
Security Suite


This topic is locked. 12 replies to this topic.

#1 Clurion

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 12 September 2010 - 06:34 AM

I have had similar problems like this with Anti-Virus Soft and other programs, that have been removed successfully. I did the same when this appeared. Start in Safe Mode/Networking, open internet and reconfigure LAN, look up how to remove, used RKill/Malwarebytes Anti-Malware as suggested, and restarted computer. It still said it was there, but now my computer would go black then enter the blue screen, saying it was dumping the memory to protect it, then restart itself. I'm not sure if it could be, but I still had the Malwarebytes installed from the last time. Do I need to uninstall and reinstall to make it work? If not, please notify me with what needs to be done, as college starts soon and a working computer may be essential to my classes.

.:Edit:. I'm currently in Safe Mode/Networking, and it is running fine. But I had something happen last night, when I first started doing the required procedures in Link. I got everything done, had the topic up and waiting, and was running the DDS program. It was scanning and had 3 things on its list, then my computer just restarted. I logged back in under Safe Mode/Networking and re-opened internet, instruction and posting topic page were saved, but when I ran DDS this time, it only found 1 thing total. I'm not sure if this is something to be mentioned, but I thought I would just in case.

QUOTE
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Cody_2 at 22:28:43.46 on Sat 09/11/2010
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_13
Microsoft Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.894.295 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Cody_2\Downloads\Defogger.exe
C:\Windows\system32\DllHost.exe
C:\Users\Cody_2\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [rqpcymgi] c:\users\cody_2\appdata\local\qcutrwqqx\pdrcuihuqiw.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SnapfishMediaDetector] c:\program files\snapfish media detector\SnapfishMediaDetector.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ClickPotatoLiteSA] "c:\program files\clickpotatolite\bin\10.0.528.0\ClickPotatoLiteSA.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish media detector\SnapfishMediaDetector.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\cody_2\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - c:\program files\clickpotatolite\bin\10.0.528.0\ClickPotatoLiteSABHO.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 208.43.47.212 a1.review.zdnet.com
Hosts: 208.43.47.212 reviews.riverstreams.co.uk
Hosts: 208.43.47.212 d1.reviews.cnet.com
Hosts: 208.43.47.212 review.2009softwarereviews.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\users\cody_2\appdata\roaming\mozilla\firefox\profiles\fbh0sum2.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\cody_2\appdata\roaming\mozilla\firefox\profiles\fbh0sum2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\cody_2\appdata\roaming\mozilla\firefox\profiles\fbh0sum2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HotbarSA.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: XULRunner: {04C0F76B-8C7E-4F75-B85C-4A318651D6FB} - c:\users\cody_2\appdata\local\{04C0F76B-8C7E-4F75-B85C-4A318651D6FB}
FF - HiddenExtension: XULRunner: {8B2145B2-B732-4F5F-AC66-3D7E0F050C84} - c:\windows\system32\config\systemprofile\appdata\local\{8B2145B2-B732-4F5F-AC66-3D7E0F050C84}
FF - HiddenExtension: XULRunner: {DD100782-8621-46DF-84C2-F4854C57D048} - c:\windows\system32\config\systemprofile\appdata\local\{DD100782-8621-46DF-84C2-F4854C57D048}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-31 21504]

=============== Created Last 30 ================

2010-09-12 02:27:08 0 ----a-w- c:\users\cody_2\defogger_reenable
2010-08-28 11:46:36 815104 ----a-w- c:\windows\system32\xvidcore.dll
2010-08-28 11:46:36 77824 ----a-w- c:\windows\system32\xvid.ax
2010-08-28 11:46:36 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-08-28 11:46:36 0 d-----w- c:\program files\Xvid
2010-08-28 11:45:17 0 d-----w- c:\programdata\ClickPotatoLiteSA
2010-08-28 11:45:16 0 d-----w- c:\users\cody_2\appdata\roaming\ClickPotatoLite
2010-08-28 11:45:16 0 d-----w- c:\program files\ClickPotatoLite
2010-08-14 01:17:35 76569 ----a-w- c:\windows\War3Unin.dat
2010-08-14 01:17:34 2829 ----a-w- c:\windows\War3Unin.pif
2010-08-14 01:17:34 139264 ----a-w- c:\windows\War3Unin.exe

==================== Find3M ====================

2010-09-12 02:06:08 110112 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-09-09 02:32:34 3018 ----a-w- c:\users\cody_2\appdata\roaming\wklnhst.dat
2010-07-15 20:33:29 287488 ----a-w- c:\windows\exe.exe
2010-07-10 04:45:20 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-10 04:45:20 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-10 04:45:20 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-15 23:54:07 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-04 14:43:57 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-05-24 02:37:05 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010052520100526\index.dat
2010-05-24 02:37:36 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010052620100527\index.dat
2010-06-05 13:18:40 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010060520100606\index.dat
2010-06-09 15:19:30 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010060920100610\index.dat
2009-06-13 11:53:45 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-06-13 11:53:45 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-06-13 11:53:45 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:31:08.04 ===============

Edited by Clurion, 12 September 2010 - 06:46 AM.
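As an added triage example (not part of this thread, and not code from DDS, ComboFix or BleepingComputer), the Python script below reads a handful of the Pseudo HJT lines from the log above and flags the indicators a malware responder would look at first: the ProxyServer entry pointing at 127.0.0.1:6092 (a local process sitting between the browser and the network), the randomly named uRun entry launched from AppData\Local, EnableLUA = 0 (User Account Control switched off), and the non-default HOSTS entries that block one site and redirect others. The sample input is copied from the log above with two benign autorun lines kept as controls; the line patterns, finding names and wording are my own assumptions about the DDS format, not anything the tool documents.

```python
"""Triage a DDS 'Pseudo HJT Report' section for rogue-AV indicators.

Added example for this thread; it is not DDS, ComboFix or BleepingComputer code.
The line patterns below are assumptions drawn from the log posted above.
"""
import re
from typing import Dict, List

# Sample input: lines copied from the DDS log above, plus the benign Sidebar
# and Windows Defender autoruns as controls that must not be flagged.
SAMPLE_DDS = r"""
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [rqpcymgi] c:\users\cody_2\appdata\local\qcutrwqqx\pdrcuihuqiw.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 208.43.47.212 a1.review.zdnet.com
"""

# DDS prefixes: u = current-user hive, m = machine hive, d = default-user hive.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<value>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
UAC_OFF_RE = re.compile(r"^mPolicies-system: EnableLUA = 0\b")
# Autoruns living under a user-writable profile directory deserve a look;
# legitimately installed software normally runs from Program Files.
PROFILE_DIR_RE = re.compile(r"\\appdata\\(?:local|roaming)\\", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"127\.0\.0\.1|localhost", re.IGNORECASE)


def triage(dds_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in log order."""
    findings: List[Dict[str, str]] = []

    def add(kind: str, line: str, reason: str) -> None:
        findings.append({"kind": kind, "line": line, "reason": reason})

    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROXY_RE.match(line)
        if m:
            if LOOPBACK_RE.search(m.group("value")):
                add("proxy", line,
                    "browser traffic is routed through a proxy on the local host; "
                    "a local process is intercepting web requests")
            continue

        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.group("ip"), m.group("host")
            if ip.startswith("127."):
                add("hosts-block", line, f"{host} is sinkholed to loopback (site blocked)")
            else:
                add("hosts-redirect", line, f"{host} is redirected to {ip}")
            continue

        m = RUN_RE.match(line)
        if m:
            if PROFILE_DIR_RE.search(m.group("cmd")):
                add("autorun-profile", line,
                    f"autorun '{m.group('name')}' executes from a user profile directory")
            continue

        if UAC_OFF_RE.match(line):
            add("uac-disabled", line, "EnableLUA = 0: User Account Control is switched off")

    return findings


def kinds(findings: List[Dict[str, str]]) -> List[str]:
    """Finding kinds in log order; handy for a one-line summary."""
    return [f["kind"] for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['kind']}] {f['line']}\n    -> {f['reason']}")
```

Run it as-is to see the five findings; to triage a real DDS.txt, pass its contents to `triage()` in place of `SAMPLE_DDS`. The proxy check is the one worth internalizing: a loopback ProxyServer value is why the original poster had to "reconfigure LAN" to get a browser working, and clearing it without removing the process that listens on that port just lets the malware set it again.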


#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,693 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:35 PM

Posted 12 September 2010 - 10:41 AM

Hi, Clurion

Follow these steps in Safe Mode for the time being.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    QUOTE
    Folder::
    c:\users\cody_2\appdata\local\qcutrwqqx

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.
  4. Install the Recovery Console if prompted.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#3 Clurion
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 13 September 2010 - 10:48 AM

Ok, Here is the requested file after it ran its course. Not sure if relevant or not, but the process was very sluggish, taking about 30 minutes just for the black box to appear, then it took 8+ hours to run it. After it ran, my computer slowed down dramatically. I couldn't even pull open internet. So I shut it down for the night, which took it 15 minutes just to exit the screen to the "Logging Off" screen. I booted it back up in Safe Mode/Networking and am awaiting further instructions.

ComboFix 10-09-11.04 - Cody_2 09/12/2010 14:42:34.1.2 - x86 NETWORK
Running from: c:\users\Cody_2\Desktop\ComboFix.exe
Command switches used :: c:\users\Cody_2\Desktop\CFScript.txt
.
PEV Error: AppFile
PEV Error: AppFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\cody\AppData\Local\Microsoft\Windows\Temporary Internet Files\ijjistarter_verinfo.dat
c:\users\Cody_2\AppData\Local\qcutrwqqx
c:\users\Cody_2\AppData\Local\qcutrwqqx\pdrcuihuqiw.exe
c:\windows\system32\PRAGMAerrors.log
c:\windows\system32\system

.
((((((((((((((((((((((((( Files Created from 2010-08-13 to 2010-09-13 )))))))))))))))))))))))))))))))
.

2010-09-13 01:25 . 2010-09-13 01:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-13 01:25 . 2010-09-13 01:25 -------- d-----w- c:\users\cody\AppData\Local\temp
2010-09-13 01:25 . 2010-09-13 01:25 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-09-13 01:25 . 2010-09-13 01:25 -------- d-----w- c:\users\Cody_2\AppData\Local\temp
2010-08-28 11:46 . 2010-08-28 11:46 -------- d-----w- c:\program files\Xvid
2010-08-28 11:46 . 2008-12-05 01:46 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-08-28 11:46 . 2008-12-05 01:42 815104 ----a-w- c:\windows\system32\xvidcore.dll
2010-08-28 11:45 . 2010-09-11 23:40 -------- d-----w- c:\programdata\ClickPotatoLiteSA
2010-08-28 11:45 . 2010-08-28 11:45 -------- d-----w- c:\users\Cody_2\AppData\Roaming\ClickPotatoLite
2010-08-28 11:45 . 2010-08-28 11:45 -------- d-----w- c:\program files\ClickPotatoLite
2010-08-22 16:47 . 2010-08-22 16:47 0 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\ujilosupu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-12 03:17 . 2009-08-28 22:39 -------- d-----w- c:\users\Cody_2\AppData\Roaming\BitTorrent
2010-09-12 02:06 . 2007-08-17 18:02 110112 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-09-11 03:33 . 2010-08-14 01:10 -------- d-----w- c:\program files\Warcraft III
2010-09-09 02:32 . 2009-07-28 00:28 3018 ----a-w- c:\users\Cody_2\AppData\Roaming\wklnhst.dat
2010-08-24 19:55 . 2010-02-10 23:23 -------- d-----w- c:\users\Cody_2\AppData\Roaming\vlc
2010-08-21 00:46 . 2009-10-27 21:57 -------- d-----w- c:\users\Cody_2\AppData\Roaming\IMVU
2010-08-14 02:34 . 2010-08-14 01:17 76569 ----a-w- c:\windows\War3Unin.dat
2010-08-14 01:33 . 2010-08-14 01:17 2829 ----a-w- c:\windows\War3Unin.pif
2010-08-14 01:33 . 2010-08-14 01:17 139264 ----a-w- c:\windows\War3Unin.exe
2010-08-10 02:55 . 2010-08-10 02:55 -------- d-----w- c:\programdata\Blizzard
2010-08-06 14:23 . 2010-07-10 04:33 0 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Hseqiwimanitesu.bin
2010-07-31 03:17 . 2010-07-31 03:17 0 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\unayupunep.dll
2010-07-21 23:47 . 2009-10-27 21:56 -------- d-----w- c:\users\Cody_2\AppData\Roaming\IMVUClient
2010-07-19 02:09 . 2010-05-09 13:58 -------- d-----w- c:\program files\Windows Defender
2010-07-17 03:46 . 2010-07-17 03:46 0 ----a-w- c:\users\Cody_2\AppData\Local\ayekaqibiyovoxan.dll
2010-07-17 02:41 . 2010-07-17 02:41 0 ----a-w- c:\users\Cody_2\AppData\Local\ogifidequbefo.dll
2010-07-15 20:33 . 2010-07-15 20:33 287488 ----a-w- c:\windows\exe.exe
2010-07-10 04:33 . 2010-07-10 04:33 120 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Rdilobuzitowa.dat
2010-07-10 03:33 . 2010-03-18 22:06 0 ----a-w- c:\users\Cody_2\AppData\Local\prvlcl.dat
2010-07-08 17:39 . 2010-07-08 17:39 2724 ----a-w- c:\users\Cody_2\AppData\Local\aqicosaqo.dll
2010-07-08 17:24 . 2010-07-08 17:24 2724 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\acaqihojiseciy.dll
2010-07-08 14:20 . 2010-07-08 14:20 2724 ----a-w- c:\users\Cody_2\AppData\Local\uvadeneq.dll
2010-07-08 03:19 . 2010-07-08 03:19 2724 ----a-w- c:\users\Cody_2\AppData\Local\Rdilobuzitowa.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-28 2938552]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-12-01 6373376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"ClickPotatoLiteSA"="c:\program files\ClickPotatoLite\bin\10.0.528.0\ClickPotatoLiteSA.exe" [2010-08-12 739632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-12-01 6373376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

--- Other Services/Drivers In Memory ---

*Deregistered* - kwldqpob

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Cody_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - c:\program files\ClickPotatoLite\bin\10.0.528.0\ClickPotatoLiteSABHO.dll
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Cody_2\AppData\Roaming\Mozilla\Firefox\Profiles\fbh0sum2.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\Cody_2\AppData\Roaming\Mozilla\Firefox\Profiles\fbh0sum2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Cody_2\AppData\Roaming\Mozilla\Firefox\Profiles\fbh0sum2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: XULRunner: {04C0F76B-8C7E-4F75-B85C-4A318651D6FB} - c:\users\Cody_2\AppData\Local\{04C0F76B-8C7E-4F75-B85C-4A318651D6FB}
FF - HiddenExtension: XULRunner: {8B2145B2-B732-4F5F-AC66-3D7E0F050C84} - c:\windows\system32\config\systemprofile\AppData\Local\{8B2145B2-B732-4F5F-AC66-3D7E0F050C84}
FF - HiddenExtension: XULRunner: {DD100782-8621-46DF-84C2-F4854C57D048} - c:\windows\system32\config\systemprofile\AppData\Local\{DD100782-8621-46DF-84C2-F4854C57D048}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-rqpcymgi - c:\users\Cody_2\AppData\Local\qcutrwqqx\pdrcuihuqiw.exe
HKLM-Run-SnapfishMediaDetector - c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe
HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-09803874569874596 - c:\programdata\gra\gra.exe
MSConfigStartUp-29837465982736455 - c:\programdata\gra\mradll.exe
AddRemove-My HP Game Console - c:\program files\HP Games\My HP Game Console\Uninstall.exe
AddRemove-RealAlt_is1 - c:\program files\Real Alternative\unins000.exe
AddRemove-ShopperReportsSA - c:\program files\ShopperReports3\bin\3.0.307.0\ShopperReportsUninstaller.exe
AddRemove-WildTangent hpdesktop Master Uninstall - c:\program files\HP Games\Uninstall.exe
AddRemove-WT017697 - c:\program files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe
AddRemove-WT017707 - c:\program files\HP Games\Blackhawk Striker 2\Uninstall.exe
AddRemove-WT017717 - c:\program files\HP Games\Blasterball 3\Uninstall.exe
AddRemove-WT017727 - c:\program files\HP Games\Bookworm Deluxe\Uninstall.exe
AddRemove-WT017737 - c:\program files\HP Games\Bounce Symphony\Uninstall.exe
AddRemove-WT017757 - c:\program files\HP Games\Chuzzle Deluxe\Uninstall.exe
AddRemove-WT017767 - c:\program files\HP Games\Crystal Maze\Uninstall.exe
AddRemove-WT017777 - c:\program files\HP Games\Diner Dash\Uninstall.exe
AddRemove-WT017787 - c:\program files\HP Games\Family Feud\Uninstall.exe
AddRemove-WT017797 - c:\program files\HP Games\FATE\Uninstall.exe
AddRemove-WT017807 - c:\program files\HP Games\Final Drive Nitro\Uninstall.exe
AddRemove-WT017817 - c:\program files\HP Games\Flip Words\Uninstall.exe
AddRemove-WT017827 - c:\program files\HP Games\Insaniquarium Deluxe\Uninstall.exe
AddRemove-WT017837 - c:\program files\HP Games\JEOPARDY\Uninstall.exe
AddRemove-WT017847 - c:\program files\HP Games\Jewel Quest\Uninstall.exe
AddRemove-WT017877 - c:\program files\HP Games\Mah Jong Quest\Uninstall.exe
AddRemove-WT017887 - c:\program files\HP Games\Otto\Uninstall.exe
AddRemove-WT017897 - c:\program files\HP Games\Overball\Uninstall.exe
AddRemove-WT017907 - c:\program files\HP Games\Penguins!\Uninstall.exe
AddRemove-WT017917 - c:\program files\HP Games\Phoenix Assault\Uninstall.exe
AddRemove-WT017927 - c:\program files\HP Games\Polar Bowler\Uninstall.exe
AddRemove-WT017937 - c:\program files\HP Games\Polar Golfer\Uninstall.exe
AddRemove-WT017947 - c:\program files\HP Games\Polar Tubing\Uninstall.exe
AddRemove-WT017967 - c:\program files\HP Games\Ricochet Lost Worlds\Uninstall.exe
AddRemove-WT017977 - c:\program files\HP Games\SCRABBLE\Uninstall.exe
AddRemove-WT018007 - c:\program files\HP Games\Super Granny\Uninstall.exe
AddRemove-WT018017 - c:\program files\HP Games\Tradewinds\Uninstall.exe
AddRemove-WT018027 - c:\program files\HP Games\Wheel of Fortune\Uninstall.exe
AddRemove-WT018037 - c:\program files\HP Games\Zuma Deluxe\Uninstall.exe
AddRemove-WT018860 - c:\program files\HP Games\Cue Master\Uninstall.exe
AddRemove-WT020464 - c:\program files\HP Games\Cake Mania\Uninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-12 22:15
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-13 06:23:28
ComboFix-quarantined-files.txt 2010-09-13 10:18

Pre-Run: 174,016,520,192 bytes free
Post-Run: 177,421,369,344 bytes free

- - End Of File - - B0BBE4690F578EDDDC2890AD37687CB9


Edited by JSntgRvr, 13 September 2010 - 11:50 AM.


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,693 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:35 PM

Posted 13 September 2010 - 12:05 PM

Please remove the copy of Combofix on your desktop and download a fresh one.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
CODE
http://www.bleepingcomputer.com/forums/index.php?act=ST&f=22&t=346789

Folder::
c:\windows\system32\config\systemprofile\AppData\Local\ujilosupu.dll

Collect::
c:\windows\system32\config\systemprofile\AppData\Local\Hseqiwimanitesu.bin
c:\windows\system32\config\systemprofile\AppData\Local\unayupunep.dll
c:\users\Cody_2\AppData\Local\ayekaqibiyovoxan.dll
c:\users\Cody_2\AppData\Local\ogifidequbefo.dll
c:\windows\exe.exe
c:\windows\system32\config\systemprofile\AppData\Local\Rdilobuzitowa.dat
c:\users\Cody_2\AppData\Local\prvlcl.dat
c:\windows\system32\config\systemprofile\AppData\Local\acaqihojiseciy.dll
c:\users\Cody_2\AppData\Local\uvadeneq.dll
c:\users\Cody_2\AppData\Local\Rdilobuzitowa.dat

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]




Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If the upload fails, Combofix created a zipped file in the C:\Qoobox\Quarantine folder labeled in the form of [4]-Submit_Date_Time.zip. Please have this file uploaded to the following location:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Indicate a link to this address and let me know when ready.

Edited by JSntgRvr, 13 September 2010 - 12:06 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 Clurion

Clurion
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 13 September 2010 - 01:12 PM

Ok, Internet connection was working and the analysis was sent in. If I need to manually send it in, let me know. Including the new ComboFix log in case it is needed. It went much more smoothly this time, taking less than 30 minutes. I take this as a good sign that my computer is on its way to being fixed.

QUOTE
ComboFix 10-09-12.04 - Cody_2 09/13/2010 13:44:20.2.2 - x86 NETWORK
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.894.355 [GMT -4:00]
Running from: c:\users\Cody_2\Desktop\ComboFix.exe
Command switches used :: c:\users\Cody_2\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

file zipped: c:\users\Cody_2\AppData\Local\ayekaqibiyovoxan.dll
file zipped: c:\users\Cody_2\AppData\Local\ogifidequbefo.dll
file zipped: c:\users\Cody_2\AppData\Local\prvlcl.dat
file zipped: c:\users\Cody_2\AppData\Local\Rdilobuzitowa.dat
file zipped: c:\users\Cody_2\AppData\Local\uvadeneq.dll
file zipped: c:\windows\exe.exe
file zipped: c:\windows\system32\config\systemprofile\AppData\Local\acaqihojiseciy.dll
file zipped: c:\windows\system32\config\systemprofile\AppData\Local\Hseqiwimanitesu.bin
file zipped: c:\windows\system32\config\systemprofile\AppData\Local\Rdilobuzitowa.dat
file zipped: c:\windows\system32\config\systemprofile\AppData\Local\unayupunep.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Cody_2\AppData\Local\{04C0F76B-8C7E-4F75-B85C-4A318651D6FB}
c:\users\Cody_2\AppData\Local\{04C0F76B-8C7E-4F75-B85C-4A318651D6FB}\chrome.manifest
c:\users\Cody_2\AppData\Local\{04C0F76B-8C7E-4F75-B85C-4A318651D6FB}\chrome\content\_cfg.js
c:\users\Cody_2\AppData\Local\{04C0F76B-8C7E-4F75-B85C-4A318651D6FB}\chrome\content\overlay.xul
c:\users\Cody_2\AppData\Local\{04C0F76B-8C7E-4F75-B85C-4A318651D6FB}\install.rdf
c:\users\Cody_2\AppData\Local\ayekaqibiyovoxan.dll
c:\users\Cody_2\AppData\Local\ogifidequbefo.dll
c:\users\Cody_2\AppData\Local\prvlcl.dat
c:\users\Cody_2\AppData\Local\Rdilobuzitowa.dat
c:\users\Cody_2\AppData\Local\uvadeneq.dll
c:\windows\exe.exe
c:\windows\System32\config\systemprofile\AppData\Local\{8B2145B2-B732-4F5F-AC66-3D7E0F050C84}
c:\windows\System32\config\systemprofile\AppData\Local\{8B2145B2-B732-4F5F-AC66-3D7E0F050C84}\chrome.manifest
c:\windows\System32\config\systemprofile\AppData\Local\{8B2145B2-B732-4F5F-AC66-3D7E0F050C84}\chrome\content\_cfg.js
c:\windows\System32\config\systemprofile\AppData\Local\{8B2145B2-B732-4F5F-AC66-3D7E0F050C84}\chrome\content\overlay.xul
c:\windows\System32\config\systemprofile\AppData\Local\{8B2145B2-B732-4F5F-AC66-3D7E0F050C84}\install.rdf
c:\windows\System32\config\systemprofile\AppData\Local\{DD100782-8621-46DF-84C2-F4854C57D048}
c:\windows\System32\config\systemprofile\AppData\Local\{DD100782-8621-46DF-84C2-F4854C57D048}\chrome.manifest
c:\windows\System32\config\systemprofile\AppData\Local\{DD100782-8621-46DF-84C2-F4854C57D048}\chrome\content\_cfg.js
c:\windows\System32\config\systemprofile\AppData\Local\{DD100782-8621-46DF-84C2-F4854C57D048}\chrome\content\overlay.xul
c:\windows\System32\config\systemprofile\AppData\Local\{DD100782-8621-46DF-84C2-F4854C57D048}\install.rdf
c:\windows\system32\config\systemprofile\AppData\Local\acaqihojiseciy.dll
c:\windows\system32\config\systemprofile\AppData\Local\Hseqiwimanitesu.bin
c:\windows\system32\config\systemprofile\AppData\Local\Rdilobuzitowa.dat
c:\windows\system32\config\systemprofile\AppData\Local\unayupunep.dll

.
((((((((((((((((((((((((( Files Created from 2010-08-13 to 2010-09-13 )))))))))))))))))))))))))))))))
.

2010-09-13 17:58 . 2010-09-13 17:58 -------- d-----w- c:\users\Cody_2\AppData\Local\temp
2010-09-13 17:58 . 2010-09-13 17:58 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-09-13 17:58 . 2010-09-13 17:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-13 17:58 . 2010-09-13 17:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-13 17:58 . 2010-09-13 17:58 -------- d-----w- c:\users\cody\AppData\Local\temp
2010-09-13 17:37 . 2010-09-13 17:37 -------- d-----w- C:\32788R22FWJFW
2010-08-28 11:46 . 2010-08-28 11:46 -------- d-----w- c:\program files\Xvid
2010-08-28 11:46 . 2008-12-05 01:46 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-08-28 11:46 . 2008-12-05 01:42 815104 ----a-w- c:\windows\system32\xvidcore.dll
2010-08-28 11:45 . 2010-09-11 23:40 -------- d-----w- c:\programdata\ClickPotatoLiteSA
2010-08-28 11:45 . 2010-08-28 11:45 -------- d-----w- c:\users\Cody_2\AppData\Roaming\ClickPotatoLite
2010-08-28 11:45 . 2010-08-28 11:45 -------- d-----w- c:\program files\ClickPotatoLite
2010-08-22 16:47 . 2010-08-22 16:47 0 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\ujilosupu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-13 15:44 . 2010-03-24 10:55 680 ----a-w- c:\users\Cody_2\AppData\Local\d3d9caps.dat
2010-09-12 03:17 . 2009-08-28 22:39 -------- d-----w- c:\users\Cody_2\AppData\Roaming\BitTorrent
2010-09-12 02:06 . 2007-08-17 18:02 110112 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-09-11 03:33 . 2010-08-14 01:10 -------- d-----w- c:\program files\Warcraft III
2010-09-09 02:32 . 2009-07-28 00:28 3018 ----a-w- c:\users\Cody_2\AppData\Roaming\wklnhst.dat
2010-08-24 19:55 . 2010-02-10 23:23 -------- d-----w- c:\users\Cody_2\AppData\Roaming\vlc
2010-08-21 00:46 . 2009-10-27 21:57 -------- d-----w- c:\users\Cody_2\AppData\Roaming\IMVU
2010-08-14 02:34 . 2010-08-14 01:17 76569 ----a-w- c:\windows\War3Unin.dat
2010-08-14 01:33 . 2010-08-14 01:17 2829 ----a-w- c:\windows\War3Unin.pif
2010-08-14 01:33 . 2010-08-14 01:17 139264 ----a-w- c:\windows\War3Unin.exe
2010-08-10 02:55 . 2010-08-10 02:55 -------- d-----w- c:\programdata\Blizzard
2010-07-21 23:47 . 2009-10-27 21:56 -------- d-----w- c:\users\Cody_2\AppData\Roaming\IMVUClient
2010-07-19 02:09 . 2010-05-09 13:58 -------- d-----w- c:\program files\Windows Defender
2010-07-08 17:39 . 2010-07-08 17:39 2724 ----a-w- c:\users\Cody_2\AppData\Local\aqicosaqo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-28 2938552]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-12-01 6373376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"ClickPotatoLiteSA"="c:\program files\ClickPotatoLite\bin\10.0.528.0\ClickPotatoLiteSA.exe" [2010-08-12 739632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-12-01 6373376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Cody_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - c:\program files\ClickPotatoLite\bin\10.0.528.0\ClickPotatoLiteSABHO.dll
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Cody_2\AppData\Roaming\Mozilla\Firefox\Profiles\fbh0sum2.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\Cody_2\AppData\Roaming\Mozilla\Firefox\Profiles\fbh0sum2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Cody_2\AppData\Roaming\Mozilla\Firefox\Profiles\fbh0sum2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-13 13:58
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

&4Y؜άY؝ [-1748058401] 0x00790073

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-09-13 14:06:30
ComboFix-quarantined-files.txt 2010-09-13 18:06
ComboFix2.txt 2010-09-13 10:27

Pre-Run: 177,484,169,216 bytes free
Post-Run: 177,395,859,456 bytes free

- - End Of File - - 7BFBAA4D2DDBE31D2FE75EF7995641F2
Upload was successful
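As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage script that reads the line shapes ComboFix prints in the "Reg Loading Points" and "Supplementary Scan" sections above and flags the indicators that matter in these two logs: the IE proxy forced to 127.0.0.1:6092 (the rogue "Security Suite" intercepting browsing), EnableLUA set to 0 (UAC off), the Security Center monitoring and override values set to 1 (the rogue hiding its presence from the Action Center), hidden XULRunner extensions living under user-writable directories, and Run entries whose image sits under AppData\Local or ProgramData. The embedded sample log is constructed, modelled on the excerpts in this thread; the `Finding` type, the `triage` helper and the indicator names are my own.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    indicator: str  # short tag for the class of problem
    evidence: str   # the log line that triggered it


# Line shapes taken from the "Reg Loading Points" and "Supplementary Scan"
# sections that ComboFix prints.
_REG_SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
_REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<spec>.+)$", re.I)
_HIDDEN_EXT_RE = re.compile(r"^FF - HiddenExtension:.*?-\s*(?P<path>[a-z]:\\.+)$", re.I)
_LOOPBACK_RE = re.compile(r"(?:^|=)(?:127\.0\.0\.1|localhost)(?::\d+)?", re.I)
# Directories any user can write to: scareware droppers live here, system services do not.
_USER_WRITABLE_RE = re.compile(r"\\(?:appdata\\local|programdata|users\\public)\\", re.I)
_SECURITY_CENTER_FLAGS = {"disablemonitoring", "antivirusoverride", "firewalloverride"}


def _reg_number(raw: str) -> Optional[int]:
    """Normalise the two numeric syntaxes in the log: `0 (0x0)` and `dword:00000001`."""
    raw = raw.strip()
    m = re.match(r"^dword:([0-9a-f]{1,8})\b", raw, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\b", raw)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return every indicator found, in log order."""
    findings: List[Finding] = []
    current_key = ""  # lower-cased registry key of the section being read
    for raw_line in log_text.splitlines():
        line = raw_line.strip()
        if not line:
            continue
        m = _REG_SECTION_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = _PROXY_RE.match(line)
        if m and _LOOPBACK_RE.search(m.group("spec")):
            findings.append(Finding("loopback-proxy", line))
            continue
        m = _HIDDEN_EXT_RE.match(line)
        if m and _USER_WRITABLE_RE.search(m.group("path")):
            findings.append(Finding("hidden-firefox-extension", line))
            continue
        m = _REG_VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name").lower(), m.group("value")
        number = _reg_number(value)
        if current_key.endswith(r"\policies\system") and name == "enablelua" and number == 0:
            findings.append(Finding("uac-disabled", line))
        elif r"\security center" in current_key and name in _SECURITY_CENTER_FLAGS and number == 1:
            findings.append(Finding("security-center-suppressed", line))
        elif r"\run" in current_key and _USER_WRITABLE_RE.search(value):
            findings.append(Finding("autorun-from-user-writable-path", line))
    return findings


# Constructed sample, modelled on the excerpts in this thread (not a verbatim copy).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"rqpcymgi"="c:\users\Cody_2\AppData\Local\qcutrwqqx\pdrcuihuqiw.exe" [2010-09-11 0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: network.proxy.type - 0
FF - HiddenExtension: XULRunner: {04C0F76B-8C7E-4F75-B85C-4A318651D6FB} - c:\users\Cody_2\AppData\Local\{04C0F76B-8C7E-4F75-B85C-4A318651D6FB}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.indicator:32} {f.evidence}")
```

The output is a review list, not a verdict: legitimate local filtering proxies and updaters that run from AppData trip the same heuristics, so each hit still needs to be checked against what is actually installed. The loopback proxy is the one to fix first, because until it is cleared every browser request on the box goes through the rogue's listener, which is why the machine "could not reach the internet" until LAN settings were reconfigured in Safe Mode.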


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,693 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:35 PM

Posted 13 September 2010 - 04:36 PM

Let's remove some of the remnants:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
CODE
http://www.bleepingcomputer.com/forums/index.php?act=ST&f=22&t=346789

Collect::
c:\windows\system32\config\systemprofile\AppData\Local\ujilosupu.dll
c:\users\Cody_2\AppData\Local\aqicosaqo.dll




Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If the upload fails, Combofix created a zipped file in the C:\Qoobox\Quarantine folder labeled in the form of [4]-Submit_Date_Time.zip. Please have this file uploaded to the following location:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Indicate a link to this address and let me know when ready.

Please do an online scan with Kaspersky WebScanner

Kaspersky Online Scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 21.
  • Click the JDK 6 Update 21 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users: right-click on jre-6u21-windows-i586.exe and select "Run as an Administrator".)



#7 Clurion

Clurion
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 14 September 2010 - 09:55 AM

Ok, I have done the ComboFix with a successful report online. I have also run the Kaspersky successfully. The Java update can't be done yet, because it says I can't change those programs while under Safe Mode. What is my next step?

QUOTE
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 14, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 13, 2010 19:01:44
Records in database: 4214112
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 284370
Threats found: 8
Infected objects found: 10
Suspicious objects found: 0
Scan duration: 05:19:35


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Users\Cody_2\AppData\Local\qcutrwqqx\pdrcuihuqiw.exe.vir Infected: Trojan.Win32.FraudPack.bjva 1
C:\Qoobox\Quarantine\C\WINDOWS\exe.exe.vir Infected: Packed.Win32.Krap.hc 1
C:\Qoobox\Quarantine\[4]-Submit_2010-09-13_13.43.50.zip Infected: Trojan.Win32.FraudPack.azvc 1
C:\Users\Cody_2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\c3b9152-59f08d65 Infected: Exploit.OSX.Smid.d 1
C:\Users\Cody_2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\c657bed-746a7399 Infected: Trojan-Downloader.Java.OpenStream.ak 1
C:\Users\Cody_2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\c657bed-746a7399 Infected: Trojan-Dropper.Java.Small.h 1
C:\Users\Cody_2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\757db4fd-76a3880f Infected: Exploit.Java.Agent.f 1
C:\WINDOWS\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\51bd4ccb-612db6f5 Infected: Trojan-Downloader.Java.Agent.cf 1
C:\WINDOWS\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\575401da-126e2f13 Infected: Trojan-Downloader.Java.Agent.cf 1
C:\WINDOWS\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\e649f74-68be2940 Infected: Exploit.Java.Agent.f 1

Selected area has been scanned.


#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,693 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:35 PM

Posted 14 September 2010 - 10:31 AM

I thought you were in Normal Mode already. What seems to be the problem in Normal Mode?

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Edited by JSntgRvr, 14 September 2010 - 10:31 AM.



#9 Clurion

Clurion
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 14 September 2010 - 11:28 AM

I didn't know if it was safe or not to run in normal, so I just kept in safe mode this time. I will try it on normal mode and see what happens. If it goes smoothly, I will remove/update the java and run the TFC program.

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,693 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:35 PM

Posted 14 September 2010 - 12:16 PM

Let me know the outcome.



#11 Clurion

Clurion
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 15 September 2010 - 04:02 PM

Ok, both have been done and the computer is running much more smoothly. Is there anything else that needs to be done?

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,693 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:35 PM

Posted 15 September 2010 - 07:01 PM

Congratulations.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.
  • Rename Combofix to Uninstall and click on it. That should remove the application.

Manually remove any tool left.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  4. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  5. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  6. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes! icon_hello.gif



#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,693 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:35 PM

Posted 02 October 2010 - 12:55 AM

Resolved.





