1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Hacked Browser/Redirect Virus?

Discussion in 'Virus & Other Malware Removal' started by mmariecrys, Nov 26, 2011.

Thread Status:
Not open for further replies.
Advertisement
  1. mmariecrys

    mmariecrys Thread Starter

    Joined:
    Apr 18, 2007
    Messages:
    25
    Hello, I am having redirect errors on my laptop over the past few days it has gotten progressively worse. Now I cannot connect to directly typed websites or perform any searches. I am pasting the HJT and DDS reports. I ran GMER, but it scanned for 3 hours and at the end there was no ark.txt file available to save. Thank you for your help.

    Dell Latitude D630
    XP SP 3
    IE 7

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:42:21 PM, on 11/26/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080422
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackboard.ecu.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080422
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/small...n&client=dell-usuk&channel=us-smb&ibd=6080422
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52848
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [37465982736455] C:\Documents and Settings\All Users\Application Data\gwr\mradll.exe
    O4 - HKLM\..\Run: [03874569874596] C:\Documents and Settings\All Users\Application Data\gwr\rwg.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [C23.exe] C:\Program Files\LP\3857\C23.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [ampmdm] C:\Program Files\Altnet Music Plugin\AMPMDM.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - https://de207.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab
    O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.23.0.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
    O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 11407 bytes


    .
    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
    Run by Morgan at 13:44:17 on 2011-11-26
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1626 [GMT -5:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.blackboard.ecu.edu/
    uSearch Page = hxxp://www.google.com
    uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080422
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080422
    uInternet Settings,ProxyServer = http=127.0.0.1:52848
    uWinlogon: Shell=explorer.exe,
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [ampmdm] c:\program files\altnet music plugin\AMPMDM.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
    mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    mRun: [KADxMain] c:\windows\system32\KADxMain.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [37465982736455] c:\documents and settings\all users\application data\gwr\mradll.exe
    mRun: [03874569874596] c:\documents and settings\all users\application data\gwr\rwg.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [C23.exe] c:\program files\lp\3857\C23.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    StartupFolder: c:\docume~1\morgan\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxps://de207.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} - hxxp://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab
    DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX28.cab
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.23.0.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    TCP: DhcpNameServer = 66.76.227.40 208.180.42.68 192.168.1.1
    TCP: Interfaces\{4DCFEFAB-7F85-411C-BA0B-2A7CB484886C} : DhcpNameServer = 66.76.227.40 208.180.42.68 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    LSA: Authentication Packages = msv1_0 wvauth
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\morgan\application data\mozilla\firefox\profiles\2vjfeflg.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.blackboard.ecu.edu/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 52848
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\altnet music plugin\ffxpi\plugins\npAMPff.dll
    FF - plugin: c:\program files\altnet music plugin\ffxpi\plugins\npAMPff.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Kazaa Media Player: {494d1265-1d59-43c6-8fa1-eb1d9224278a} - c:\program files\altnet music plugin\ffXPI
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-11-25 64512]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-9-17 2477304]
    S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
    S2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
    S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
    S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-18 106104]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-2-14 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-2-14 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-2-14 42112]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-2-14 23680]
    S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111125.019\NAVENG.SYS [2011-11-25 86136]
    S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111125.019\NAVEX15.SYS [2011-11-25 1576312]
    .
    =============== Created Last 30 ================
    .
    2011-11-26 18:41:04 -------- d-----w- c:\program files\Trend Micro
    2011-11-26 18:40:49 302592 ----a-w- C:\ic1ymwxo.exe
    2011-11-26 18:40:48 812344 ----a-w- C:\HJTsetup.exe
    2011-11-26 18:40:48 1402880 ----a-w- C:\HiJackThis.msi
    2011-11-26 18:40:11 607260 ------r- C:\dds.com
    2011-11-26 04:49:28 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-11-26 03:22:29 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-11-26 03:19:17 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-11-26 02:29:17 -------- d-----w- c:\documents and settings\morgan\local settings\application data\NTRU Cryptosystems
    2011-11-26 02:29:12 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2011-11-26 02:27:50 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
    2011-11-26 02:27:24 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-11-26 02:27:24 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-11-26 02:26:26 -------- d-----w- c:\program files\Symantec AntiVirus
    2011-11-26 02:22:58 90587136 ----a-w- C:\Endpoint.exe
    2011-11-26 02:20:42 12021760 ----a-w- C:\Ad-Aware96Install.msi
    2011-11-21 05:31:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-11-21 05:31:27 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2011-11-21 00:30:28 -------- d-----w- c:\program files\78A7C
    2011-11-21 00:29:53 -------- d-----w- c:\documents and settings\morgan\application data\78078
    2011-11-21 00:29:51 -------- d-----w- c:\program files\LP
    .
    ==================== Find3M ====================
    .
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 13:44:49.50 ===============
     

    Attached Files:

  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    OK, do the following :-

    Step 1

    Disable teatimer and leave off for now.
    1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol ) and choose Exit Spybot S&D Resident
    2. Run Spybot S&D
    3. Go to the Mode menu, and make sure Advanced Mode is selected.
    4. On the left hand side, choose Tools > Resident
    uncheck Resident TeaTimer and OK any prompt and Restart your computer.

    Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    Step 2

    There is a proxy server running in Explorer and Firefox, if you did not set them up or know of them do the following:

    Check for proxy server settings in your browser, the following are the most common used.

    Internet Explorer:
    Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". ok, apply (only if applicable), ok.

    Firefox:
    Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

    Step 3

    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

    Link 1
    Link 2

    • Ensure that Combofix is saved directly to the Desktop <--- Very important
    • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the [​IMG] icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
    • Instructions for running Combofix available Here if required.
    • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log in next reply please...

    Kevin
     
  3. mmariecrys

    mmariecrys Thread Starter

    Joined:
    Apr 18, 2007
    Messages:
    25
    Thank you for responding, Kevin. BTW, I ran this under Normal mode because I could not get to the system tray in Safe mode.

    ComboFix 11-11-27.02 - Morgan 11/27/2011 13:46:54.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.759 [GMT -5:00]
    Running from: c:\documents and settings\Morgan\Desktop\ComboFix.com
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\gwr
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Start Menu\Programs\Green AV
    c:\documents and settings\All Users\Start Menu\Programs\Green AV\ Green AV .lnk
    c:\documents and settings\Morgan\Application Data\78078
    c:\documents and settings\Morgan\Application Data\78078\8A7C.807
    c:\documents and settings\Morgan\Application Data\78078\C2A22.exe
    c:\documents and settings\Morgan\WINDOWS
    c:\program files\LP
    c:\program files\LP\2217\1.tmp
    c:\program files\LP\2217\12.tmp
    c:\program files\LP\2217\13.tmp
    c:\program files\LP\2217\18A.tmp
    c:\program files\LP\2217\18B.tmp
    c:\program files\LP\2217\2.tmp
    c:\program files\LP\2217\4E.tmp
    c:\program files\LP\2217\4F.exe
    c:\program files\LP\2217\4F.tmp
    c:\program files\LP\2217\51.tmp
    c:\program files\LP\2217\E37.exe
    c:\program files\LP\3857\5A.tmp
    c:\windows\CSC\d6
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-27 to 2011-11-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-26 18:41 . 2011-11-26 18:41 -------- d-----w- c:\program files\Trend Micro
    2011-11-26 18:40 . 2011-11-26 18:38 302592 ----a-w- C:\ic1ymwxo.exe
    2011-11-26 18:40 . 2011-11-26 18:36 1402880 ----a-w- C:\HiJackThis.msi
    2011-11-26 18:40 . 2008-06-20 22:57 812344 ----a-w- C:\HJTsetup.exe
    2011-11-26 18:40 . 2011-11-26 18:37 607260 ------r- C:\dds.com
    2011-11-26 17:55 . 2011-11-26 17:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Wave Systems Corp
    2011-11-26 04:49 . 2011-11-26 03:22 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-11-26 03:22 . 2011-11-26 03:22 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-11-26 03:19 . 2011-11-03 17:06 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-11-26 02:29 . 2011-11-26 02:29 -------- d-----w- c:\documents and settings\Morgan\Local Settings\Application Data\NTRU Cryptosystems
    2011-11-26 02:29 . 2011-06-23 00:05 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2011-11-26 02:27 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
    2011-11-26 02:27 . 2011-11-26 02:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-11-26 02:27 . 2011-11-26 02:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-11-26 02:26 . 2011-11-26 05:02 -------- d-----w- c:\program files\Symantec AntiVirus
    2011-11-26 02:22 . 2011-11-26 02:15 90587136 ----a-w- C:\Endpoint.exe
    2011-11-26 02:20 . 2011-11-26 01:08 12021760 ----a-w- C:\Ad-Aware96Install.msi
    2011-11-21 05:31 . 2011-11-21 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-11-21 05:31 . 2011-11-21 05:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-11-21 00:30 . 2011-11-26 00:24 -------- d-----w- c:\program files\78A7C
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-27 18:33 . 2008-04-29 03:49 0 ----a-w- c:\documents and settings\Morgan\Local Settings\Application Data\WavXMapDrive.bat
    2011-10-10 14:22 . 2004-08-11 22:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-11 22:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41 . 2007-10-09 18:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41 . 2004-08-11 22:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41 . 2004-08-11 22:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-08-11 22:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
    "ampmdm"="c:\program files\Altnet Music Plugin\AMPMDM.exe" [2010-09-21 431576]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-23 149280]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-05 405504]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
    .
    c:\documents and settings\Morgan\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
    2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
    "c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/25/2011 10:19 PM 64512]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [11/3/2011 12:06 PM 2152152]
    R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 5:00 PM 5120]
    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [11/18/2011 8:16 PM 106104]
    S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 9:28 AM 204800]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/3/2011 12:06 PM 15232]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2/14/2009 10:02 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2/14/2009 10:02 PM 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2/14/2009 10:02 PM 42112]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2/14/2009 10:02 PM 23680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 17:06]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.blackboard.ecu.edu/
    uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080422
    uInternet Settings,ProxyServer = http=127.0.0.1:52848
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 66.76.227.40 208.180.42.68 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Morgan\Application Data\Mozilla\Firefox\Profiles\2vjfeflg.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.blackboard.ecu.edu/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 52848
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Kazaa Media Player: {494d1265-1d59-43c6-8fa1-eb1d9224278a} - c:\program files\Altnet Music Plugin\ffXPI
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
    HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    HKLM-Run-C23.exe - c:\program files\LP\3857\C23.exe
    Notify-NavLogon - (no file)
    SafeBoot-Symantec Antvirus
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-27 13:51
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(1424)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\biolsp.dll
    .
    Completion time: 2011-11-27 13:53:15
    ComboFix-quarantined-files.txt 2011-11-27 18:53
    .
    Pre-Run: 94,186,704,896 bytes free
    Post-Run: 94,421,897,216 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - EA4E4CA6FFCE2EB5C51707FD7165332F
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Run the following :-

    Step 1

    [​IMG] Please download Malwarebytes Anti-Malware and save it to your desktop.
    Alernative D/L mirror
    Alternative D/L mirror

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Step 2

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [​IMG] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [​IMG] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [​IMG] icon on your desktop.
    • Check [​IMG]
    • Click the [​IMG] button.
    • Accept any security warnings from your browser.
    • Check [​IMG]
    • Leave the tick out of remove found threats
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [​IMG]
    • Push [​IMG], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [​IMG] button.
    • Push [​IMG]
    You can refer to this animation by neomage if needed.
    Frequently asked questions available Here Please read them before running the scan.

    Also be aware this scan can take several hours to complete depending on the size of your system.

    ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

    Let me see those two logs, also give update on current issues/concerns..

    Kevin
     
  5. mmariecrys

    mmariecrys Thread Starter

    Joined:
    Apr 18, 2007
    Messages:
    25
    At this point I am able to connect to the Internet again. Upon every page change I get a dialog box which says I am connecting over a secure connection. Mbam and Eset reports follow. Thank you.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8254

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/27/2011 9:02:27 PM
    mbam-log-2011-11-27 (21-02-27).txt

    Scan type: Quick scan
    Objects scanned: 180006
    Time elapsed: 5 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    C:\Program Files\78A7C\lvvm.exe a variant of Win32/Kryptik.WDN trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Morgan\Application Data\78078\C2A22.exe.vir a variant of Win32/Kryptik.WDN trojan
    C:\Qoobox\Quarantine\C\Program Files\LP\2217\4F.exe.vir a variant of Win32/Kryptik.WDN trojan
    C:\Qoobox\Quarantine\C\Program Files\LP\2217\E37.exe.vir Win32/Cycbot.AK trojan
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    The Qoobox entries are secure and will be dealt with later when we clean up, OK do the following:

    Step 1

    Please download OTM by OldTimer.
    Alternative Mirror 1
    Alternative Mirror 2
    Save it to your desktop.
    Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator
    • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      -------------------------------------------------------------------

      :Files
      ipconfig /flushdns /c
      C:\Program Files\78A7C
      :Commands
      [emptyjava]
      [EmptyTemp]
      [ClearAllRestorePoints]
      [Reboot]

      ---------------------------------------------------------------------
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red [​IMG] button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

    Step 2

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.

    Download the latest version of Java Runtime Environment 7 update 1 JRE 7
    • Scroll down to where it says JRE. Java SE 7
    • Check the box to: "Accept License Agreement".
    • Find the download that applies to your operating system. (Please ask if you have any questions.)
    • For Windows 32 bit systems get this Windows x86 Offline
    • For Windows 64 bit systems get this Windows x64
    • Click the "Download JRE" button to the right.

    NOTE: As always during installations, beware of any pre-checked option to install a toolbar. If you do not want it, UNcheck it.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs (Windows 7 or Vista user > Control Panel > Uninstall a Program) and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each of the Java versions.
    • You have at least the following to remove:

    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 16
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5


    • In Windows Explorer, navigate to C:\Program Files\Java\ Delete the contents such as any subfolders, but NOTthe main folder.
    • Do NOT delete C:\Program Files\JavaVM if found!
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
    • Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.
    • Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.

    To disable the JQS service if you don't want to use it:
    • Go to Start-->Control Panel-->Java-->Advanced-->Miscellaneous and uncheck the box for Java Quick Starter.
    • Click Ok and reboot your computer.

    Step 3

    Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.

    Please go to the link below to update.

    Adobe Reader Untick the Free McAfee® Security Scan Plus (optional) unless you want it. (Not required)

    Step 4

    Your Adobe Flash Player is out of date. Older versions are vulnerable to attack and exploitation
    Please go to the link below to update.
    Adobe Flash Player Untick the Free McAfee® Security Scan Plus (optional) unless you want it. (Not required)

    Step 4

    I notice you use Ad-Aware. Please be informed that the latest versions of Ad-Aware now have Anti-virus protection included. It is not recommended to have more than
    one anti-virus installed on a system, doing so does not provide better protection, it can actually cause additional problems. Anti-virus programs patch into the
    system kernel. Having more than one anti-virus patching into the system kernel will not only destabilize a system, it can corrupt system files and can cause crashes!

    You can turn off the anti-virus component as follows:

    • Open Ad-Aware
    • Click on switch to advanced mode
    • Click on Settings
    • Click on the Ad-watch live! tab and under Detection layers ensure Antivirus engine is UNchecked
    • Click OK and close Ad-Aware

    Let me see the log from OTM. Let me know if the other steps completed OK, also tell if you have any remaining issues or concerns...

    Kevin
     
  7. mmariecrys

    mmariecrys Thread Starter

    Joined:
    Apr 18, 2007
    Messages:
    25
    Hi, Kevin. Here is the OTM log. Steps 2-4 were completed with no problem. The browser is working normally at this time. Thanks

    All processes killed
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Morgan\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Morgan\Desktop\cmd.txt deleted successfully.
    C:\Program Files\78A7C folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Default User

    User: LocalService

    User: Morgan
    ->Java cache emptied: 72369394 bytes

    User: NetworkService

    Total Java Files Cleaned = 69.00 mb


    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 49152 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Morgan
    ->Temp folder emptied: 13399 bytes
    ->Temporary Internet Files folder emptied: 21472761 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 46428868 bytes
    ->Flash cache emptied: 36394 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 3401233 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 24152 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 68.00 mb


    Restore points cleared and new OTM Restore Point set!

    OTM by OldTimer - Version 3.1.19.0 log created on 11282011_183804

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  8. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    OK, if no issues do the following :-

    Step 1

    Remove Combofix now that we're done with it
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
      [​IMG]
    • Please follow the prompts to uninstall Combofix.
    • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
    The above procedure will delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.
    It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

    Step 2

    • Download OTC by OldTimer and save it to your desktop. Alternative mirror
    • Double click [​IMG] icon to start the program.
      If you are using Vista or Windows 7, please right-click and choose run as administrator
    • Then Click the big [​IMG] button.
    • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
    • Restart your computer when prompted.
    • This will remove tools we have used and itself. Any tools/logs remaining on the Desktop can be deleted.

    Step 3

    We need to remove ESET Online Scanner.

    • Click Start, click Run, type control appwiz.cpl in the Open box, and then press ENTER.
    • Click to select ESET Online Scanner from the application list, and then click Remove. Only re-boot if prompted

    Step 4

    Download [​IMG] TFC to your desktop, from either of the following links
    Link 1
    Link 2
    • Save any open work. TFC will close all open application windows.
    • Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select “Run as Administartor”
    • If prompted, click "Yes" to reboot.
    Save any open work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. TFC may re-boot your system, if not Re-boot it yourself to complete cleaning process <---- Very Important

    Keep TFC it is an excellent utility to keep your system optimized, it empties all user temp folders, Java cache etc etc. Always remember to re-boot after a run

    Let me know if those steps completed OK, also let me know if any remaining issues or concerns...

    Kevin
     
  9. mmariecrys

    mmariecrys Thread Starter

    Joined:
    Apr 18, 2007
    Messages:
    25
    Hi, Kevin. There were a few snags in the process but everything installed fine:

    *when I was unistalling ComboFix, a warning box appeared stating Symantec Endpoint was detected and needed to be turned off. I turned off the Network Security service in Endpoint and the installation continued ok.

    *after running OTC and rebooting, a message appeared stating that the locally stored profile could not load and Windows cannot find the local profile. The system logged on using a temp profile

    *]after running TFC my personal profile loaded correctly

    The browser and search appears to be working normally now. Thanks
     
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    If everything is working as it should and you have no issues we can close:

    Here are some tips to reduce the potential for malware infection in the future:

    Make proper use of your antivirus and firewall

    Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

    You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure you're system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

    Install and use WinPatrol This will inform you of any attempted unauthorized changes to your system.

    WinPatrol features explained Here

    You will have several programs installed, these maybe outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing.... [​IMG]
    ...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

    Use a safer web browser

    Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

    Firefox,

    Opera, and

    Chrome.

    All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

    These browser add-ons will help to make your browser safer:

    Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

    Available for Firefox and Internet Explorer.

    Green to go,
    Yellow for caution, and
    Red to stop.

    Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

    These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

    Here a couple of links by two security experts that will give some excellent tips and advice.

    So how did I get infected in the first place by Tony Klein

    How to prevent Malware by Miekiemoes

    Finally this link HERE will give a comprehensive upto date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CD`s.

    Don`t forget, the best form of defense is common sense. If you don`t recognize it, don`t open it. If something looks to good to be true, then it aint.

    If no remaining issues hit the “Mark Solved” tab at the top of the thread,

    Take care,

    Kevin
     
  11. mmariecrys

    mmariecrys Thread Starter

    Joined:
    Apr 18, 2007
    Messages:
    25
    Thank you so much for your time and help with resoliving my issues, Kevin. I will be donating! :D
     
  12. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    I`m sure the admins will appreciate your kind donation, thank you.

    Take care,

    Kevin
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1028544

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice