Virus or Trojan problems

Re: Virus or Trojan problems

Post by jmw3 » September 11th, 2010, 8:42 am

Hi

Have WinPatrol disallow that change for the time being & continue with my previous instructions, now starting from the CFScript: viewtopic.php?p=544986#p544986
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Virus or Trojan problems

Post by rockspaz » September 11th, 2010, 8:17 pm

It took a while but here they are. Computer seems to be doing fine so far.

ComboFix 10-09-09.04 - Laptop 09/11/2010 8:57.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.391 [GMT -4:00]
Running from: c:\documents and settings\Laptop\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Laptop\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-09 11:45 . 2010-09-09 11:45 388096 ----a-r- c:\documents and settings\Laptop\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-09 11:45 . 2010-09-09 11:45 -------- d-----w- c:\program files\Trend Micro
2010-09-09 11:34 . 2010-09-09 11:34 -------- d-----w- C:\Hi This
2010-09-09 01:12 . 2010-09-09 01:12 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-09-09 00:51 . 2010-09-09 00:51 503808 ----a-w- c:\documents and settings\Laptop\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1215e3e4-n\msvcp71.dll
2010-09-09 00:51 . 2010-09-09 00:51 499712 ----a-w- c:\documents and settings\Laptop\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1215e3e4-n\jmc.dll
2010-09-09 00:51 . 2010-09-09 00:51 348160 ----a-w- c:\documents and settings\Laptop\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1215e3e4-n\msvcr71.dll
2010-09-09 00:51 . 2010-09-09 00:51 61440 ----a-w- c:\documents and settings\Laptop\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-394dd786-n\decora-sse.dll
2010-09-09 00:51 . 2010-09-09 00:51 12800 ----a-w- c:\documents and settings\Laptop\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-394dd786-n\decora-d3d.dll
2010-09-09 00:50 . 2010-09-09 00:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-09 00:43 . 2010-09-09 00:43 79488 ----a-w- c:\documents and settings\Laptop\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-09-09 00:43 . 2010-09-09 00:43 152576 ----a-w- c:\documents and settings\Laptop\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-09-09 00:16 . 2007-07-05 15:39 0 ----a-w- c:\documents and settings\Laptop\Application Data\WinPatrol\Config.sys
2010-09-09 00:16 . 2007-07-05 15:39 0 ----a-w- c:\documents and settings\Laptop\Application Data\WinPatrol\Autoexec.bat
2010-09-09 00:16 . 2010-09-09 00:16 -------- d-----w- c:\documents and settings\Laptop\Application Data\WinPatrol
2010-09-09 00:15 . 2010-09-09 00:15 -------- d-----w- c:\program files\BillP Studios
2010-09-08 17:25 . 2010-09-08 17:29 -------- d-----w- c:\program files\QuickTime
2010-09-08 17:24 . 2010-09-08 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-09-08 17:15 . 2010-09-08 17:15 -------- d-----w- c:\program files\Common Files\xing shared
2010-09-01 16:05 . 2010-09-01 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-01 15:56 . 2010-09-01 15:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-25 16:37 . 2010-09-10 12:40 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-25 16:37 . 2010-08-25 16:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-08-25 16:25 . 2010-08-25 16:25 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-25 16:25 . 2010-09-01 20:10 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-25 16:24 . 2010-08-25 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-08-25 16:24 . 2010-08-25 16:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-15 22:48 . 2010-07-23 22:22 43008 ----a-w- c:\documents and settings\Laptop\Application Data\Mozilla\Firefox\Profiles\hqzsve64.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-15 22:48 . 2010-07-23 22:22 338944 ----a-w- c:\documents and settings\Laptop\Application Data\Mozilla\Firefox\Profiles\hqzsve64.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-15 22:48 . 2010-07-23 22:22 346112 ----a-w- c:\documents and settings\Laptop\Application Data\Mozilla\Firefox\Profiles\hqzsve64.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-08-15 22:48 . 2010-07-23 22:22 1496064 ----a-w- c:\documents and settings\Laptop\Application Data\Mozilla\Firefox\Profiles\hqzsve64.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-10 17:04 . 2010-07-18 22:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-09 10:55 . 2010-03-09 14:03 117760 ----a-w- c:\documents and settings\Laptop\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-09 00:51 . 2007-10-12 13:53 -------- d-----w- c:\program files\Common Files\Java
2010-09-08 17:18 . 2010-06-17 16:29 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-09-08 17:18 . 2010-06-17 16:29 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-09-08 17:18 . 2010-06-17 16:29 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-09-08 17:18 . 2010-06-17 16:29 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-09-08 17:18 . 2010-06-17 16:29 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-09-08 17:18 . 2010-06-17 16:29 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-09-08 17:18 . 2010-06-17 16:29 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-09-08 17:18 . 2010-02-28 22:47 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-09-08 17:17 . 2007-12-09 00:16 -------- d-----w- c:\program files\Common Files\Real
2010-09-08 16:29 . 2007-07-05 15:48 11336 ----a-w- c:\windows\system32\nvModes.dat
2010-09-01 12:39 . 2010-01-19 18:33 -------- d-----w- c:\program files\Ashampoo
2010-08-16 00:20 . 2008-07-14 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-08 14:37 . 2010-08-08 14:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-01 17:30 . 2009-08-29 13:50 -------- d-----w- c:\documents and settings\Laptop\Application Data\HpUpdate
2010-07-26 21:02 . 2009-06-15 01:27 -------- d-----w- c:\program files\McAfee
2010-07-26 21:00 . 2010-02-28 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-16 09:51 . 2007-09-27 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-07-15 20:18 . 2009-06-15 01:29 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-12 08:56 . 2010-08-08 14:37 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-12 08:55 . 2010-08-08 14:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55 . 2010-03-10 23:30 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-30 12:31 . 2004-08-12 13:27 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 22:05 . 2010-06-27 22:05 50354 ----a-w- c:\documents and settings\Laptop\Application Data\Facebook\uninstall.exe
2010-06-24 12:22 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-12 13:33 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-12 13:30 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-12 13:19 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2007-07-05 15:36 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-12 13:23 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-11-21 17:28 . 2009-11-21 17:29 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-27 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"AIRPLUS"="c:\program files\D-Link\AIRPLUS.exe" [2005-08-13 548864]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-21 30192]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2010-07-16 161336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-08 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless-G Notebook Adapter Utility.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2007-9-11 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/8/2010 10:45 AM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/14/2009 9:33 PM 93320]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S2 gupdate1c985fa2f4e5230;Google Update Service (gupdate1c985fa2f4e5230);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 8:23 AM 133104]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [3/22/2005 10:17 PM 450400]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/8/2007 7:55 PM 30192]
S3 jswimd;jswimd Service;c:\windows\system32\DRIVERS\jswimd.sys --> c:\windows\system32\DRIVERS\jswimd.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1355928]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/15/2010 6:35 PM 15008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 21:06]

2010-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-09-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-27 09:51]

2010-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 12:23]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 12:23]

2010-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-15 17:22]

2010-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-15 17:22]

2010-09-09 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2010-08-29 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2010-09-10 c:\windows\Tasks\Norton Security Scan for Laptop.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 01:20]

2010-09-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1004336348-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1004336348-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 09:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Funk Software\Odyssey Client\odLogin.dll

- - - - - - - > 'explorer.exe'(1880)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-11 09:08:12
ComboFix-quarantined-files.txt 2010-09-11 13:08
ComboFix2.txt 2010-09-10 16:46

Pre-Run: 30,732,795,904 bytes free
Post-Run: 30,721,404,928 bytes free

- - End Of File - - 44127DE2DEEC28503C8F6F1C561E5763


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, September 11, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, September 11, 2010 15:18:39
Records in database: 4208367
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 80063
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 03:27:23


File name / Threat / Threats count
C:\System Volume Information\_restore{795EB6E9-DED0-4AC2-94D6-7C60AEDF023D}\RP278\A0056413.exe Infected: Trojan.Win32.FakeAv.eka 1
C:\System Volume Information\_restore{795EB6E9-DED0-4AC2-94D6-7C60AEDF023D}\RP278\A0056414.exe Infected: Trojan.Win32.FakeAv.fby 1

Selected area has been scanned.
rockspaz
Regular Member
 
Posts: 48
Joined: February 17th, 2010, 5:19 pm

Re: Virus or Trojan problems

Post by jmw3 » September 12th, 2010, 7:33 am

Hi

Apologies for the delay.

Looks good. Those two items flagged by the Kaspersky scan are old infected System Restore points.... harmless unless you roll back to one. We'll deal with those shortly.

Clean Up
Now we need to clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
OTC
Download OTC by Old Timer here & save it to your desktop.
Double click on OTC.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can delete the following from your desktop:
TFC.exe
RKUnhookerLE.exe
The Gmer.exe file (it will be a randomly named .exe file)
Any logs that may have been saved to your desktop

You can remove the Kaspersky & Eset Online Scanners. This can be done via Add or Remove Programs
You should also remove HijackThis. This can be done via Add or Remove Programs

All Clean
Now that your system is safe we would like you to keep it that way.
Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Create a Clean System Restore Point
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and click OK
Ensure the boxes for Temporary Files & Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore click Clean up... and click Yes to the prompt
Click OK and Yes to confirm.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can find a tutorial here. Keep it updated & run it regularly.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name (just HOSTS, with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.
Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
You can Find the Tutorial HERE

Install WinPatrol
Good to see you already have it installed. Make sure you keep it up to date with the latest version.
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

If there are any other questions then feel free to ask or in future do not hesitate to contact us here at The Malware Removal Forums
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
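The HOSTS-file "short circuit" described in the post above, as an added example that is not part of the thread or of the MVPS Hosts project: a small Python model of how a resolver consults HOSTS before DNS, so that a listed site resolves to 127.0.0.1 (the local machine) and the real server is never contacted. The sample HOSTS text and all host names in it are constructed placeholders. The `non_local_entries` check goes one step beyond the post: a blocklist HOSTS file should only ever point names at 127.0.0.1 or 0.0.0.0, so any entry that points elsewhere is worth reviewing, because the same file that blocks a site can also be edited to send a site somewhere the user did not choose.

```python
"""Added example (not from the MalwareRemoval.com thread): a minimal model of
how a HOSTS file short-circuits name resolution, plus a check for entries
that do not point at the local machine.  The sample HOSTS text is constructed."""

import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample in the HOSTS format used by blocklists such as MVPS:
# one address, then one or more host names, with '#' starting a comment.
# Every host name below is a placeholder under the reserved .invalid TLD.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file for illustration
127.0.0.1       localhost
127.0.0.1       ads.example.invalid         # blocked ad server (placeholder)
127.0.0.1       tracker.example.invalid  counter.example.invalid
0.0.0.0         malware.example.invalid     # some lists use 0.0.0.0 instead
   # indented comment line, ignored
198.51.100.7    shop.example.invalid        # not a loopback address: review it
"""

# Addresses that mean "this machine" for blocklist purposes.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname_lowercase: address} for every valid HOSTS entry.

    Mirrors the resolver rules that matter here: comments and blank lines are
    skipped, one line may name several hosts, names are case-insensitive, and
    the first mapping for a given name wins.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                              # an address with no names: ignore
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)         # skip lines with a malformed address
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(hostname: str, table: Dict[str, str]) -> Optional[str]:
    """Return the HOSTS override for hostname, or None to fall through to DNS.

    This is the short circuit the post describes: a listed site resolves to
    the local machine before any DNS query is made.
    """
    return table.get(hostname.lower())


def non_local_entries(table: Dict[str, str]) -> List[Tuple[str, str]]:
    """List (hostname, address) pairs whose address is not the local machine.

    In a blocklist-only HOSTS file this list should be empty; each entry it
    returns redirects a name to some other host and deserves a closer look.
    """
    return sorted(
        (name, addr) for name, addr in table.items()
        if addr not in LOCAL_ADDRESSES
    )


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for site in ("ads.example.invalid", "Tracker.Example.Invalid", "www.example.invalid"):
        print(f"{site:28} -> {resolve(site, hosts) or 'not in HOSTS, ask DNS'}")
    for name, addr in non_local_entries(hosts):
        print(f"review: {name} -> {addr}")
```

On a real Windows XP machine the file this models is `%SystemRoot%\system32\drivers\etc\hosts`; the script reads only the embedded sample so it runs anywhere without touching the system file.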

Re: Virus or Trojan problems

Post by rockspaz » September 12th, 2010, 1:38 pm

Hello. I didn't mean the delay was caused by you. I just meant that the Kaspersky scan took a long time to complete. I realize you are on the other side of the world. I've never met an Australian I didn't like. (Actually, I've never met an Australian but I still like Australians).

Thank you so much for your help!
rockspaz
Regular Member
 
Posts: 48
Joined: February 17th, 2010, 5:19 pm

Re: Virus or Trojan problems

Post by jmw3 » September 12th, 2010, 5:38 pm

I didn't mean the delay was caused by you.
I knew what you meant ;) The Kaspersky scan can be painfully slow at times.
I was apologising as it took me nearly 12 hours to get back to you... due to a busy work day.

Thank you so much for your help!

No problem at all.... Glad I could help

Good Luck & Surf Safe
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Virus or Trojan problems

Post by jmw3 » September 13th, 2010, 9:03 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
