Desktop Security 2010 persistent


6 replies to this topic

#1 Mooregard


Posted 11 August 2010 - 11:14 AM

Hi, we have a user with a Latitude D620 laptop running XP SP3. It has been infected with Desktop Security 2010. Malwarebytes removes it ("Rogue Desktop Security"). However, as soon as the user logs in again, the popup recurs. The admin user account does not get the popup. Can ComboFix help with this, or another program?

Thanks Deb

I have just found instructions on this site to remove this threat using Malwarebytes.

http://www.bleepingcomputer.com/virus-remo...p-security-2010

I will try it.

Edited by Mooregard, 11 August 2010 - 11:34 AM.



#2 Mooregard


Posted 11 August 2010 - 01:39 PM

I tried the procedure I found on this site: http://www.bleepingcomputer.com/virus-remo...p-security-2010
i.e. use RKill, then Malwarebytes. RKill did stop the Desktop Security 2010 popups. Malwarebytes found the infections (69) and removed them, but upon reboot the infection returned (same popups). I ran the scan in Safe Mode because it is much faster. Would that have made a difference?

Here are the threats Malwarebytes found and removed in Safe Mode:

67 x Rogue.Desktop.Security file
1 x TrojanFakeAlert reg value
1 x Rogue Desktop Security reg key

I am now running the same procedure in normal mode. It is 1 hour into the Malwarebytes scan and it has not found any infections yet.

Any help appreciated.

Update:

The Malwarebytes scan completed in normal mode after 1.25 hours. No threats were found. However, when I logged back in as the user, the popups were there again. RKill closed them. So it seems that running Malwarebytes in normal mode is not effective at finding the threats. I am intending to rebuild this laptop and upgrade to Win7 tomorrow. However, as an experiment, I have just run ComboFix twice. I am no longer getting the popup on login. Perhaps the infections have been cleared up. I can upload my ComboFix log if someone would like to look it over. Let me know.

Interestingly, earlier today I attempted to back up the user's data (My Documents) using Explorer (copy/paste to an external HD). I received an error message: access denied. Only one file was copied. However, all the data in My Documents for that user vanished, with no record in the Recycle Bin. I copy/paste data a lot to back it up for various users, so I don't think I messed this part up. I'm wondering if this could be associated with an infection. Fortunately the user had backed up his documents independently last night.

Thanks for any and all help, Deb

Edited by Mooregard, 11 August 2010 - 02:36 PM.


#3 boopme

  • Global Moderator

Posted 11 August 2010 - 03:25 PM

Hello, please post your infected MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account, download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode. How to enter Safe Mode (XP) using the F8 method:
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with the Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main, "Select Files to Delete", choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER.
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete Scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 Mooregard


Posted 13 August 2010 - 03:19 PM

Hi, thanks for the reply. Unfortunately I don't have the MBAM logs anymore. I wiped the laptop and installed a Windows 7 upgrade. I did save the ComboFix log if you are interested in seeing that. Thanks very much for the info on other scans I can try if this happens again. Here's the ComboFix log:

ComboFix 10-08-11.02 - kwebb 11/08/2010 19:15:11.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.369 [GMT -4:00]
Running from: c:\documents and settings\kwebb\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.

2010-08-11 19:33 . 2010-08-11 19:33 -------- d-----w- c:\documents and settings\admin.OMC-KUMPF\Application Data\Windows Search
2010-08-11 13:42 . 2010-08-11 13:42 -------- d-----w- c:\documents and settings\admin.OMC-KUMPF\Local Settings\Application Data\PCHealth
2010-08-10 14:53 . 2010-08-10 14:53 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-08-10 14:42 . 2010-08-10 14:42 -------- d-----w- c:\documents and settings\admin.OMC-KUMPF\Local
2010-08-10 14:30 . 2010-08-10 14:30 61440 ----a-w- c:\documents and settings\admin.OMC-KUMPF\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6317acbc-n\decora-sse.dll
2010-08-10 14:30 . 2010-08-10 14:30 503808 ----a-w- c:\documents and settings\admin.OMC-KUMPF\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-499c7fb8-n\msvcp71.dll
2010-08-10 14:30 . 2010-08-10 14:30 499712 ----a-w- c:\documents and settings\admin.OMC-KUMPF\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-499c7fb8-n\jmc.dll
2010-08-10 14:30 . 2010-08-10 14:30 348160 ----a-w- c:\documents and settings\admin.OMC-KUMPF\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-499c7fb8-n\msvcr71.dll
2010-08-09 21:10 . 2010-08-10 13:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Desktop Security
2010-08-09 21:10 . 2010-08-09 17:45 1613824 ----a-w- c:\windows\system32\config\systemprofile\Application Data\Desktop Security\Desktop Security 2010.exe
2010-08-06 07:13 . 2010-08-06 07:13 61440 ----a-w- c:\documents and settings\kwebb\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-35e9bf29-n\decora-sse.dll
2010-08-06 07:13 . 2010-08-06 07:13 503808 ----a-w- c:\documents and settings\kwebb\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4f8541e7-n\msvcp71.dll
2010-08-06 07:13 . 2010-08-06 07:13 348160 ----a-w- c:\documents and settings\kwebb\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4f8541e7-n\msvcr71.dll
2010-08-06 07:13 . 2010-08-06 07:13 499712 ----a-w- c:\documents and settings\kwebb\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4f8541e7-n\jmc.dll
2010-08-06 07:13 . 2010-08-06 07:13 12800 ----a-w- c:\documents and settings\kwebb\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-35e9bf29-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-11 18:54 . 2007-02-11 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-08-11 12:59 . 2007-02-01 07:10 240398 ----a-w- c:\windows\system32\nvModes.dat
2010-08-10 14:30 . 2010-08-10 14:30 12800 ----a-w- c:\documents and settings\admin.OMC-KUMPF\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6317acbc-n\decora-d3d.dll
2010-08-10 14:25 . 2010-08-10 14:25 -------- d-----w- c:\documents and settings\admin.OMC-KUMPF\Application Data\Apple Computer
2010-08-10 14:25 . 2010-08-10 14:25 -------- d-----w- c:\documents and settings\admin.OMC-KUMPF\Application Data\Windows Desktop Search
2010-08-10 13:04 . 2010-08-10 13:04 -------- d-----w- c:\documents and settings\admin.OMC-KUMPF\Application Data\Malwarebytes
2010-08-10 13:04 . 2010-02-10 02:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-10 12:32 . 2010-08-09 21:20 28 ----a-w- c:\documents and settings\NetworkService\Application Data\ikvyhq.dat
2010-08-09 21:09 . 2010-08-09 21:09 20 ----a-w- c:\documents and settings\LocalService\Application Data\ikvyhq.dat
2010-07-16 07:13 . 2010-03-05 08:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 15:32 . 2007-02-11 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-24 15:20 . 2010-02-10 02:12 -------- d-----w- c:\program files\CCleaner
2010-06-23 13:09 . 2010-06-23 13:09 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb11C.tmp.exe
2010-06-21 15:31 . 2008-03-19 13:50 -------- d-----w- c:\program files\ASAP Utilities
2010-06-01 17:37 . 2009-12-07 20:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-28 07:13 . 2010-05-28 07:13 61440 ----a-w- c:\documents and settings\kwebb\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-512dbba3-n\decora-sse.dll
2010-05-28 07:13 . 2010-05-28 07:13 503808 ----a-w- c:\documents and settings\kwebb\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7c89a741-n\msvcp71.dll
2010-05-28 07:13 . 2010-05-28 07:13 499712 ----a-w- c:\documents and settings\kwebb\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7c89a741-n\jmc.dll
2010-05-28 07:13 . 2010-05-28 07:13 348160 ----a-w- c:\documents and settings\kwebb\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7c89a741-n\msvcr71.dll
2010-05-28 07:13 . 2010-05-28 07:13 12800 ----a-w- c:\documents and settings\kwebb\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-512dbba3-n\decora-d3d.dll
2010-05-19 20:23 . 2007-02-01 07:35 54680 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\documents and settings\kwebb\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"nwiz"="nwiz.exe" [2006-01-19 1519616]
"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-10-06 866584]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 970752]
"NvMediaCenter"="NvMCTray.dll" [2006-01-19 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Firewall Client Management.lnk - c:\program files\Microsoft Firewall Client 2004\FwcMgmt.exe [2006-12-9 117568]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]
2006-05-16 18:35 102400 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-04 14:45 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"PSEXESVC"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [11/02/2007 12:22 AM 91136]
R2 FwcAgent;Firewall Client Agent;c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe [09/12/2006 7:04 PM 128832]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [11/02/2007 12:20 AM 23180]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [09/02/2010 10:12 PM 135664]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [05/10/2006 11:11 PM 13592]
S3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [15/06/2004 4:55 PM 7882]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
S4 PSEXESVC;PsExec;c:\windows\PSEXESVC.EXE [13/03/2009 10:08 AM 99592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-11 14:47]

2010-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 02:12]

2010-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 02:12]

2010-08-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-08-11 c:\windows\Tasks\User_Feed_Synchronization-{588D3642-C28F-4E4E-9781-2E4DFB668D6B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = omc-isa:8080
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\program files\Microsoft Firewall Client 2004\FwcWsp.dll
DPF: {DCA94B48-119B-453C-8863-DE6B9186A81B} - hxxps://sb.smartborder.com/newsb/Client/InstallFiles/SB_INIT_V3.CAB
FF - ProfilePath - c:\documents and settings\kwebb\Application Data\Mozilla\Firefox\Profiles\b1fpmdxn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1484)
c:\windows\SYSTEM32\wxvault.dll
c:\windows\SYSTEM32\detoured.dll

- - - - - - - > 'lsass.exe'(1540)
c:\windows\system32\wxvault.dll
c:\windows\system32\detoured.dll
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(1284)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-11 19:24:06
ComboFix-quarantined-files.txt 2010-08-11 23:24
ComboFix2.txt 2010-08-11 23:05

Pre-Run: 10,554,732,544 bytes free
Post-Run: 10,529,689,600 bytes free

- - End Of File - - BFE8864D02800592D103D5CE63BD178F
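Reading a ComboFix log by eye is slow, and the two things this thread turns on (why one account gets the popup and another does not, and where the rogue's executable actually lives) are both answerable from the log's "Files Created" / "Find3M" and "Reg Loading Points" sections. The script below is an added example, my own code rather than anything from ComboFix, BleepingComputer or the posters: it parses a condensed excerpt of the log posted above (paths copied unchanged, most benign lines dropped so it runs offline) and flags what a responder would look at first: files written under service-account profiles (systemprofile, LocalService, NetworkService), which no interactive user writes to in normal use and where the log shows Desktop Security 2010.exe; autostart Run entries labelled by scope, since a per-user HKCU entry is exactly what produces a popup for one login and not another; any AppInit_DLLs value; and a disabled firewall. The heuristics, the marker list and the flag wording are my assumptions, and a flag is a review candidate rather than a verdict (wxvault.dll is flagged only because AppInit_DLLs is a common injection point, not because the log shows it doing anything wrong).

```python
"""Triage a ComboFix-style log for rogue-AV persistence indicators.

Added example (not ComboFix's or the thread's code). The sample below is
a condensed excerpt of the log posted in this thread; the heuristics are
the author's own assumptions about what deserves a first look.
"""
import re
from typing import Dict, List

# Condensed excerpt of the posted ComboFix log (paths unchanged).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.
2010-08-10 14:53 . 2010-08-10 14:53 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-08-09 21:10 . 2010-08-10 13:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Desktop Security
2010-08-09 21:10 . 2010-08-09 17:45 1613824 ----a-w- c:\windows\system32\config\systemprofile\Application Data\Desktop Security\Desktop Security 2010.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 13:04 . 2010-02-10 02:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-10 12:32 . 2010-08-09 21:20 28 ----a-w- c:\documents and settings\NetworkService\Application Data\ikvyhq.dat
2010-08-09 21:09 . 2010-08-09 21:09 20 ----a-w- c:\documents and settings\LocalService\Application Data\ikvyhq.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\documents and settings\kwebb\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "created . modified size attrs path"; size is "--------" for directories.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')

# Profile directories that interactive software never writes to (assumption:
# anything dropped here by a "desktop" product is worth a look).
SERVICE_PROFILE_MARKERS = (
    r"\config\systemprofile",
    r"\documents and settings\localservice",
    r"\documents and settings\networkservice",
)


def _image_path(value: str) -> str:
    """Extract the image path from a ComboFix value: quoted path, or bare path."""
    quoted = re.match(r'"([^"]*)"', value)
    if quoted:
        return quoted.group(1)
    return re.sub(r"\s*\[.*\]$", "", value).strip()


def parse_log(text: str) -> Dict[str, list]:
    """Return file-listing rows and registry values, each tagged with its key."""
    files, values = [], []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            row = m.groupdict()
            row["size"] = None if row["size"].startswith("-") else int(row["size"])
            files.append(row)
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            values.append({"key": current_key, "name": m.group("name"),
                           "value": m.group("value"),
                           "path": _image_path(m.group("value"))})
    return {"files": files, "values": values}


def triage(text: str) -> List[str]:
    """Apply the review heuristics and return one finding per hit."""
    parsed = parse_log(text)
    findings = []
    for f in parsed["files"]:
        low = f["path"].lower()
        if f["size"] is not None and any(mk in low for mk in SERVICE_PROFILE_MARKERS):
            findings.append(f"service-profile file: {f['path']} ({f['size']} bytes)")
    for v in parsed["values"]:
        key = v["key"].lower()
        if key.endswith(r"\currentversion\run"):
            if key.startswith("hkey_current_user"):
                scope = "per-user (HKCU)"      # runs only for the logged-in user
            elif key.startswith("hkey_users"):
                scope = "per-hive (HKU)"
            else:
                scope = "machine-wide (HKLM)"  # runs for every account
            findings.append(f"{scope} autostart: {v['name']} -> {v['path']}")
        elif v["name"].lower() == "appinit_dlls" and v["path"]:
            # Loaded into every process that links user32.dll; review the DLL.
            findings.append(f"AppInit_DLLs entry: {v['path']}")
        elif v["name"].lower() == "enablefirewall" and v["value"].lstrip().startswith("0"):
            findings.append("Windows Firewall disabled in the standard profile")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run on the excerpt it reports the rogue's executable and the two small `ikvyhq.dat` files under service-account profiles, separates the single HKCU autostart (the only kind that would explain one account getting the popup and another not) from the HKLM and HKU entries, and notes the AppInit_DLLs value and the disabled firewall; the same parser runs unchanged on a full log pasted into `SAMPLE_LOG`.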

#5 boopme

  • Global Moderator

Posted 13 August 2010 - 10:57 PM

Hello, from the outside forum description: No DDS, HijackThis, or ComboFix logs should be posted in this forum.

I can no longer reply to the log; it needs to be posted with a DDS log here.
Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic. Thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.

#6 Mooregard


Posted 16 August 2010 - 08:11 AM

Hi, and thanks for your info. I have returned the laptop to the user after formatting and upgrading to Win7. So the next time I have a virus issue, I will follow your instructions and post in the correct forum. Thanks for your help.

Deb

#7 boopme

  • Global Moderator

Posted 16 August 2010 - 09:01 AM

Thanks for the update and happy computing.