Live Chat & Podcast at 1:00PM Eastern on Sunday!
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post Something is very wrong with pc it takes ...
Go to first new post How did you find PC CLEANER PRO on my c ...
Go to first new post Trojan: Win32/Alureon.FK - hijack this l ...
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post Missing Photos/Black Desktop/Phantom Use ...
Go to first new post Network, good; Internet, bad
Go to first new post Need Help
Go to first new post Odd Processes/SCODEF-CREDAT/possible vir ...
Go to first new post Google Hijacker/Google Search Result vir ...
Go to first new post server not found
Go to first new post slow computer, downloads over a few mb f ...
Go to first new post Ramnit virus, nearly cleared
Go to first new post Windows live Messenger Virus
Go to first new post We Got System Checked :-(
Go to first new post This setup thing keeps popping up everyd ...
Tag Cloud
access acer asus bios bsod crash desktop driver drivers error ethernet excel freeze gaming graphics hard drive hardware hdmi internet laptop lcd malware memory monitor motherboard network operating system printer problem ram registry router slow software sound toshiba trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Solved: Trojans Detected

Page 2 of 3 1 2 3
Reply  
Thread Tools
patmac's Avatar
Computer Specs
Senior Member with 615 posts.
  
Join Date: May 2004
Location: Earth
Experience: Beginner
11-Nov-2009, 05:05 PM #16
attaching OTS. Am I doing this right??
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
Register for free to hide this ad!
NeonFx's Avatar
Senior Member with 4,817 posts.
  
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 05:28 PM #17
Good. Let's get rid of the most serious stuff first and then take care of the rest.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to move:
C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_45f67928\nvstor.sys | C:\Windows\System32\drivers\nvstor.sys
C:\Windows\System32\logevent.dll | C:\Windows\System32\cngaudit.dll

Files to delete:
C:\Windows\wmqr74340.exe
C:\Windows\win32k.sys
C:\Windows\System32\tdlwsp.dll

Folders to delete:
C:\ProgramData\57084529

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
5. Please copy/paste the content of c:\avenger.txt into your reply.



============


Then double click on TheHammer.exe and attach or copy and paste the results (C:\ComboFix.txt) to your next reply for me.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
patmac's Avatar
Computer Specs
Senior Member with 615 posts.
  
Join Date: May 2004
Location: Earth
Experience: Beginner
11-Nov-2009, 05:56 PM #18
Please bear with me. Copy and paste the avenger.txt into one reply. Then, run Combofix again and reply with that txt file in another reply? I take it the attachments work, and are blocked to all except you?
NeonFx's Avatar
Senior Member with 4,817 posts.
  
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 05:59 PM #19
The attachments do work and yes, only malware removal staff can see them. It doesn't really matter if you copy and paste or attach the results for avenger or combofix. Do whatever you're most comfortable with. Just as long as I can see the results
patmac's Avatar
Computer Specs
Senior Member with 615 posts.
  
Join Date: May 2004
Location: Earth
Experience: Beginner
11-Nov-2009, 06:30 PM #20
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_45f67928\nvstor. sys|C:\Windows\System32\drivers\nvstor.sys" completed successfully.
File move operation "C:\Windows\System32\logevent.dll|C:\Windows\System32\cngaudit.dll" completed successfully.
File "C:\Windows\wmqr74340.exe" deleted successfully.
File "C:\Windows\win32k.sys" deleted successfully.
File "C:\Windows\System32\tdlwsp.dll" deleted successfully.
Folder "C:\ProgramData\57084529" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
NeonFx's Avatar
Senior Member with 4,817 posts.
  
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 06:52 PM #21
Good Job. That step doesn't always work and it did in your case. Let me know when you have the other results to confirm that it worked.
patmac's Avatar
Computer Specs
Senior Member with 615 posts.
  
Join Date: May 2004
Location: Earth
Experience: Beginner
11-Nov-2009, 07:01 PM #22
ComboFix 09-11-09.02 - Dixie 11/11/2009 17:35.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1022.315 [GMT -5:00]
Running from: c:\users\Dixie\Desktop\TheHammer.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tdlwsp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-11 22:48 . 2009-11-11 22:51 -------- d-----w- c:\users\Dixie\AppData\Local\temp
2009-11-11 22:48 . 2009-11-11 22:48 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-11 22:48 . 2009-11-11 22:48 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-11 22:48 . 2009-11-11 22:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-11 04:45 . 2009-08-14 14:01 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 04:45 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-06 13:50 . 2009-10-21 17:31 2064152 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-11-04 00:55 . 2009-11-04 00:55 -------- d-----w- c:\program files\Air Mouse
2009-11-04 00:06 . 2009-11-04 00:14 -------- d-----w- c:\program files\TightVNC
2009-11-02 13:50 . 2009-10-21 17:31 2025752 ----a-w- c:\programdata\avg8\update\backup\avgtray.exe
2009-10-25 14:54 . 2009-10-25 15:12 -------- d-----w- C:\AVGTemp
2009-10-22 21:34 . 2009-10-22 21:34 680 ----a-w- c:\users\Dixie\AppData\Local\d3d9caps.dat
2009-10-20 22:05 . 2007-05-21 03:45 1140312 ------w- c:\programdata\HP\Installer\Temp\hpzmsi01.exe
2009-10-20 22:05 . 2007-05-21 03:39 1099352 ------w- c:\programdata\HP\Installer\Temp\hpzscr01.exe
2009-10-19 22:48 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-19 22:48 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-19 22:48 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-19 22:48 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-19 22:47 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-19 22:47 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-19 22:47 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-19 22:47 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-19 22:47 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-14 01:12 . 2009-10-14 01:12 -------- d-----w- c:\users\Dixie\AppData\Local\AIM
2009-10-13 21:42 . 2009-09-04 12:38 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-13 21:40 . 2009-09-14 09:50 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-13 21:37 . 2009-04-02 11:50 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 01:38 . 2008-01-08 20:32 13238 ----a-w- c:\users\Dixie\AppData\Roaming\wklnhst.dat
2009-11-06 13:52 . 2008-09-29 00:44 4096 d-----w- c:\programdata\avg8
2009-11-03 01:42 . 2009-10-03 06:40 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-23 20:01 . 2008-10-19 14:24 -------- d-----w- c:\program files\LimeWire
2009-10-23 00:32 . 2008-07-02 13:28 8192 d-----w- c:\users\Dixie\AppData\Roaming\LimeWire
2009-10-20 21:53 . 2007-10-28 11:51 4096 d-----w- c:\program files\Google
2009-10-20 21:43 . 2008-01-06 01:22 -------- d-----w- c:\programdata\Viewpoint
2009-10-14 07:16 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-09-10 17:38 . 2009-10-13 21:43 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-31 15:21 . 2009-10-13 21:43 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 15:17 . 2009-10-13 21:43 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-08-31 15:16 . 2009-10-13 21:43 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-08-29 03:41 . 2009-09-03 00:12 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40 . 2009-09-03 00:12 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:31 . 2009-09-03 00:12 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02 . 2009-10-13 21:43 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57 . 2009-10-13 21:43 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57 . 2009-10-13 21:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56 . 2009-10-13 21:43 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24 . 2009-10-13 21:43 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51 . 2009-10-13 21:43 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-16 00:32 . 2009-09-09 10:07 214104 ----a-w- c:\windows\system32\drivers\netio.sys
2009-08-15 23:58 . 2009-09-09 10:07 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-15 23:54 . 2009-09-09 10:07 416768 ----a-w- c:\windows\system32\IKEEXT.DLL
2009-08-15 23:54 . 2009-09-09 10:07 543232 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2009-08-15 23:53 . 2009-09-09 10:07 317440 ----a-w- c:\windows\system32\BFE.DLL
2009-08-15 21:30 . 2009-09-09 10:07 816640 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-15 21:30 . 2009-09-09 10:07 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-08-15 21:29 . 2009-09-09 10:07 85504 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2009-08-14 16:40 . 2009-09-09 10:07 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40 . 2009-09-09 10:07 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25 . 2009-09-09 10:07 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25 . 2009-09-09 10:07 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25 . 2009-09-09 10:07 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25 . 2009-09-09 10:07 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25 . 2009-09-09 10:07 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25 . 2009-09-09 10:07 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:25 . 2009-09-09 10:07 10240 ----a-w- c:\windows\system32\finger.exe
2007-10-28 19:13 . 2007-10-28 19:04 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-10-28 1006264]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-24 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-24 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-24 81920]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-15 4390912]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-2-16 269824]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDef end]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [9/28/2008 7:44 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [9/28/2008 7:44 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/23/2008 1:41 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/23/2009 7:48 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/23/2009 7:48 PM 297752]
R2 dlbc_device;dlbc_device;c:\windows\system32\dlbccoms.exe -service --> c:\windows\system32\dlbccoms.exe -service [?]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [2/19/2008 3:03 PM 45848]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe --> c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.bearshare.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\users\Dixie\AppData\Roaming\Mozilla\Firefox\Profiles\27oct4gy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKfox000&fl=0&ptb=_HFuCcxKOdmy33yS03dxuA&st=kwd&o=kwd&url =http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&searchfor=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\Dixie\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlbccoms.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\msiexec.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-11-11 17:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-11 22:58
ComboFix2.txt 2009-11-11 19:54

Pre-Run: 159,840,088,064 bytes free
Post-Run: 159,705,231,360 bytes free

- - End Of File - - 0B6CECB882985902CB2EB35B74B7072B
NeonFx's Avatar
Senior Member with 4,817 posts.
  
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 07:13 PM #23
Alright, let's get the rest of it by doing the following:

STEP 1

1. Close any open open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
Firefox::
FF - ProfilePath - c:\users\Dixie\AppData\Roaming\Mozilla\Firefox\Profiles\27oct4gy.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKfox000&fl=0&ptb=_HFuCcxKOdmy33yS03dxuA&st=kwd&o=kwd&url =http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&searchfor=
 
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.aif\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.aifc\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.aiff\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.au\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.flac\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.m3u\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.mid\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.midi\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.mp3\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.ogg\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.pcm\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.pls\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.snd\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.spx\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.wav\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File  Exts\.wma\UserChoice]
NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


STEP 2

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your harddrives.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

STEP 3

Run OTS again and click on the Quick Scan button at the top. Attach the results of this scan in your next reply.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
patmac's Avatar
Computer Specs
Senior Member with 615 posts.
  
Join Date: May 2004
Location: Earth
Experience: Beginner
11-Nov-2009, 08:59 PM #24
ComboFix 09-11-09.02 - Dixie 11/11/2009 19:28.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1022.277 [GMT -5:00]
Running from: c:\users\Dixie\Desktop\TheHammer.exe
Command switches used :: c:\users\Dixie\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-12 00:35 . 2009-11-12 00:38 -------- d-----w- c:\users\Dixie\AppData\Local\temp
2009-11-12 00:35 . 2009-11-12 00:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-12 00:35 . 2009-11-12 00:35 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-12 00:35 . 2009-11-12 00:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-11 04:45 . 2009-08-14 14:01 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 04:45 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-06 13:50 . 2009-10-21 17:31 2064152 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-11-04 00:55 . 2009-11-04 00:55 -------- d-----w- c:\program files\Air Mouse
2009-11-04 00:06 . 2009-11-04 00:14 -------- d-----w- c:\program files\TightVNC
2009-11-02 13:50 . 2009-10-21 17:31 2025752 ----a-w- c:\programdata\avg8\update\backup\avgtray.exe
2009-10-25 14:54 . 2009-10-25 15:12 -------- d-----w- C:\AVGTemp
2009-10-22 21:34 . 2009-10-22 21:34 680 ----a-w- c:\users\Dixie\AppData\Local\d3d9caps.dat
2009-10-20 22:05 . 2007-05-21 03:45 1140312 ------w- c:\programdata\HP\Installer\Temp\hpzmsi01.exe
2009-10-20 22:05 . 2007-05-21 03:39 1099352 ------w- c:\programdata\HP\Installer\Temp\hpzscr01.exe
2009-10-19 22:48 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-19 22:48 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-19 22:48 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-19 22:48 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-19 22:47 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-19 22:47 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-19 22:47 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-19 22:47 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-19 22:47 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-14 01:12 . 2009-10-14 01:12 -------- d-----w- c:\users\Dixie\AppData\Local\AIM
2009-10-13 21:42 . 2009-09-04 12:38 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-13 21:40 . 2009-09-14 09:50 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-13 21:37 . 2009-04-02 11:50 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 01:38 . 2008-01-08 20:32 13238 ----a-w- c:\users\Dixie\AppData\Roaming\wklnhst.dat
2009-11-06 13:52 . 2008-09-29 00:44 4096 d-----w- c:\programdata\avg8
2009-11-03 01:42 . 2009-10-03 06:40 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-23 20:01 . 2008-10-19 14:24 -------- d-----w- c:\program files\LimeWire
2009-10-23 00:32 . 2008-07-02 13:28 8192 d-----w- c:\users\Dixie\AppData\Roaming\LimeWire
2009-10-20 21:53 . 2007-10-28 11:51 4096 d-----w- c:\program files\Google
2009-10-20 21:43 . 2008-01-06 01:22 -------- d-----w- c:\programdata\Viewpoint
2009-10-14 07:16 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-09-10 17:38 . 2009-10-13 21:43 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-31 15:21 . 2009-10-13 21:43 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 15:17 . 2009-10-13 21:43 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-08-31 15:16 . 2009-10-13 21:43 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-08-29 03:41 . 2009-09-03 00:12 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40 . 2009-09-03 00:12 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:31 . 2009-09-03 00:12 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02 . 2009-10-13 21:43 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57 . 2009-10-13 21:43 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57 . 2009-10-13 21:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56 . 2009-10-13 21:43 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24 . 2009-10-13 21:43 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51 . 2009-10-13 21:43 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-16 00:32 . 2009-09-09 10:07 214104 ----a-w- c:\windows\system32\drivers\netio.sys
2009-08-15 23:58 . 2009-09-09 10:07 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-15 23:54 . 2009-09-09 10:07 416768 ----a-w- c:\windows\system32\IKEEXT.DLL
2009-08-15 23:54 . 2009-09-09 10:07 543232 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2009-08-15 23:53 . 2009-09-09 10:07 317440 ----a-w- c:\windows\system32\BFE.DLL
2009-08-15 21:30 . 2009-09-09 10:07 816640 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-15 21:30 . 2009-09-09 10:07 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-08-15 21:29 . 2009-09-09 10:07 85504 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2009-08-14 16:40 . 2009-09-09 10:07 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40 . 2009-09-09 10:07 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25 . 2009-09-09 10:07 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25 . 2009-09-09 10:07 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25 . 2009-09-09 10:07 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25 . 2009-09-09 10:07 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25 . 2009-09-09 10:07 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25 . 2009-09-09 10:07 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:25 . 2009-09-09 10:07 10240 ----a-w- c:\windows\system32\finger.exe
2007-10-28 19:13 . 2007-10-28 19:04 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-10-28 1006264]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-24 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-24 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-24 81920]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-15 4390912]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-2-16 269824]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDef end]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [9/28/2008 7:44 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [9/28/2008 7:44 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/23/2008 1:41 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/23/2009 7:48 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/23/2009 7:48 PM 297752]
R2 dlbc_device;dlbc_device;c:\windows\system32\dlbccoms.exe -service --> c:\windows\system32\dlbccoms.exe -service [?]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [2/19/2008 3:03 PM 45848]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe --> c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [?]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe --> c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.bearshare.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\users\Dixie\AppData\Roaming\Mozilla\Firefox\Profiles\27oct4gy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\Dixie\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlbccoms.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\msiexec.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-11-12 19:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-12 00:45
ComboFix2.txt 2009-11-11 22:58
ComboFix3.txt 2009-11-11 19:54

Pre-Run: 159,730,769,920 bytes free
Post-Run: 159,593,709,568 bytes free

- - End Of File - - 1C762FA28349B78036B90DB7778F2149
NeonFx's Avatar
Senior Member with 4,817 posts.
  
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 09:06 PM #25
Good Let me know when you have the results from the other two steps.

I don't mean to hurry you. Take all the time you need. I just like being the last to reply so that I can keep track of which topics I have reviewed.
patmac's Avatar
Computer Specs
Senior Member with 615 posts.
  
Join Date: May 2004
Location: Earth
Experience: Beginner
11-Nov-2009, 10:03 PM #26
Malwarebytes' Anti-Malware 1.41
Database version: 3151
Windows 6.0.6000

11/11/2009 8:56:08 PM
mbam-log-2009-11-11 (20-56-08).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 242810
Time elapsed: 49 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Windows\9129837.exe.vir (Spyware.Zbot) -> Quarantined and deleted successfully.
patmac's Avatar
Computer Specs
Senior Member with 615 posts.
  
Join Date: May 2004
Location: Earth
Experience: Beginner
11-Nov-2009, 10:13 PM #27
I didn't select "Scan All Users". I saved this one as OTS2. It's getting late here, I'm on the east coast, just so you know if I don't get back with you tonight.
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
NeonFx's Avatar
Senior Member with 4,817 posts.
  
Join Date: Oct 2008
Location: California, USA
11-Nov-2009, 10:33 PM #28
There's two minor things in the OTS log that we need to take care of but you seem to be in the clear

I want to run an online scan. This can take a while but it's well worth it as it can often find things all other scanners will miss.

STEP 1

Run OTS

  • Under the Paste Fix Here box on the right, paste in the contents of following code box


Code:
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" [HKLM] -> Reg Error: Key error. []
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.


Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
If it seems to get stuck, give it some time. It's probably still working.


STEP 2

Before we do, I need you to update Internet Explorer to IE8. Even if you don't use it, we need to have it updated as its components are deeply connected with Windows itself.

Please go here to download the installer:

http://www.microsoft.com/windows/internet-explorer/


STEP 3

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp


STEP 4

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.



2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.


The program will then begin downloading and installing and will also update the database.


Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
patmac's Avatar
Computer Specs
Senior Member with 615 posts.
  
Join Date: May 2004
Location: Earth
Experience: Beginner
12-Nov-2009, 11:48 AM #29
Here's the OTS log, but a few questions please;
During this whole process of malware removal, IE has just showed up on the Desktop, is this normal? Keep getting "Windows has blocked some startup programs" message, is this ok? Anfinally, When (if ) I get to the online scan part, how do we keep things from notifiying the computer while the scan is running? I'm assuming we don't want any interruptions? One more thing, the scan went really fast, almost as soon as I clicked run fix, it told me to reboot to finish, not sure if that's pertinent info or not. Thanks

All Processes Killed
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
< End of fix log >
OTS by OldTimer - Version 3.1.5.0 fix logfile created on 11122009_103758
Last edited by patmac; 12-Nov-2009 at 12:54 PM.. Reason: Needed to add a comment about the scan
NeonFx's Avatar
Senior Member with 4,817 posts.
  
Join Date: Oct 2008
Location: California, USA
12-Nov-2009, 02:37 PM #30
You can delete the IE icon on your desktop, but yes, it's normal for it to be there. A setting was probably reset at some stage.

To disable the Blocked some startup programs message see HERE

And... I'm not sure I know what you mean by "how do we keep things from notifiying the computer while the scan is running?" Do you mean the UAC prompt where it asks you for permission to continue? See HERE for how to temporarily disable that. You can reenable it once its done.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 2 of 3 1 2 3

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 03:15 AM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.