Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Re-direct virus to "delivery.jemacpv.com", "9newstoday.net" and others


  • This topic is locked This topic is locked
7 replies to this topic

#1 kmanz

kmanz

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Regina, SK., CANADA
  • Local time:05:33 AM

Posted 31 January 2012 - 03:53 PM

Acquired this trojan virus around Jan.25/12 and it is causing increasing problems with numerous re-directs to various unwanted sites when clicking on "favorites" links, links in emails, links on Google searches, etc. AVG 2012 has done a computer scan and found and isolated two trojan problems; but they are not eliminated! Am running Windows XP with SP3. Tried system restores under safe mode back to dates prior to Jan. 25th but each time get message that restore is unsuccessful because system has not changed. Link to Microsoft updates is no longer accessible. Recent pages button quite working in IE8. 60% of my "favorites" links had "hidden" attributes which I had to correct.
Found a similar topic in your website from "tonyTrout2001" dated Jan.18/12 under "topic438778" which was resolved by "Gringo", that I want to try. HOWEVER, I'll wait until someone from you site contacts me to direct me on the proper steps to get rid of this problem with re-directs first and see if the other incidents get resolved from there. I wish to get this addressed asap, if possible.
I've done the first 4 staps of your "preparation guide" and working on the rest ...
Thanks in advance for your help.
Regards;
... Ken Manz

BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:33 PM

Posted 31 January 2012 - 04:48 PM

Hello,Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 kmanz

kmanz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Regina, SK., CANADA
  • Local time:05:33 AM

Posted 01 February 2012 - 11:08 AM

See "topic440788.html" in this forum for initial info.
The following comments are observations on executing steps in "the Guide" starting at Step 6:
1. Step 6: Ran Defogger to "Finished" and OK'd it.
2. Step 7: Ran DDS.scr; got DDS.txt and Attach.txt files on Desktop after a few AVG threat detected messages about "Trojan horse Crytic.DWO".
3. Step 8: Took three runs to get GMER log:
a. First time 4kq77jor.exe was inadvertently loaded and run from "Programs" file, encounter a problem and closed.
b. Second time was run correctly from desktop but ended up looping in C:\Documents and Settings\Ken Manz\Temporary Internet Files\Content.IE5\1GZYTREB\constant looping here ...
c. Third time ran only GMER (no internet on) all night and in morning saved the file to "ark.txt" on desktop. However nothing else would run on computer. No emails, no saves, no opening of files - eventually had to power off and reboot. It luckily came up again, normally.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Ken Manz at 19:49:12 on 2012-01-31
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.349 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Documents and Settings\Ken Manz\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Documents and Settings\All Users\Application Data\bProtector\bProtect.exe
C:\Documents and Settings\All Users\Application Data\bProtector\bProtect.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\InstallBrainService\InstallBrainService.exe
C:\WINDOWS\system32\lxdbcoms.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.myaccess.ca/Home/Communities/Regina/tabid/77/zone/Regina/Default.aspx
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Radio Bar 2 Toolbar: {9bb815eb-3f9f-4e11-9150-cb70e29b40fc} - c:\program files\radio_bar_2\tbRadi.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: File2LinkIB: {c23b756a-bd9f-4ca6-aded-17ab8ccf3e8b} - c:\program files\file2linkib\file2linkibX.dll
TB: Radio Bar 2 Toolbar: {9bb815eb-3f9f-4e11-9150-cb70e29b40fc} - c:\program files\radio_bar_2\tbRadi.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: File2LinkIB: {c23b756a-bd9f-4ca6-aded-17ab8ccf3e8b} - c:\program files\file2linkib\file2linkibX.dll
uRun: [Creative Live! Cam Manager] "c:\program files\creative\creative live! cam\live! cam manager\CTLCMgr.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WeatherEye] c:\documents and settings\ken manz\local settings\application data\theweathernetwork\weathereye\WeatherEye.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [LXDBCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXDBtime.dll,_RunDLLEntry@16
mRun: [V0350Mon.exe] c:\windows\V0350Mon.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Anti-phishing Domain Advisor] "c:\documents and settings\all users\application data\anti-phishing domain advisor\visicom_antiphishing.exe"
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\kenman~1\startm~1\programs\startup\mailwa~1.lnk - c:\program files\firetrust\mailwasher free\MailWasher.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
Trusted Zone: adobe.com\www
Trusted Zone: advisor.ca\www
Trusted Zone: aeroplan.com\www
Trusted Zone: aircanada.com\www
Trusted Zone: avg.com\www.guru
Trusted Zone: ci.com\www
Trusted Zone: ezblast.ca\www
Trusted Zone: google.com\maps
Trusted Zone: greatwestlife.com\ykc
Trusted Zone: grsaccess.com\www
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\support
Trusted Zone: myaccess.ca\www
Trusted Zone: nascar.com\www
Trusted Zone: newstalgiawheel.com\www
Trusted Zone: quadrusinvestment.com\www
Trusted Zone: staceydavid.com\www
Trusted Zone: wotif.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: TruePass EPF 7,0,0,478 - hxxps://standards.fundserv.com/TruePassSample/applets/entrusttruepassapplet-epf.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} - hxxp://fulfillment.puretracks.com/onager.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.photogize.com/bponet/ImageUploader5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135378966609
DPF: {7F245E01-651F-48E5-8A85-4752EC65E4ED} - hxxp://www.saharavegas.com/dining/Nascar-cafe/Cisco210Viewer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.photolab.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} - hxxps://register.creative.com/register/OCXs/CtORWebClientNoMFC.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
TCP: DhcpNameServer = 65.87.230.4 65.87.230.5
TCP: Interfaces\{7A082C3B-EE77-4705-9EDF-D2B8575A4E05} : DhcpNameServer = 65.87.230.4 65.87.230.5
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
AppInit_DLLs: protector.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = :\windows\syste
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 bProtector;bProtector;c:\documents and settings\all users\application data\bprotector\bProtect.exe [2011-12-10 803328]
R2 InstallBrainService;InstallBrain Updater Service;c:\program files\installbrainservice\InstallBrainService.exe [2011-12-10 273912]
R2 lxdb_device;lxdb_device;c:\windows\system32\lxdbcoms.exe -service --> c:\windows\system32\lxdbcoms.exe -service [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\drivers\V0350Afx.sys [2009-7-13 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [2009-7-13 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [2009-7-13 170368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1ca03d381f67178;Google Update Service (gupdate1ca03d381f67178);c:\program files\google\update\GoogleUpdate.exe [2009-7-13 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-13 133104]
S3 MTK;Media Technology Kernel Driver; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2002-12-12 4064]
S4 mrtRate;mrtRate; [x]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
.
=============== Created Last 30 ================
.
2012-01-31 22:07:03 50477 ----a-w- c:\program files\Defogger.exe
2012-01-28 19:54:03 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-01-28 04:43:54 -------- d-----w- c:\documents and settings\ken manz\application data\Windows Search
2012-01-28 04:25:59 -------- d-----w- c:\documents and settings\ken manz\application data\Windows Desktop Search
2012-01-28 04:24:01 -------- d-----w- c:\program files\Windows Desktop Search
2012-01-28 04:24:00 -------- d-----w- c:\windows\system32\GroupPolicy
2012-01-28 04:20:49 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2012-01-28 04:20:49 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2012-01-28 04:20:48 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2012-01-27 21:41:29 -------- d-----w- c:\documents and settings\ken manz\local settings\application data\PCHealth
2012-01-27 21:38:35 -------- dc-h--w- c:\windows\ie8
2012-01-27 04:56:42 -------- d-----w- c:\documents and settings\ken manz\application data\MailWasherFree
2012-01-27 04:56:21 -------- d-----w- c:\documents and settings\ken manz\local settings\application data\blekkotb
2012-01-27 04:56:17 -------- d-----w- c:\documents and settings\all users\application data\Anti-phishing Domain Advisor
2012-01-27 04:48:11 -------- d-----w- c:\documents and settings\ken manz\application data\Firetrust
2012-01-27 02:51:15 -------- d-----w- c:\documents and settings\ken manz\application data\AVG
2012-01-26 23:29:45 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-01-26 23:29:45 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-26 14:59:25 3348632 ---ha-w- c:\documents and settings\all users\SPL22D0.tmp
2012-01-03 14:22:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-12-10 19:45:05 748544 ----a-w- c:\windows\system32\protector.dll
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-11 16:22:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2009-07-13 15:59:41 2032936 ----a-w- c:\program files\SkypeSetup.exe
2009-05-12 03:29:59 157 ----a-w- c:\program files\restoreregistry.reg
2006-11-12 03:40:33 3401978 ----a-w- c:\program files\MailWasher_Free_setup.exe
2004-04-20 14:52:53 10135688 ----a-w- c:\program files\MPSetupXP.exe
2003-02-03 19:44:45 10091750 ----a-w- c:\program files\PAF5EnglishSetup.exe
.
============= FINISH: 19:52:20.39 ===============

EDIT: Topics merged ~Budapest

Attached Files


Edited by Budapest, 01 February 2012 - 04:56 PM.


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 AM

Posted 01 February 2012 - 10:21 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 kmanz

kmanz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Regina, SK., CANADA
  • Local time:05:33 AM

Posted 03 February 2012 - 10:52 AM

Have some critical work to be done on my infected computer so I'll not take the chance of running ComboFix until the end of next week. Hopefully will respond by Feb. 10th.
Regards;
... Ken Manz

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 AM

Posted 03 February 2012 - 02:59 PM

Hello ken


I will close this then and when you have the combofix report just send me a pm and I will open it for you is this alright with you



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 kmanz

kmanz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Regina, SK., CANADA
  • Local time:05:33 AM

Posted 03 February 2012 - 05:39 PM

Fine with me Gringo, hope to send you a pm next week. ... Ken Manz

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 AM

Posted 03 February 2012 - 05:42 PM

see you next week



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users