results:

C:\Qoobox\Quarantine\C\cleansweep.exe\cleansweep.exe.vir a variant of Win32/Kryptik.DLO trojan cleaned by deleting - quarantined

Edited by GiaUK, 12 April 2010 - 03:20 PM.

#12 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:03:44 AM

Posted 12 April 2010 - 05:26 PM

You look clean now. The ESET log shows only what was already in Combofix.

Any more problems with IE?

m0le is a proud member of UNITE

#13 GiaUK

Topic Starter

Members
9 posts
OFFLINE

Local time:10:44 PM

Posted 12 April 2010 - 05:45 PM

Oh okay, great! I haven´t had any problems with IE yet (anymore). I guess you can close the topic, and if it should come up again I can contact an admin.

Thanks for your help, you guys are doing a great job

#14 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:03:44 AM

Posted 12 April 2010 - 05:51 PM

Thanks, glad I could help. I will also close the topic - feel free to PM me direct if you need to.

Before you go please read and action the following:

You're clean. Good stuff!

Let's do some clearing up

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

Download OTC by OldTimer and save it to your desktop.
Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
Then Click the big button.
You will get a prompt saying "Being Cleanup Process". Please select Yes.
Restart your computer when prompted.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Finally, here's a treasure trove of antivirus, antimalware and antispyware resources

That's it GiaUK, happy surfing!

Cheers.

m0le

m0le is a proud member of UNITE

Back to Virus, Trojan, Spyware, and Malware Removal Help