
My computer constantly sends out spam emails


  • This topic is locked
5 replies to this topic

#1 Randy Franklin


Posted 14 July 2010 - 06:48 AM

Hi, my ISP warned me that I am constantly sending out spam emails.

Both Malwarebytes and AVG recognize this file:
C:\Windows\system32\Drivers\gfpfx.sys

They both say they will remove it, but this file does not get removed, not even after a restart.

I tried to delete it manually (via Windows Explorer and via a DOS window), but I can't delete this file.

More info about gfpfx.sys:
Size is 724 KB
Date Modified is always the current date and time.
Date Created is March 23, 2010.

The Registry also contains several entries related to gfpfx.sys. I did not change the Registry, just browsed it via regedit.

Can you please help me remove this infection?

I ran DDS as requested. But when I try to run GMER, at first I get a warning screen telling me my system files were changed due to a possible ROOTKIT infection (I see gfpfx.sys mentioned in red) and then, after a few seconds, my computer just freezes. I waited (over 15 minutes) but nothing happened. Ctrl-Alt-Del and Task Manager were no solution; the screen went black. I had to reboot manually. I tried to run GMER a second time, same thing: freeze.

Thank you for your help.

DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by Bart at 12:18:07,68 on wo 14/07/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.32.1033.18.3071.1539 [GMT 2:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
c:\hp\HPEZBTN\HPBtnSrv.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\system32\wbem\unsecapp.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Windows\explorer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Users\Bart\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_BE&c=74&bd=Pavilion&pf=desktop
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Google Update] "c:\users\bart\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - c:\program files\icq7.2\ICQ.exe
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: fgov.be\ccff02.minfin
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\system32\avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bart\appdata\roaming\mozilla\firefox\profiles\j66qnplm.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprjplug.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\bart\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-30 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-29 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-29 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-29 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-29 308064]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 HPBtnSrv;HP Chasis Button Service;c:\hp\hpezbtn\HPBtnSrv.exe [2007-9-13 198240]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-7-14 1443584]
S2 gupdate;Google Updateservice (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 ACSSCR;ACR38 Smart Card Reader;c:\windows\system32\drivers\a38usb.sys [2009-1-22 36736]
S3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\system32\drivers\lmvac.sys [2008-11-5 18912]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]

=============== Created Last 30 ================

2010-07-13 10:41:46 0 d-sh--w- C:\$RECYCLE.BIN
2010-07-13 10:09:27 98816 ----a-w- c:\windows\sed.exe
2010-07-13 10:09:27 77312 ----a-w- c:\windows\MBR.exe
2010-07-13 10:09:27 256512 ----a-w- c:\windows\PEV.exe
2010-07-13 10:09:27 161792 ----a-w- c:\windows\SWREG.exe
2010-07-13 10:09:24 0 d-----w- C:\ComboFix
2010-07-13 09:41:35 0 ----a-w- c:\windows\system32\cd.dat
2010-07-13 09:40:35 196454693 ----a-w- c:\windows\MEMORY.DMP
2010-07-12 13:32:56 38848 ----a-w- c:\windows\avastSS.scr
2010-07-12 13:32:27 0 d-----w- c:\programdata\Alwil Software
2010-07-10 17:39:34 0 d-----w- c:\programdata\WEBREG
2010-07-10 17:29:31 0 d-----w- c:\programdata\HP Product Assistant
2010-07-10 17:23:16 0 d-----w- c:\program files\common files\Hewlett-Packard
2010-07-10 17:16:39 172491 ----a-w- c:\windows\hpoins44.dat
2010-07-04 12:15:52 0 d-----w- C:\111
2010-07-02 11:04:26 0 d-----w- c:\program files\ICQ7.2
2010-07-02 09:58:52 452408 ----a-w- c:\windows\system32\hpzids01.dll
2010-07-02 09:56:52 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2010-07-02 09:53:43 712704 ----a-w- c:\windows\system32\hposwia_d02c.dll
2010-07-02 09:53:43 589824 ----a-w- c:\windows\system32\hpost_d02c.dll
2010-07-02 09:53:43 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2010-07-02 09:53:43 315392 ----a-w- c:\windows\system32\hposc_d02a.dll
2010-07-02 09:53:43 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-06-30 18:59:49 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-30 17:04:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-30 17:00:41 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-30 17:00:20 0 d-----w- c:\program files\Lavasoft
2010-06-29 18:41:11 0 d-----w- C:\$AVG
2010-06-29 15:48:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-29 15:48:36 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-29 15:48:31 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-29 15:48:27 0 d-----w- c:\windows\system32\drivers\Avg
2010-06-29 11:57:19 0 d--h--w- c:\windows\PIF
2010-06-16 09:16:17 2036224 ----a-w- c:\windows\system32\win32k.sys

==================== Find3M ====================

2010-07-14 10:18:29 741376 ----a-w- c:\windows\system32\drivers\gfpfx.sys
2010-07-13 09:42:54 48032 ----a-w- c:\programdata\nvModes.dat
2010-07-02 10:02:59 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-02 10:02:59 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-07-02 10:00:13 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-26 16:16:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25:15 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 12:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 18:42:57 833024 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 18:37:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 16:53:56 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-04-23 13:55:52 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-16 16:10:05 1314816 ----a-w- c:\windows\system32\quartz.dll
2008-08-08 12:06:05 174 --sha-w- c:\program files\desktop.ini
2008-08-08 11:57:21 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-12-25 14:21:52 22 --sha-w- c:\windows\sminst\HPCD.sys
2007-09-13 06:26:06 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 12:24:48,45 ===============
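The DDS log above already carries the two signals that single out gfpfx.sys: its modification time (10:18:29 in the Find3M listing) is only seconds after the scan started (12:18:07 local time at GMT+2, i.e. 10:18:07 UTC), which matches the "Date Modified is always the current date" observation, and although the file sits in system32\drivers no entry in the SERVICES / DRIVERS section references it. The following Python script is an added example, not part of the original thread or of the DDS tool itself; it parses an excerpt of that log and applies both checks. It assumes that DDS file listings are in UTC while the header time is local with the GMT offset shown, and the excerpt is a constructed subset of the log (with the trademark symbols dropped).

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of the DDS log posted above (not the full log).
DDS_EXCERPT = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Bart at 12:18:07,68 on wo 14/07/2010
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.32.1033.18.3071.1539 [GMT 2:00]

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-30 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-29 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-29 242896]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]

=============== Created Last 30 ================

2010-06-30 17:04:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-29 15:48:36 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-29 15:48:31 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-16 09:16:17 2036224 ----a-w- c:\windows\system32\win32k.sys

==================== Find3M ====================

2010-07-14 10:18:29 741376 ----a-w- c:\windows\system32\drivers\gfpfx.sys
2010-07-13 09:42:54 48032 ----a-w- c:\programdata\nvModes.dat
2010-05-04 18:42:57 833024 ----a-w- c:\windows\system32\wininet.dll
"""

# "Run by <user> at HH:MM:SS,ff on <weekday> DD/MM/YYYY" (local time)
RUN_RE = re.compile(r"Run by .+? at (\d{2}):(\d{2}):(\d{2})[,.]\d+ on \S+ (\d{2})/(\d{2})/(\d{4})")
GMT_RE = re.compile(r"\[GMT ([+-]?)(\d{1,2}):(\d{2})\]")
# "YYYY-MM-DD HH:MM:SS <size> <8 attribute flags> <path>" file-listing lines
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+?)\s*$")
# "R0 name;display name;image path [date size]" service/driver lines
SVC_RE = re.compile(r"^[RS]\d+ [^;]+;[^;]*;(.+?) \[")
DRIVERS_DIR = "\\windows\\system32\\drivers\\"


def scan_start_utc(text):
    """Scan start from the DDS header, converted from local time to naive UTC."""
    m, g = RUN_RE.search(text), GMT_RE.search(text)
    if not (m and g):
        raise ValueError("DDS header not found")
    hh, mm, ss, day, mon, year = map(int, m.groups())
    offset = timedelta(hours=int(g.group(2)), minutes=int(g.group(3)))
    if g.group(1) == "-":
        offset = -offset
    return datetime(year, mon, day, hh, mm, ss) - offset


def file_entries(text):
    """Yield (mtime, size, attrs, lower-cased path) for every file-listing line."""
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                   int(m.group(2)), m.group(3), m.group(4).lower())


def service_images(text):
    """Lower-cased image paths of every service/driver DDS listed."""
    return {m.group(1).lower() for m in map(SVC_RE.match, text.splitlines()) if m}


def suspicious_drivers(text, window=timedelta(minutes=10)):
    """Drivers modified around scan time or not referenced by any listed service."""
    start = scan_start_utc(text)
    known = service_images(text)
    hits = []
    for mtime, size, attrs, path in file_entries(text):
        if DRIVERS_DIR not in path:
            continue
        reasons = []
        delta = abs((mtime - start).total_seconds())
        if delta <= window.total_seconds():
            reasons.append("modified within %d s of scan start" % delta)
        if path not in known:
            reasons.append("no SERVICES / DRIVERS entry references it")
        if reasons:
            hits.append({"path": path, "size": size,
                         "mtime_utc": mtime.isoformat(), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_drivers(DDS_EXCERPT):
        print(hit["path"], hit["size"], "bytes")
        for reason in hit["reasons"]:
            print("   -", reason)
```

The second check on its own is weak (DDS omits Microsoft drivers from the services section, so a freshly patched Microsoft driver would also show up unreferenced); it is the combination with a modification time that keeps moving that points at a file being rewritten by something still running.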



#2 Randy Franklin


Posted 15 July 2010 - 08:37 AM

(I'm really sorry to bump my own thread. I realize there are many other threads to read and reply to.)

My ISP is threatening to suspend my account. I'm a bit desperate. Your help would really be appreciated. Thank you.

EDIT: Please be patient. There are over 300 unanswered topics in this forum at present and the current average wait time to receive help is 5 days. ~BP

Edited by Budapest, 15 July 2010 - 04:43 PM.


#3 snemelk

  • Malware Response Team

Posted 19 July 2010 - 02:51 PM

Hi Randy Franklin, and welcome to Bleeping Computer.

I see you have already run ComboFix on your own (a failed run, it seems)...

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Delete your current copy of ComboFix (just delete the file), and download a new one from any of the links below; save it to your Desktop:

Link 1
Link 2

Then, run a scan with it, as instructed in the guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) but use Safe Mode this time... Post the logfile and let me know how it goes...
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#4 Randy Franklin


Posted 22 July 2010 - 04:24 AM

Hi snemelk, thank you for your reply. I also want to apologize for my impatience in my previous reply.

My situation has changed a little in the meantime:
As I explained in my first message, a file named gfpfx was constantly sending out spam emails from my computer. I could not remove the file because it was activated every time Windows started, even in Safe Mode. Same with Malwarebytes and AVG: they recognized the file as malicious software, a Rootkit Agent, but they couldn't remove it, not even after a restart.

I tried to find a way to start my computer without having to launch Windows. So, I downloaded and created a Live CD, a bootable computer operating system (Linux based), I rebooted my PC from that disc, and this time I was able to manually delete the malware from the system32 directory.

When I restarted normally, in Windows, I wasn't sending out spam emails anymore :-)

I realize this is probably not the definitive solution. I see there are still a number of entries in the Registry that mention "gfpfx". So please advise me, should I still run Combofix? Or do you suggest another solution (to clean up my Registry)?

Thank you for your help, I certainly appreciate it.
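The offline deletion described in this post works because, with Windows not running, the driver is neither loaded nor shielded by the rootkit, so the file is just bytes on an NTFS volume. What it does not touch is the service's registry entries (the key under HKLM\SYSTEM\CurrentControlSet\Services that made Windows load gfpfx.sys at every boot), which is why registry references remain and why a follow-up scan is still needed. The script below is an added example, not from the thread, of how to do that live-CD step a little more carefully than a plain delete: resolve the path case-insensitively (an NTFS volume mounted with ntfs-3g is case-sensitive, so `Windows` and `WINDOWS` are different names), record size, timestamp and SHA-256, and move the file into a quarantine directory instead of deleting it, so the sample survives for a hash lookup or later analysis. The mount point `/mnt/windows`, the quarantine directory and the `demo()` fixture are assumptions for illustration.

```python
import hashlib
import json
import shutil
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def resolve_ci(root, *parts):
    """Walk root/parts, matching each path component case-insensitively.

    ntfs-3g mounts are case-sensitive, so the on-disk spelling of
    Windows/System32/drivers has to be discovered rather than assumed.
    """
    cur = Path(root)
    for part in parts:
        matches = [p for p in cur.iterdir() if p.name.lower() == part.lower()]
        if len(matches) != 1:
            raise FileNotFoundError(f"{part!r} under {cur}: {len(matches)} match(es)")
        cur = matches[0]
    return cur


def sha256_of(path):
    """Streamed SHA-256 so large driver files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_driver(mount_root, driver_name, quarantine_dir):
    """Move <mount_root>/Windows/System32/drivers/<driver_name> into quarantine.

    Returns the evidence record, which is also written next to the sample.
    """
    src = resolve_ci(mount_root, "Windows", "System32", "drivers", driver_name)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    st = src.stat()
    record = {
        "original_path": str(src),
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": sha256_of(src),
        "quarantined_at_utc": datetime.now(timezone.utc).isoformat(),
    }
    dest = qdir / (src.name + ".quarantined")
    shutil.move(str(src), str(dest))  # move, not delete: keep the sample
    record["quarantine_path"] = str(dest)
    (qdir / (src.name + ".json")).write_text(json.dumps(record, indent=2))
    return record


def demo():
    """Constructed fixture: a fake mounted volume with odd casing and a dummy driver."""
    sample = b"MZ" + b"\x00" * 62 + b"fake driver body, constructed for the demo\n"
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp, "mnt", "windows", "WINDOWS", "System32", "drivers")
        drivers.mkdir(parents=True)
        (drivers / "gfpfx.sys").write_bytes(sample)
        record = quarantine_driver(Path(tmp, "mnt", "windows"), "GFPFX.SYS",
                                   Path(tmp, "quarantine"))
        return {
            "record": record,
            "expected_sha256": hashlib.sha256(sample).hexdigest(),
            "source_gone": not (drivers / "gfpfx.sys").exists(),
            "sample_kept": Path(record["quarantine_path"]).read_bytes() == sample,
            "manifest_written": Path(tmp, "quarantine", "gfpfx.sys.json").exists(),
        }


if __name__ == "__main__":
    # Real use from a live CD, after something like:
    #   mount -t ntfs-3g /dev/sda2 /mnt/windows
    #   python3 quarantine.py /mnt/windows gfpfx.sys /root/quarantine
    if len(sys.argv) == 4:
        print(json.dumps(quarantine_driver(*sys.argv[1:]), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Two practical caveats for the real run: ntfs-3g refuses to mount a volume that Windows left hibernated, so the machine must be shut down properly (not hibernated) before booting the live CD; and the registry service entry that pointed at the file is untouched by this step, so Windows will log a failed driver load at the next boot until that key is cleaned.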


#5 snemelk


Posted 22 July 2010 - 03:18 PM

Hi again Randy Franklin!

QUOTE (Randy Franklin @ Jul 22 2010, 11:24 AM)
So, I downloaded and created a Live CD, a bootable computer operating system (Linux based), I rebooted my PC from that disc, and this time I was able to manually delete the malware from the system32 directory.

Not always the best choice, but in this case it was the right move...

QUOTE
I realize this is probably not the definitive solution. I see there are still a number of entries in the Registry that mention "gfpfx". So please advise me, should I still run Combofix? Or do you suggest another solution (to clean up my Registry)?

Yep, we need to remove any leftovers and make sure we leave nothing behind... ComboFix will be a better move than any "Registry cleaners" ...

So, as stated in my previous post: delete your current copy of ComboFix, download a new one and perform a scan with it as instructed in the guide - run the scan in Normal Mode, post the logfile...


#6 snemelk


Posted 05 August 2010 - 03:50 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.