PRAGMAevpfdibcim and various PRAGM infections


This topic is locked
21 replies to this topic

#1 Lancod

Posted 18 June 2010 - 02:22 PM

Hi

I would be really grateful if someone would help me out with this problem. It all started when my computer started opening strange pop-ups for news-11. This would happen randomly whether I was doing anything or not. I ran a couple of AVG scans and they didn't pick anything up though. I was going to look it up and see if there was some way to fix it, but before I could do that my brother downloaded one of the bogus anti-spyware programs that are "recommended". Defense Center was then on my computer and I couldn't get it off and of course it made my computer wig out. I read on a help site how to make AVG more thorough though and ran AVG again. This time it got rid of Defense Center and many Trojans. I thought that I was okay and my problems were solved except... the pop-ups were still there. And recently whenever I search for something, say using Google, if I click on a link it will take me to some bogus site that has nothing to do with what I'm searching for. Most often it is some kind of ad for cars. After running GMER there seem to be lots of PRAGM things. As you can probably tell I'm over my head with this one and I would GREATLY appreciate some help. Here are the logs.


DDS (Ver_10-03-17.01) - NTFSx86
Run by dvd at 12:46:31.39 on Fri 06/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.601 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
c:\windows\system32\svchost -k dcomlaunch
svchost.exe
c:\windows\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dvd\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.yahoo.com/?fr=fp-yma2
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program

files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link

toolbar\dlinktb.dll
mURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link

toolbar\dlinktb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and

settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google

toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program

files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program

files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: D-Link Toolbar Loa

Edited by Lancod, 18 June 2010 - 04:54 PM.
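As an added triage example (not code from the thread or from DDS/ComboFix), the script below scans DDS/ComboFix-style log text for the three indicator classes visible in this thread's logs: an Internet Settings ProxyServer entry that routes the browser through a loopback port (a common way infections intercept and redirect browsing), files and services carrying the PRAGMA prefix, and the rogue "Defense Center" product. The sample lines are constructed from the logs posted here; the regexes and the rogue-product list are this editor's assumptions, and a loopback proxy can also be legitimate (local filtering or debugging proxies), so hits are leads for a human to confirm, not verdicts.

```python
"""Triage helper for DDS / ComboFix style logs (added example, not a DDS/ComboFix feature)."""
import re
from typing import Dict, List

# Constructed sample: lines in the shape of the DDS "Pseudo HJT Report" and ComboFix output
# posted in this thread. Backslashes are doubled because this is a normal (non-raw) string.
SAMPLE_LOG = """\
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
mStart Page = hxxp://www.yahoo.com/?fr=fp-yma2
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
c:\\windows\\PRAGMAevpfdibcim\\PRAGMAc.dll
c:\\windows\\system32\\PRAGMAerrors.log
-------\\Service_PRAGMAevpfdibcim
-------\\Legacy_odorevdv
R1 AvgTdiX;AVG Free Network Redirector;c:\\windows\\system32\\drivers\\avgtdix.sys [12/2/2009 11:26 AM 242896]
"""

# 'u' = per-user (HKCU) entry, 'm' = machine-wide (HKLM) entry in DDS notation.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>\S+)")
# PRAGMA* names not glued to a preceding letter/digit (path separators and '_' are fine).
PRAGMA_RE = re.compile(r"(?<![A-Za-z0-9])PRAGMA[A-Za-z0-9]*", re.IGNORECASE)
AV_RE = re.compile(r"^AV:\s*(?P<name>.+?)\s*\*")
# Rogue security products named in this thread; an assumed, deliberately short list.
ROGUE_AV_NAMES = {"defense center"}


def parse_proxy(value: str) -> Dict[str, str]:
    """Split an IE ProxyServer value into {scheme: 'host:port'}.

    Handles both 'host:port' (applies to all protocols, key '*') and the
    per-protocol form 'http=host:port;https=host:port'.
    """
    proxies: Dict[str, str] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, target = entry.partition("=")
        if sep:
            proxies[scheme.strip().lower()] = target.strip()
        else:
            proxies["*"] = entry
    return proxies


def is_loopback(target: str) -> bool:
    """True when 'host:port' points at the local machine (127.x.x.x, ::1, localhost)."""
    host = target.rsplit(":", 1)[0].strip("[]").lower()
    return host in ("localhost", "::1") or host.startswith("127.")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: kind, detail and the raw line."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, target in parse_proxy(m.group("value")).items():
                if is_loopback(target):
                    findings.append({"kind": "loopback_proxy",
                                     "detail": f"{scheme} -> {target}", "line": line})
            continue
        m = AV_RE.match(line)
        if m and m.group("name").strip().lower() in ROGUE_AV_NAMES:
            findings.append({"kind": "rogue_av", "detail": m.group("name").strip(), "line": line})
            continue
        m = PRAGMA_RE.search(line)
        if m:
            findings.append({"kind": "pragma_artifact", "detail": m.group(0), "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}: {f['line']}")
```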
#2 Lancod

Posted 18 June 2010 - 04:29 PM

files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: D-Link Toolbar: {61874dfa-9adf-44e5-8e61-f3913707e7d7} - c:\program files\d-link toolbar\dlinktb.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [HydraVisionDesktopManager] c:\program files\ati technologies\ati hydravision\HydraDM.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\

#3 Lancod

Posted 18 June 2010 - 04:35 PM

I can't even finish putting up the rest of the post. I don't know what's wrong, but every time I post it says this page cannot be found and I have to resend it. Then when I resend it, it doesn't even put the right part in; it just repeats the same part over and over again.

Edited by Lancod, 18 June 2010 - 04:51 PM.


#4 Farbar

Posted 19 June 2010 - 04:33 AM

Hi Lancod,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer. No need for new logs.

#5 Lancod

Posted 19 June 2010 - 09:31 AM

I do agree. And everything is like I explained earlier. I'm still getting strange pop-ups from news 11 and the bogus search results. AVG has found a couple of things which I've added to the vault, but other than that nothing has changed.

#6 Farbar

Posted 19 June 2010 - 09:49 AM

We are going to run this special tool.
  • Please download TDSSKiller.exe and save it to your desktop.
  • Run TDSSKiller.exe.
  • When it has finished, press any key to continue.
  • Let it reboot if needed and tell me if it needed a reboot.
  • It also creates a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.



#7 Lancod

Posted 19 June 2010 - 05:36 PM

Hi again,

I ran it and it did reboot. The log is attached.


#8 Farbar

Posted 20 June 2010 - 09:20 AM

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#9 Lancod

Posted 20 June 2010 - 01:52 PM

I ran ComboFix and installed the backup program, clicked yes and it told me AVG was still running. I went back and double checked to make sure that I had disabled the e-mail, resident shield, and link scanner as the link instructed. I also turned off Ad-Aware completely. I also have Malwarebytes but I don't think it has the real time protection in the free version. I pressed ok and it said AVG was still running. I checked again just to make sure and then pressed okay. It was scanning so I assumed it would take a few minutes. I came back and my computer was in the process of rebooting. Whenever it booted up I had notices in the system tray that said the computer didn't pass the genuine Windows license thing. I've reactivated my anti-virus programs. Here is the log, but just in case it doesn't post it all I've attached it also.

ComboFix 10-06-19.04 - dvd 06/20/2010 13:35:44.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.629 [GMT -5:00]
Running from: c:\documents and settings\dvd\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\PRAGMAevpfdibcim
c:\windows\PRAGMAevpfdibcim\PRAGMAc.dll
c:\windows\PRAGMAevpfdibcim\PRAGMAcfg.ini
c:\windows\PRAGMAevpfdibcim\PRAGMAsrcr.dat
c:\windows\system32\certstore.dat
c:\windows\system32\Drivers\ifcgb.sys
c:\windows\system32\PRAGMAerrors.log
c:\windows\system32\winlogon.bak
c:\windows\system32\WORK.DAT

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_PRAGMAEVPFDIBCIM
-------\Service_Ias
-------\Service_PRAGMAevpfdibcim
-------\Legacy_odorevdv
-------\Service_odorevdv


((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.

2010-06-20 00:33 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-20 00:28 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-06-20 00:28 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-06-19 15:15 . 2010-06-19 15:15 503808 ----a-w- c:\documents and settings\dvd\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-765579ee-n\msvcp71.dll
2010-06-19 15:15 . 2010-06-19 15:15 499712 ----a-w- c:\documents and settings\dvd\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-765579ee-n\jmc.dll
2010-06-19 15:15 . 2010-06-19 15:15 348160 ----a-w- c:\documents and settings\dvd\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-765579ee-n\msvcr71.dll
2010-06-18 22:30 . 2010-06-18 22:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-18 17:06 . 2010-06-18 17:06 -------- d--h--r- c:\documents and settings\dvd\Application Data\SecuROM
2010-06-18 17:06 . 2010-06-18 17:06 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-06-18 17:05 . 2010-06-18 17:05 1216 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-06-18 17:05 . 2010-06-18 17:05 -------- d-----w- c:\documents and settings\dvd\Local Settings\Application Data\Downloaded Installations
2010-06-18 16:08 . 2010-06-18 17:05 -------- d-----w- c:\program files\Electronic Arts
2010-06-17 19:52 . 2010-06-17 19:52 -------- d-----w- c:\documents and settings\dvd\Application Data\Malwarebytes
2010-06-17 19:52 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-17 19:52 . 2010-06-17 19:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 19:52 . 2010-06-17 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-17 19:52 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-15 20:26 . 2010-06-15 20:26 0 ----a-w- c:\windows\nsreg.dat
2010-06-15 20:26 . 2010-06-15 20:26 -------- d-----w- c:\documents and settings\dvd\Local Settings\Application Data\Mozilla
2010-06-14 16:56 . 2010-06-14 16:54 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-14 16:56 . 2010-06-14 16:56 -------- dc----w- c:\windows\system32\DRVSTORE
2010-06-14 16:56 . 2010-06-14 16:56 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-14 16:48 . 2010-06-14 16:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-14 16:48 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-14 16:47 . 2010-06-14 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-14 16:47 . 2010-06-14 16:48 -------- d-----w- c:\program files\Lavasoft
2010-06-14 16:20 . 2010-06-14 16:56 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-14 05:47 . 2010-06-18 21:22 -------- d-----w- c:\windows\system32\NtmsData
2010-06-13 07:35 . 2010-06-13 07:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-09 21:34 . 2010-06-09 21:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-09 19:11 . 2010-06-18 17:56 -------- d-----w- c:\documents and settings\dvd\Local Settings\Application Data\AskToolbar
2010-06-09 19:08 . 2010-06-11 02:51 4506256 ----a-w- c:\documents and settings\dvd\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
2010-06-09 18:43 . 2010-06-11 03:40 -------- d-----w- c:\documents and settings\dvd\Application Data\FrostWire
2010-06-09 18:42 . 2010-06-09 18:42 -------- d-----w- c:\program files\Ask.com
2010-06-09 18:41 . 2010-06-09 18:44 -------- d-----w- c:\program files\FrostWire
2010-06-07 05:14 . 2010-06-07 05:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-07 05:11 . 2010-06-07 05:11 -------- d-----w- c:\documents and settings\dvd\Application Data\VirtualStore
2010-06-07 05:11 . 2010-06-07 05:11 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-06-07 05:11 . 2010-06-07 05:11 -------- d-----w- c:\windows\pcidevice
2010-06-07 05:11 . 2010-06-07 05:11 -------- d-----w- c:\documents and settings\dvd\Application Data\InstallShield
2010-05-30 03:38 . 2010-05-30 03:38 -------- d-----w- c:\documents and settings\dvd\Local Settings\Application Data\D-Link Toolbar
2010-05-30 03:36 . 2010-05-30 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\D-Link Toolbar
2010-05-30 03:36 . 2010-06-07 05:10 -------- d-----w- c:\program files\D-Link Toolbar
2010-05-30 03:35 . 2010-06-07 05:10 -------- d-----w- c:\documents and settings\dvd\Local Settings\Application Data\Adobe
2010-05-30 03:34 . 2010-06-07 05:10 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-30 03:31 . 2010-05-30 03:31 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-05-30 03:30 . 2010-05-30 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\D-Link
2010-05-30 03:30 . 2010-05-30 03:30 -------- d-----w- c:\program files\D-Link
2010-05-30 03:30 . 2008-02-27 15:54 20480 ----a-w- c:\windows\system32\wlndis50.sys
2010-05-30 03:30 . 2008-02-27 15:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2010-05-30 03:29 . 2009-08-06 03:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
2010-05-26 01:01 . 2010-05-26 20:54 -------- d-----w- c:\documents and settings\dvd\Local Settings\Application Data\khndcbajx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 22:30 . 2009-11-21 03:05 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-06-18 17:37 . 2010-06-18 17:37 4 ----a-w- c:\windows\Fonts\icerpnfj
2010-06-18 17:05 . 2009-11-21 02:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-17 19:56 . 2009-12-02 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-15 18:44 . 2009-12-04 11:31 -------- d-----w- c:\program files\Common Files\Akamai
2010-06-09 06:03 . 2009-12-29 00:15 -------- d-----w- c:\documents and settings\dvd\Application Data\MxBoost
2010-06-08 14:29 . 2002-01-01 06:29 -------- d-----w- c:\program files\CCleaner
2010-06-07 05:28 . 2009-12-02 16:26 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-07 05:28 . 2009-12-02 16:26 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-21 01:59 . 2010-05-21 01:59 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-05-21 01:59 . 2010-05-21 01:59 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-05-21 01:59 . 2010-05-21 01:59 45200 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-05-21 01:59 . 2010-05-21 01:59 59888 ------w- c:\windows\system32\pxwma.dll
2010-05-06 10:41 . 2002-08-29 03:41 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-03 23:23 . 2010-03-15 13:01 75 ----a-w- c:\documents and settings\dvd\jagex_runescape_preferences2.dat
2010-05-03 23:17 . 2010-03-15 12:59 41 ----a-w- c:\documents and settings\dvd\jagex_runescape_preferences.dat
2010-05-02 05:22 . 2002-08-29 02:14 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 21:32 . 2010-04-27 21:32 0 ----a-w- c:\documents and settings\dvd\jagex__preferences3.dat
2010-04-20 05:30 . 2001-08-23 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-08 21:34 . 2009-12-11 23:04 3580 ----a-w- c:\windows\system32\d3d9caps.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 15:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 21:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-07 2065248]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-06-27 270336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-08 202256]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2002-01-04 149280]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-20 335872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2002-01-01 06:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Connection Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Connection Manager.lnk
backup=c:\windows\pss\Wireless Connection Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\D-Link\\DWA-130 revE\\wirelesscm.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/14/2010 11:56 AM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/2/2009 11:26 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/2/2009 11:26 AM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/1/2002 1:09 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/2/2009 11:26 AM 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1352832]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [5/29/2010 10:30 PM 20480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2010 5:05 PM 135664]
S2 WLSVC;WLSVC;c:\program files\D-Link\DWA-130 revE\WLSVC.exe [5/29/2010 10:30 PM 167936]
S3 dialmgr;dialmgr;\??\c:\windows\system32\dialmgr.sys --> c:\windows\system32\dialmgr.sys [?]
S3 pcidisk;pcidisk;c:\windows\system32\pcidisk.sys [8/23/2001 7:00 AM 2304]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [5/29/2010 10:29 PM 588032]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:36]

2010-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 22:05]

2010-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 22:05]

2010-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1292428093-1965331169-1417001333-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-06-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1292428093-1965331169-1417001333-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-06-20 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/?fr=fp-yma2
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} - file://c:\docume~1\dvd\LOCALS~1\Temp\ThereInstallHelper.dll
FF - ProfilePath - c:\documents and settings\dvd\Application Data\Mozilla\Firefox\Profiles\ulmujek2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\real\realone player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-Defense Center - c:\program files\Defense Center\defcnt.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-20 13:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HydraVisionDesktopManager = c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe?e?s?\?A?T?I? ?H?Y?D?R?A?V?I?S?I?O?N?\?H?y?d?r?a?D?M?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1965331169-1417001333-1003\Software\SecuROM\License information*]
"datasecu"=hex:88,62,2b,b1,f7,86,85,d6,7b,85,87,55,e1,d9,12,f2,4d,f3,8b,81,8f,
98,18,73,28,5c,45,e2,91,64,4c,95,9a,76,b9,12,51,3d,ea,3b,07,e0,22,f7,a4,5c,\
"rkeysecu"=hex:5b,1b,0f,4e,31,d3,7a,91,15,5f,72,14,8a,42,3f,8d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(364)
c:\windows\system32\WININET.dll
c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\WgaTray.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-20 13:43:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-20 18:43

Pre-Run: 60,732,825,600 bytes free
Post-Run: 61,052,682,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 89DC970E2A4616E748123133B8732126

Attached Files

  • Attached File  log.txt   20.21KB   3 downloads

Edited by Lancod, 20 June 2010 - 01:54 PM.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 June 2010 - 02:03 PM

  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions if the tool could not uninstall them.

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  3. Tell me also how your computer is running now.


#11 Farbar

Farbar

    Just Curious


  • Security Developer

Posted 20 June 2010 - 02:05 PM

Just forgot to mention: Please don't attach the post unless asked.

#12 Lancod

Lancod
  • Topic Starter

  • Members
  • 20 posts

Posted 20 June 2010 - 02:44 PM

I ran MalwareBytes and it removed some infections. Since then I've tried a couple of searches and I haven't been taken to any strange sites yet, and I haven't had any new-11 pop ups. The only thing that is any different from before my computer started acting strange is the Windows genuine version notice. Well, here is the log from MalwareBytes.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4219

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/20/2010 2:36:04 PM
mbam-log-2010-06-20 (14-36-04).txt

Scan type: Quick scan
Objects scanned: 117019
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pcidisk (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pcidisk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\dvd\Application Data\Microsoft\Internet Explorer\Quick Launch\Defense Center.LNK (Rogue.DefenseCenter) -> Quarantined and deleted successfully.


#13 Farbar

Farbar

    Just Curious


  • Security Developer

Posted 20 June 2010 - 03:07 PM

This is because the rootkit had prevented the connection to the Windows server, and Windows could not be validated at the time. This is the second system I see with this infection doing this.

Now go to Run => All Programs => select Windows Update.
Then select Custom Scan. Download and install all critical updates.
Note down any error if you get one.

#14 Lancod

Lancod
  • Topic Starter

  • Members
  • 20 posts

Posted 22 June 2010 - 12:25 PM

Hi,

I'm currently working on getting a valid Windows software. This will probably take a few more days. So I can't update until then. Is there any way we can continue until I have a valid Windows?


#15 Farbar

Farbar

    Just Curious


  • Security Developer

Posted 22 June 2010 - 02:11 PM

Yes, we can finish the malware part. The next post we are going to round off. This is just to make sure of any leftovers.
  1. We are going to remove a proxy setting added by the malware.
    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Remove the per-user static proxy the malware set for Internet Explorer / WinINET
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    REM Clear the machine-wide WinHTTP proxy as well
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A window flashes; this is normal.

  2. I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.
    • Check
    • Click the button.
    • Accept any security warnings from your browser.
    • Check
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push
    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the button.
    • Push

    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
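The proxy cleanup in step 1 above deletes the values blindly. As an added example, not part of Farbar's post or of any tool named in this thread, the PowerShell script below first audits the per-user proxy values under the same Internet Settings key (ProxyEnable and ProxyServer from the post, plus AutoConfigURL, the PAC-script value that the post does not mention but that hijackers also use) and only removes them when run with a -Remediate switch. The key path is the one given in the fix.bat; the switch name, the function names and the fallback to netsh winhttp on systems without proxycfg.exe are my assumptions.

```powershell
# Added example (not from the thread): audit, and optionally remove, the
# per-user WinINET proxy settings that the fix.bat in this post deletes.
# Assumptions: run as the affected user; Windows PowerShell 2.0 or later;
# the registry path is the standard Internet Settings key named in the post.

param(
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-UserProxyState {
    # Read the three values a browser-redirecting infection typically touches
    # and flag the state as suspicious if any of them is set.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $state = New-Object PSObject -Property @{
        ProxyEnable   = $props.ProxyEnable     # 1 means a static proxy is in force
        ProxyServer   = $props.ProxyServer     # host:port every request is sent through
        AutoConfigURL = $props.AutoConfigURL   # PAC script URL, an alternative hijack point
    }
    $suspicious = ($state.ProxyEnable -eq 1) -or
                  (-not [string]::IsNullOrEmpty($state.ProxyServer)) -or
                  (-not [string]::IsNullOrEmpty($state.AutoConfigURL))
    $state | Add-Member -MemberType NoteProperty -Name Suspicious -Value $suspicious
    return $state
}

function Remove-UserProxySettings {
    # Same effect as the fix.bat: drop the static proxy values, then clear the
    # machine-wide WinHTTP proxy (proxycfg.exe on XP, netsh winhttp afterwards).
    foreach ($name in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
        Remove-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
    }
    if (Get-Command proxycfg.exe -ErrorAction SilentlyContinue) {
        & proxycfg.exe -d | Out-Null
    } else {
        & netsh.exe winhttp reset proxy | Out-Null
    }
}

$before = Get-UserProxyState
Write-Output "ProxyEnable   : $($before.ProxyEnable)"
Write-Output "ProxyServer   : $($before.ProxyServer)"
Write-Output "AutoConfigURL : $($before.AutoConfigURL)"

if (-not $before.Suspicious) {
    Write-Output 'No static proxy or PAC URL is configured for this user.'
} elseif ($Remediate) {
    Remove-UserProxySettings
    $after = Get-UserProxyState
    Write-Output "Proxy values removed. Still suspicious after cleanup: $($after.Suspicious)"
} else {
    Write-Output 'Proxy settings are present; re-run with -Remediate to remove them.'
}
```

Run it once without the switch to record what the infection left behind (the ProxyServer value in particular is worth keeping for your notes), then with -Remediate to clean up. Seeing a proxy reappear after cleanup indicates that a persistence component is still active, which is why the post follows this step with a full ESET scan.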




