Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect, Symantec Auto-update blocked


  • This topic is locked This topic is locked
13 replies to this topic

#1 IgorHallduck

IgorHallduck

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 21 March 2011 - 10:01 PM

Hello,
I want to start by saying thanks for your time in looking over my problem, you guys are awesome. I am having a problem with my computer automatically redirecting me to different search engines as well as slowed performance and problems getting Firefox to start up initially and Internet Explorer will not come up at all. Symantec Antivirus runs pretty regularly but I noticed after I started having problems that the last autoupdate was in October and when I tried to run liveupdate it said LU1803: LiveUpdate failed while getting your updates. I also have Super anti-spyware and it is not finding anything. I hope this is enough information to begin with. Here is the DDS results and the GMER log.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 21:21:20.46 on Mon 03/21/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1085 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\My Documents\Downloads\rplt1sur.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adupifohah] rundll32.exe "c:\windows\tprpst.dll",Startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [Ayalajijohap] rundll32.exe "c:\windows\edahixusoyaqoxi.dll",Startup
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\CurseClientStartup.ccip
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\sp6ky6n7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {CBF2FE56-8F2E-499C-A72B-8547059192EF} - c:\documents and settings\owner\local settings\application data\{CBF2FE56-8F2E-499C-A72B-8547059192EF}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-4 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 67656]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-8-22 10384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-11-11 632792]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-12 38224]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101117.002\naveng.sys [2010-11-18 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101117.002\navex15.sys [2010-11-18 1371184]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-7 136176]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-7-30 36608]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 12872]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-7-30 233472]
S4 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
S4 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [2009-1-12 98984]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-25 24652]
.
=============== Created Last 30 ================
.
2011-03-22 01:05:59 -------- d-----w- c:\program files\Free Window Registry Repair
2011-03-22 00:39:43 -------- d-----w- c:\program files\SpywareBlaster
2011-03-21 02:55:37 -------- d-----w- C:\8fc6e1d1a56167e4575591aa1c7b5a78
2011-02-24 04:34:16 0 ----a-w- c:\windows\Scaluvayadep.bin
2011-02-24 04:34:15 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\{CBF2FE56-8F2E-499C-A72B-8547059192EF}
.
==================== Find3M ====================
.
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200BB-22KEA0 rev.08.05J08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7AB439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a7b17b8]; MOV EAX, [0x8a7b1834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6FC030]
3 CLASSPNP[0xBA188FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000a4[0x8A6FDE98]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A883D98]
\Driver\atapi[0x8A6F76A0] -> IRP_MJ_CREATE -> 0x8A7AB439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD3200BB-22KEA0_____________________08.05J08#5&60ba549&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A7AB27F
user & kernel MBR OK
copy of MBR has been found in sector 9 !
copy of MBR has been found in sector 59 !
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:22:33.29 ===============


GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-21 22:34:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD3200BB-22KEA0 rev.08.05J08
Running: rplt1sur.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdrpob.sys


---- System - GMER 1.0.15 ----

SSDT 8A272CB8 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA3630350]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA3630580]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB4D5B000, 0x230C27, 0xE8000020]
init C:\WINDOWS\SYSTEM32\drivers\samfilt.sys entry point in "init" section [0xA45EAD00]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F8000A
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F9000A
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F7000C
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0305000A
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 0306000A
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 0326000A
.text C:\WINDOWS\System32\svchost.exe[968] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 0108000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0182000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0183000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0167000C
.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0153000A
.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0154000A
.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0152000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 8A78127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A78127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A78127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 8A78127F

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD3200BB-22KEA0_____________________08.05J08#5&60ba549&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:36 PM

Posted 22 March 2011 - 04:10 PM

Good evening. :)

The golden rule with anti-virus programs is that you have only one running in real-time at any one time, so you need to pick one and uninstall the other before we continue.

As the tool that we, or more accurately you, are going to use doesn't get on with AVG very well, this reduces the choice that you have. If Norton is still able to update - your subscription hasn't elapsed - then I suggest that you remove AVG, at least for now. If Norton is out of date, then I suggest that you download a copy of the AVG installer, available here, and then uninstall both programs.

Whichever way you choose to go, you want to download the ComboFix executable, as per the instructions below, BEFORE you disconnect from the internet and uninstall one or both of your anti-virus programs. Run CF and then, if necessary if you have uninstalled both anti-virus programs, install AVG and then update it once you get back online - you don't want to be connected to the internet without any AV protection.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.


If you have any questions please ask them BEFORE you begin.

So long, and thanks for all the fish.

 

 


#3 IgorHallduck

IgorHallduck
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 22 March 2011 - 05:28 PM

Hello
Thank you for such a quick response, wasn't expecting one for a while because it seems like yall are quite busy. Ok I am to the point where I am redownloading my antivirus and getting ready to delete Symantec, but I cannot find the AVG one on the add/remove programs list. I went through the list four or five times and I dont think I am overlooking it. Is there a better way to do this? sorry to be a pain!

Also, would you recommend AVG or Symantec anti-virus(or any others for that matter)? I use the corporate version of Symantec provided to me through my university for free. I am a college student so I cant exactly go out and spend a large chunk of change on a program at this moment.

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:36 PM

Posted 22 March 2011 - 05:46 PM

it seems like yall are quite busy.

Yup - lucky for you I stick to XP logs and they are becoming rarer as people upgrade their versions of Windows.

Is there a better way to do this?

Download AppRemover by OPSWAT from here and save it to your Desktop.

Follow the instructions here and let the tool take the strain.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The "usual suspects" when it comes to free AVs are as follows:

AVG Free Edition: Available here.
avast! 4 Home Edition: Available here
AntiVir Personal Edition Classic : Available here
Microsoft Security Essentials: Available here

I've used all four at one time or another and got on well enough with each of them, so it's down to personal preference.
At the moment i'm using MSE on a couple of laptops, but that doesn't constitute any great recommendation as I don't tend to pick up infections on my machines regardless of AV protection - you get a feel for what not to do after a while, so not exposing the PC to a threat means that an AV never gets to fail to protect against that threat.

I am a college student so I cant exactly go out and spend a large chunk of change on a program at this moment.

I imagine that the price of beer must be an issue! :whistle:

So long, and thanks for all the fish.

 

 


#5 IgorHallduck

IgorHallduck
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 22 March 2011 - 06:29 PM

OK I ran that program and it found everything but the AVG anti virus. The log said it is enable and updated, but it doesn't appear to be on my computer at all. I found the AVG folder in my program files though. I don't ever even remember having AVG on my computer in the first place. I have not ran CF yet because it says to make sure that my antivirus is disabled.

Haha lucky for me that I didnt like Windows Vista and am not nearly cool enough for Windows 7.

I got Microsoft Security Essentials to install when then this is done.

Beer prices arent that big of a problem because I just substitute beer for food, its book prices that keep me broke.

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:36 PM

Posted 23 March 2011 - 02:57 PM

Good evening. :)

It could be that the Security Center still thinks that it's present, and so we'll need to get it to re-audit the system:

1) Right-click My Computer.
2) Click Manage.
3) Click on the plus sign "+" next to Services and Applications in the left-hand pane.
4) Click Services.
5) Locate the service called Windows Management Instrumentation in the right hand pane, you may need to drag the divider next to Description at the top to better see the various entries, right-click it and choose Stop.
6) Open My Computer or Windows Explorer and navigate to the C:\Windows\System32\WBEM[/b] folder.
7) Right-click on the Repository folder and click Delete to remove it
8) Return to the Windows services screen using steps 1 - 4 shown above.9) Locate the service Windows Management Instrumentation, right-click on it, and choose Start - restarting this service will rebuild the repository folder information.
10) Restart your computer.

All being well this will remove the AVG entry from the Security Center and you should be able to run CF and install an AV etc...

Let me know if you have an problems.

Beer prices arent that big of a problem because I just substitute beer for food

And they say further education teaches nothing!

So long, and thanks for all the fish.

 

 


#7 IgorHallduck

IgorHallduck
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 24 March 2011 - 01:00 AM

Hey,
You have talent! That Combofix program is pretty picky, it took me around 5 tries to get it to work.(user errors) As of now the computer has gotten a little faster and I have Microsoft Security Essentials installed. Google has stopped jumping to other websites from what I can tell. Upon start-up I did receive two error messages saying that windows could not start the tprpst.dll and edahixusoyaqoxi.dll files, which judging by the names of the files sounds like a good thing. Other than that I couldn't really tell any other performance differences because I have only had around 10 minutes to play around on here. One thing I did want to mention though is that I attempted to remove Superantispyware from the computer but the icon is still there on startup, but the program you gave me no longer can find it and its no longer listed in program files, this isnt a big deal, just thought Id let you know in case this alters any of the other steps taken

I wanted to also apologize for taking a while to get back to you, I had to give a presentation today and pretend to be professional for a while so it has been a long day.


ComboFix 11-03-23.04 - Owner 03/24/2011 0:13.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1639 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\ntuser.pol
c:\documents and settings\Owner\Application Data\igxpgd32.dat
c:\documents and settings\Owner\Local Settings\Application Data\{CBF2FE56-8F2E-499C-A72B-8547059192EF}
c:\documents and settings\Owner\Local Settings\Application Data\{CBF2FE56-8F2E-499C-A72B-8547059192EF}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{CBF2FE56-8F2E-499C-A72B-8547059192EF}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{CBF2FE56-8F2E-499C-A72B-8547059192EF}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{CBF2FE56-8F2E-499C-A72B-8547059192EF}\install.rdf
c:\windows\edahixusoyaqoxi.dll
c:\windows\tprpst.dll
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-02-24 to 2011-03-24 )))))))))))))))))))))))))))))))
.
.
2011-03-24 04:32 . 2011-03-24 04:32 -------- d-----w- c:\windows\LastGood
2011-03-24 03:10 . 2011-03-24 03:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-22 22:48 . 2011-03-22 22:48 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-03-22 01:42 . 2011-03-22 01:42 -------- d-----w- C:\4f24a53c394c14303661a4c88d4da78b
2011-03-22 01:05 . 2011-03-22 22:39 -------- d-----w- c:\program files\Free Window Registry Repair
2011-03-21 02:55 . 2011-03-21 02:55 -------- d-----w- C:\8fc6e1d1a56167e4575591aa1c7b5a78
2011-02-24 04:34 . 2011-03-24 01:18 0 ----a-w- c:\windows\Scaluvayadep.bin
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-10 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-29 2424560]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-15 98304]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-12-13 0]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-09-14 17:38 69632 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2010-02-04 08:17 107176 ----a-w- c:\program files\Lexmark Z2300 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-08 01:07 61952 ----a-w- c:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2005-03-23 23:26 217088 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdpmon.exe]
2010-02-04 08:17 672424 ----a-w- c:\program files\Lexmark Z2300 Series\lxdpmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 16:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-08-27 13:09 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 01:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2005-09-14 17:38 14820864 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-20 03:46 1238352 ----a-w- c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-01-12 05:05 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-28 04:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
2005-03-15 09:46 196608 ----a-w- c:\program files\Microsoft IntelliType Pro\type32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\WINDOWS\\system32\\lxdpcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpwbgw.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\S.W.A.T. 4\\ContentExpansion\\System\\Swat4X.exe"=
"c:\\Program Files\\S.W.A.T. 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Apps\\2.0\\E59YJA8M.NVR\\7EQ9RXT5.E6W\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/4/2009 3:50 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 3:49 PM 67656]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/22/2010 7:42 PM 10384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/7/2010 10:44 PM 136176]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [7/30/2010 2:33 PM 36608]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S4 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
S4 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [1/12/2009 10:36 PM 98984]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/25/2007 12:22 AM 24652]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 02:44]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 02:44]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sp6ky6n7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Adupifohah - c:\windows\tprpst.dll
HKLM-Run-Ayalajijohap - c:\windows\edahixusoyaqoxi.dll
Notify-NavLogon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-24 00:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(540)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(680)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-03-24 00:57:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-24 04:57
ComboFix2.txt 2010-11-29 20:02
.
Pre-Run: 216,965,013,504 bytes free
Post-Run: 216,976,064,512 bytes free
.
- - End Of File - - D514A6E5C8A5DFC039258DC03D7B575B

And they say further education teaches nothing!


Hey! aside from my forensic accounting education I have learned a lot in college:

Budgeting- Beer to food cost ratio
Negotiation tactics- women...
Culinary skills- What to mix with raman noodles to make them edible
Carpentry- built a beer pong table and a bar in my apartment
Time Management- how much time I can spend at the bar without letting my grades slip
Improvisation- Oh crap! I am supposed to give a presentation today

And I have a new found respect for the working man, because without them, I wouldn't have the HOPE scholarship to pay for my education

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:36 PM

Posted 24 March 2011 - 04:28 PM

Good evening. :)

I wanted to also apologize for taking a while to get back to you, I had to give a presentation today and pretend to be professional for a while so it has been a long day.

Consider it not.

OK, we'll go with an online scan to see if there are any leftovers and then tidy-up and see you on your way after that if all is well.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you also throw in a fresh DDS log and let me know how the PC is behaving.

So long, and thanks for all the fish.

 

 


#9 IgorHallduck

IgorHallduck
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 25 March 2011 - 01:12 AM

Hey!
Hope you are doing well. Just wanted to let you know that I have tried to run the online scan a few times today and it keeps freezing. I have had another busy day but I'll be around tomorrow all day and I'll try it again. I didn't want to try it on Internet explorer because it is outdated still but if you are ok with it I'll update explorer and try it again there

#10 IgorHallduck

IgorHallduck
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 25 March 2011 - 02:14 PM

Hey finally got it to work. PC is still behaving fine, browser may be a tiny bit laggy but no other performance issues I can see as of right now... and the sluggishness may be a result of my gfx card overheating, just turned the fan up on it as it was only at like 5% of full speed and it recommends running at like 20% I think

Here is what have:

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\igxpgd32.dat.vir probably a variant of Win32/KillAV.DVMEMQE trojan


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 15:11:06.81 on Fri 03/25/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1113 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\Toolbox\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\CurseClientStartup.ccip
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\sp6ky6n7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl2381b343;MpKsl2381b343;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4a144372-1752-416c-b512-fcc4f5034e12}\MpKsl2381b343.sys [2011-3-25 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-4 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 67656]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-8-22 10384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg10\identity protection\agent\bin\avgidsagent.exe" --> c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\avg\avg10\avgwdsvc.exe" --> c:\program files\avg\avg10\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-7 136176]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-7-30 36608]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-25 24652]
.
=============== Created Last 30 ================
.
2011-03-25 17:48:33 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4a144372-1752-416c-b512-fcc4f5034e12}\MpKsl2381b343.sys
2011-03-25 17:46:41 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4a144372-1752-416c-b512-fcc4f5034e12}\mpengine.dll
2011-03-25 00:03:51 -------- d-----w- c:\program files\ESET
2011-03-24 16:16:48 711632 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2011-03-24 16:16:48 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-24 16:16:31 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-24 16:16:31 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-03-24 16:16:31 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-24 16:16:31 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-03-24 16:16:31 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-24 16:16:30 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-24 16:16:30 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-24 16:16:29 924632 ----a-w- c:\program files\mozilla firefox\firefox.exe
2011-03-24 16:16:29 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-24 16:16:29 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-24 05:40:39 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-24 05:35:32 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-24 05:05:14 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-24 03:54:31 -------- d-----w- C:\ComboFix
2011-03-24 03:10:26 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-24 03:10:25 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-22 22:48:32 -------- d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2011-03-22 22:09:26 -------- d-----w- c:\windows\system32\appmgmt
2011-03-22 01:42:12 -------- d-----w- C:\4f24a53c394c14303661a4c88d4da78b
2011-03-22 01:05:59 -------- d-----w- c:\program files\Free Window Registry Repair
2011-03-21 02:55:37 -------- d-----w- C:\8fc6e1d1a56167e4575591aa1c7b5a78
2011-02-24 04:34:16 0 ----a-w- c:\windows\Scaluvayadep.bin
.
==================== Find3M ====================
.
2011-02-04 21:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 21:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:13:38.90 ===============

#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:36 PM

Posted 25 March 2011 - 03:01 PM

Good evening. :)

ESET has been updating it's site and probably it's scanner too, and they are likely the cause of the scan issues you had - a number of people are reporting similar problems.

The ESET detection is a file that ComboFix quarantined, so it poses no risk to your system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.

  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of it's actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

Let me know how you get on.

So long, and thanks for all the fish.

 

 


#12 IgorHallduck

IgorHallduck
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 29 March 2011 - 04:50 PM

Hey!
I ran these steps and the computer is running better than it did when I bought it, or at least it feels like it. Is there anything else that needs to be done? Sorry I went out of town for a job fair last week and forgot all about fixing my computer. I just want to say you are a life saver, I cant thank you enough for getting my computer better.

#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:36 PM

Posted 30 March 2011 - 02:31 PM

Good evening. :)

Sorry I went out of town for a job fair last week and forgot all about fixing my computer.

I do find it hard to believe that people have better things to do than sit in front of computers all evening - jealousy is a baaaaad thing! :angry:

I've got some good news, and potentially some bad, depending on whether or not your computer came with any recovery disks. One of the nasties that your PC had messes with the Master Boot Record. ComboFix removed it and wrote a standard mbr in it's place, but your PC may have had a custom mbr, which isn't what you now have.

Your computer looks like a Dell, and some Dell's come with a recovery partition and Dell System Restore software to enable you to reinstall the operating system in the event it gets all bent out of shape. The custom mbr is the way that you access this system recovery software, which is different to Windows System Restore, and without the correct mbr you can no longer recover the PC in the worst of cases.

If the system came with a recovery disk, or disks, then you have nothing to worry about, but if not, you have two choices:
1) Contact Dell and get hold of the disks.
2) Write a custom mbr to the correct area of the hard drive to restore things to how they were.

Option 2 is a little involved, but nothing that we can't manage between us, so if you don't have disks and your PC does have a recovery partition, which we can check on if necessary, you'll need to decide whether to take the plunge or not - let me know.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The good news is that unless the above applies, you're about done. Regardless of the above, work through the following:

Free Window Registry Repair - found in Add/Remove Programs. There are two schools of thought with regard to registry tools and i'm in the second: no, no and thrice NO!!!!!!!!
The Windows registry is a vital part of the computer and it is best left alone. There is very little to be gained by messing with it and the potential for disaster if something important is removed outweighs any of those possible gains - and the second school of thought doesn't think there are that many gains to be had anyway.

Look at it this way, I would only run a registry cleaning/repair tool if my PC was so badly behaved I was one step away from reformating it and if that was the case, i'd skip the registry play and just reformat and save time.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***

  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older version of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and i've missed it, please ignore this.
If you are relying the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which i've used at one time or another) :

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Don't forget to let me know where you stand on the recovery issue.

So long, and thanks for all the fish.

 

 


#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:36 PM

Posted 04 April 2011 - 04:08 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users