August 30th, 2010 10:00

Searches using different search engines being redirected to ad sites. Problems started after a fake Yahoo IM sent.

Hi,

I know you are all volunteers and are inundated with requests for help. I sent a request on August 23rd, then replied to my own post (being new to these kinds of posts) to add information. I am not sure whether doing that made it seem like my help request had been responded to, as I have seen newer posts being addressed, so I thought it best to send another. I am attaching a brand new Trend Micro log even though I have not used the internet since my original post. I got a fake Yahoo IM a few weeks ago. That started problems with taking over my mouse and such. I uninstalled and reinstalled Yahoo and that helped. Ran Lavasoft Ad-Aware, then added and ran Microsoft Security Essentials and Malwarebytes' Anti-Malware. Got rid of some trojan horses and Exploit entries. Still having problems with my search engine. I do a search (tried Google and Yahoo using both IE8 and Mozilla) and if I click on a result, it takes me to an ad page unrelated to my search. Any assistance with this matter will be greatly appreciated.

Thanks,

Lisa

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:53:16 AM, on 8/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\RocketFish\Rocketfish Bluetooth Combo\TSR\xDaemon.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Rocketfish Input Device Main Program] C:\Program Files\RocketFish\Rocketfish Bluetooth Combo\TSR\xDaemon.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

--
End of file - 7830 bytes
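
The HijackThis log above lists exactly the loading points a search hijacker tends to touch: R0/R1 start and search pages, O2 browser helper objects, O4 Run values, O20 Winlogon notify packages and O23 services. What follows is an added example for this thread, not code from the original post and not Trend Micro's: a small Python triage script for this line format that pulls out the entries a helper would read first (a referenced file that is missing, a service with no vendor string, a non-default browser URL, a Run value with an unqualified executable name). The sample log is a constructed excerpt of entries taken from Lisa's post, embedded so the script runs offline; the set of expected URL hosts is an assumption made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt: a few entries copied from the HijackThis log in the post
# above, embedded so the script runs offline. It is not the full log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# URL hosts that a stock XP/IE8 install puts in the R0/R1 entries. This set is an
# assumption made for the example; any other host is reported for review.
EXPECTED_URL_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"=\s*(?P<url>https?://\S+)\s*$")
RUN_VALUE_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s+(?P<cmd>[^\s\"]\S*)")


def parse_entries(log_text):
    """Yield (code, body) for each Rn/Fn/Nn/On line; header and process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(log_text):
    """Return (code, reason, body) tuples for entries a helper would examine first."""
    findings = []
    for code, body in parse_entries(log_text):
        if "(file missing)" in body:
            # HijackThis could not find the referenced file: a stale entry, or a
            # loading point whose payload was removed while its hook was left behind.
            findings.append((code, "target file not found", body))
        if code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service has no vendor string", body))
        if code in ("R0", "R1"):
            m = URL_RE.search(body)
            host = urlparse(m.group("url")).hostname if m else None
            if host and host not in EXPECTED_URL_HOSTS:
                findings.append((code, f"non-default browser URL host {host}", body))
        if code == "O4":
            # A Run value with a bare executable name is resolved through the
            # search path, so the log alone does not say which binary runs.
            m = RUN_VALUE_RE.match(body.split(": ", 1)[-1])
            if m and "\\" not in m.group("cmd"):
                findings.append((code, "unqualified executable path", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason:<40} {body}")
```

Every flag is a prompt to look, not a verdict. The O20 avgrsstarter "(file missing)" is a case in point: the ComboFix log later in this thread lists c:\windows\system32\avgrsstx.dll as present, so HijackThis simply failed to resolve the bare filename. The WinDefend and NMIndexingService entries, by contrast, are registered services whose binaries really are gone, which is leftover registration rather than evidence of the redirect. Nothing in this log points at the redirect itself; that is why the helper moves on to ComboFix and the rootkit checks in the next post.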


August 30th, 2010 10:00

Hi Lisa,

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family, so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please print or save to Notepad all instructions and follow them carefully, and if there's something you don't understand or that will not work, please let me know and we will go through it together.
Malware is often buggy and can be very unstable; with that in mind, it is advisable to back up any important data before we begin.
If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours, feel free to PM me.

Please be aware of forum policy. If you are using any P2P software, uninstall it before posting any more logs. Also, if you are using cracked software or keygens etc., all help will cease and your thread will be removed.
If there is anything you do not understand or agree with, post back and let me know and we'll work through it together...
Apologies for the wait, the forum is extremely busy and helpers are a bit thin on the ground.

Please proceed as follows :-

Step 1

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget ComboFix must be saved to your desktop. <--Very important

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

Step 2

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What I'd like in your reply :-

  • Log from Combofix
  • Log from Security Checks


Kevin


August 30th, 2010 13:00

Hi Kevin,

First I want to thank you for your assistance. Secondly, I tried 5 times to post my log results from my problem computer and it kept coming up with a connection failure message, so I shared the logs on my problem computer and am posting them on another computer on my home network. Here are the logs you requested:

ComboFix 10-08-29.04 - Lisa531 08/30/2010  14:45:46.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1982.1085 [GMT -4:00]
Running from: c:\documents and settings\Lisa531\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Rocketfish
c:\documents and settings\All Users\Start Menu\Programs\Rocketfish \Rocketfish Bluetooth Combo\Help.lnk
c:\documents and settings\All Users\Start Menu\Programs\Rocketfish \Rocketfish Bluetooth Combo\Rocketfish Bluetooth Combo.lnk
c:\documents and settings\All Users\Start Menu\Programs\Rocketfish \Rocketfish Bluetooth Combo\Uninstall Rocketfish Bluetooth Combo.lnk
e:\jim 531\Favorites\Thumbs.db

.
(((((((((((((((((((((((((   Files Created from 2010-07-28 to 2010-08-30  )))))))))))))))))))))))))))))))
.

2010-08-23 15:13 . 2010-08-23 15:13 388096 ----a-r- c:\documents and settings\Lisa531\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-23 02:09 . 2010-08-23 02:09 -------- d-----w- c:\documents and settings\Jim-531\Application Data\Malwarebytes
2010-08-22 18:44 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-22 18:44 . 2010-08-22 18:44 -------- d-----w- c:\program files\Bobby MB
2010-08-22 18:44 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-22 18:27 . 2008-04-13 17:45 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2010-08-22 17:33 . 2010-08-22 17:33 -------- d-----w- c:\documents and settings\Lisa531\Application Data\PeaZip
2010-08-22 15:31 . 2010-08-22 15:31 -------- d-----w- c:\program files\Trend Micro
2010-08-21 20:56 . 2010-08-21 20:56 -------- d-----w- c:\documents and settings\Lisa531\Application Data\Malwarebytes
2010-08-21 20:56 . 2010-08-22 18:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-21 20:56 . 2010-08-21 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-21 18:15 . 2010-08-21 18:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-08-21 18:05 . 2010-08-21 21:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\tyunstwff
2010-08-20 18:57 . 2010-08-20 18:57 -------- d-----w- c:\documents and settings\Lisa531\Local Settings\Application Data\Threat Expert
2010-08-20 18:37 . 2010-08-20 19:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-20 13:03 . 2010-08-20 13:03 -------- d-----w- c:\program files\Common Files\Java
2010-08-20 13:03 . 2010-08-20 13:03 -------- d-----w- c:\program files\Java
2010-08-18 15:43 . 2010-08-18 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\MSNDynFiles
2010-08-18 15:43 . 2010-07-26 09:58 150016 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\vid_wide.dll
2010-08-18 15:43 . 2010-07-26 09:58 148992 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\vid_fly.dll
2010-08-18 15:43 . 2010-07-26 09:58 123392 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\msndupd.exe
2010-08-18 15:43 . 2010-07-26 09:49 388608 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\txsrvc.dll
2010-08-18 15:43 . 2010-07-26 09:48 476672 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\unicows.dll
2010-08-18 15:43 . 2010-07-21 03:56 536960 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\SpellChecker\mssp7en.dll
2010-08-18 12:11 . 2010-08-18 12:11 -------- d-----w- c:\documents and settings\Lisa531\Application Data\AVG9
2010-08-18 00:20 . 2010-08-18 00:20 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-08-17 23:46 . 2010-01-27 20:28 38200 ----a-w- c:\documents and settings\Lisa531\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-13 22:01 . 2010-08-13 22:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-13 21:47 . 2010-04-20 20:45 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-08-11 12:51 . 2010-08-11 12:51 -------- d-----w- c:\program files\AC3Filter
2010-08-11 09:44 . 2010-08-13 11:36 27591840 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-08-09 19:49 . 2010-08-09 19:49 61440 ----a-w- c:\documents and settings\Tim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-53c85e7f-n\decora-sse.dll
2010-08-09 19:49 . 2010-08-09 19:49 503808 ----a-w- c:\documents and settings\Tim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36fe99ba-n\msvcp71.dll
2010-08-09 19:49 . 2010-08-09 19:49 499712 ----a-w- c:\documents and settings\Tim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36fe99ba-n\jmc.dll
2010-08-09 19:49 . 2010-08-09 19:49 348160 ----a-w- c:\documents and settings\Tim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36fe99ba-n\msvcr71.dll
2010-08-09 19:49 . 2010-08-09 19:49 12800 ----a-w- c:\documents and settings\Tim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-53c85e7f-n\decora-d3d.dll
2010-08-05 15:17 . 2010-08-05 15:17 503808 ----a-w- c:\documents and settings\Lisa531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f06a25d-n\msvcp71.dll
2010-08-05 15:17 . 2010-08-05 15:17 499712 ----a-w- c:\documents and settings\Lisa531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f06a25d-n\jmc.dll
2010-08-05 15:17 . 2010-08-05 15:17 348160 ----a-w- c:\documents and settings\Lisa531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f06a25d-n\msvcr71.dll
2010-08-05 15:17 . 2010-08-05 15:17 61440 ----a-w- c:\documents and settings\Lisa531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ecb30a8-n\decora-sse.dll
2010-08-05 15:17 . 2010-08-05 15:17 12800 ----a-w- c:\documents and settings\Lisa531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ecb30a8-n\decora-d3d.dll
2010-08-03 06:26 . 2010-08-03 06:26 503808 ----a-w- c:\documents and settings\Jim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-245746c9-n\msvcp71.dll
2010-08-03 06:26 . 2010-08-03 06:26 499712 ----a-w- c:\documents and settings\Jim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-245746c9-n\jmc.dll
2010-08-03 06:26 . 2010-08-03 06:26 348160 ----a-w- c:\documents and settings\Jim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-245746c9-n\msvcr71.dll
2010-08-03 06:26 . 2010-08-03 06:26 61440 ----a-w- c:\documents and settings\Jim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2dd0dbf1-n\decora-sse.dll
2010-08-03 06:26 . 2010-08-03 06:26 12800 ----a-w- c:\documents and settings\Jim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2dd0dbf1-n\decora-d3d.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-30 16:01 . 2010-01-29 21:30 0 ----a-w- c:\documents and settings\Tim-531\Local Settings\Application Data\prvlcl.dat
2010-08-23 15:34 . 2010-03-13 22:58 -------- d-----w- c:\documents and settings\Lisa531\Application Data\MSN6
2010-08-22 17:19 . 2010-03-13 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-08-22 17:19 . 2010-03-13 19:23 -------- d-----w- c:\program files\Yahoo!
2010-08-21 14:53 . 2010-01-27 02:11 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-20 19:50 . 2010-03-15 13:45 -------- d-----w- c:\documents and settings\Lisa531\Application Data\Skype
2010-08-20 19:14 . 2010-03-15 13:46 -------- d-----w- c:\documents and settings\Lisa531\Application Data\skypePM
2010-08-20 13:03 . 2010-04-17 12:08 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-19 00:54 . 2010-01-28 17:08 -------- d-----w- c:\program files\Defraggler
2010-08-13 21:52 . 2010-03-13 22:03 -------- d-----w- c:\documents and settings\Lisa531\Application Data\Yahoo!
2010-07-15 22:25 . 2010-01-27 22:06 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 22:25 . 2010-07-15 22:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 22:25 . 2010-01-27 22:06 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2001-08-18 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2001-08-18 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2001-08-18 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2001-08-18 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2010-01-25 21:06 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-06-14 07:41 . 2001-08-18 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 16:32 . 2010-06-08 16:32 50354 ----a-w- c:\documents and settings\Lisa531\Application Data\Facebook\uninstall.exe
2010-06-02 22:15 . 2010-01-27 22:06 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-03 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2007-09-03 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Rocketfish Input Device Main Program"="c:\program files\RocketFish\Rocketfish Bluetooth Combo\TSR\xDaemon.exe" [2009-07-02 376832]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-6-20 607584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 22:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/27/2010 3:40 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/27/2010 6:06 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/27/2010 6:06 PM 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 6:25 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 6:25 PM 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R2 rbmouse;Rocketfish Mouse Suite Driver;c:\windows\system32\drivers\rbmouse.SYS [2/3/2010 2:38 PM 18432]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]
S3 rbbtm;Rocketfish BT Mouse Filter Driver;c:\windows\system32\drivers\rbbtm.SYS [2/3/2010 2:38 PM 13312]
S3 rbusblf;Rocketfish Bluetooth Combo Mouse Low Filter Driver;c:\windows\system32\drivers\rbusblf.sys [2/3/2010 2:38 PM 18432]
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:40]

2010-06-18 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2010-07-30 19:18]

2010-08-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Lisa531\Application Data\Mozilla\Firefox\Profiles\1ejj9yrq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\Lisa531\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe

 

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-30 14:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A373ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7f37852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: NVIDIA nForce 10/100 Mbps Ethernet #3 -> SendCompleteHandler -> NDIS.sys @ 0xb7e16bb0
 PacketIndicateHandler -> NDIS.sys @ 0xb7e23a21
 SendHandler -> NDIS.sys @ 0xb7e0187b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,7e,6a,99,0b,ba,c9,40,bd,6f,70,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,7e,6a,99,0b,ba,c9,40,bd,6f,70,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1176)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-08-30  15:04:41 - machine was rebooted
ComboFix-quarantined-files.txt  2010-08-30 19:04

Pre-Run: 149,773,307,904 bytes free
Post-Run: 150,157,156,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - F23B178BBA8ABB94B3696AC117FB42BD

 Results of screen317's Security Check version 0.99.5 
 Windows XP Service Pack 3 
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 AVG Free 9.0   
 Microsoft Security Essentials   
 AVG9 successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

 Ad-Aware
 Malwarebytes' Anti-Malware   
 CCleaner    
 Java(TM) 6 Update 21 
 Adobe Flash Player 10.1.82.76 
Adobe Reader 9.3.3
 Mozilla Firefox (3.6.6) Firefox Out of Date! 
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Windows Defender MSMpEng.exe
 Ad-Aware AAWService.exe
 Ad-Aware AAWTray.exe
 AVG avgwdsvc.exe
 AVG avgtray.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
 Microsoft Security Essentials msseces.exe
````````````````````````````````
DNS Vulnerability Check:

 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

1.1K Posts

August 30th, 2010 13:00

Hiya Lisa,

You're running two anti-virus programs together, AVG and Microsoft Security Essentials. This is not good; two AVs will clash and may even negate security. Personally I'd keep MSE and get rid of AVG.

Has there been any improvement? Are you still being redirected? Let me know if you still have any issues.

Thanks,

Kevin

12 Posts

August 30th, 2010 15:00

Hi Kevin,

Thanks for getting back to me so quickly. I had just installed MSE when this problem started, but per your advice I am keeping it. I uninstalled AVG. I just did a quick check on a few search results and got to the correct pages, so hopefully I am all set. I will let you know if I find this not to be the case. Thank you sooooooooo much. I worked as hard as I could and resolved most things but that last part was beyond me. Your assistance was vital to me getting my computer back running smoothly. Thank you and have a great day!

Lisa

3 Apprentice


20.5K Posts

August 30th, 2010 16:00

Hi Lisa,

Kevin and I are in different time zones, and I have a question about the Rocketfish deletions. Were you using any Rocketfish hardware (I believe that is Best Buy's house brand)? I just want to make sure ComboFix has not removed something that it shouldn't have, or learn if malware writers are using the name of a legitimate product.

Thanks.

12 Posts

August 31st, 2010 05:00

Hi,

I was curious when I saw the Rocketfish deletions myself, but I asked my husband and he said the Rocketfish hardware isn't on this computer anymore, so I think when he moved the wireless mouse and keyboard to another computer, the Rocketfish entries were left behind. Hope this helps.

Lisa

12 Posts

August 31st, 2010 06:00

Hi Kevin,

I hate to have to say this but it's back. I had uninstalled Combofix and the Security Check programs so will need to reinstall them if I have to run them again. Please advise. Thanks again for your assistance.

Lisa

1.1K Posts

August 31st, 2010 09:00

Hi Lisa,

Yep, I thought you would still have problems when I saw the CF log. I take it the removal of the Rocketfish entries is not a problem for you. Try to refrain from uninstalling any tools we use, such as Combofix, until I ask. Let's run the AVG removal utility to make sure no remnants remain that may give issues.

Step 1

Download and save to your Desktop the AVG removal utility from Here. Double click to run the program and follow the prompts; this will remove any remnants.

Step 2

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Kevin

12 Posts

August 31st, 2010 12:00

Hi Kevin,

First let me apologize for removing software. I thought my problem was resolved, and I have an autistic son who loves computers so I didn't want him to accidentally click on Combofix. I ran the software you requested. Here is the log:

2010/08/31 14:10:01.0203 TDSS rootkit removing tool 2.4.1.4 Aug 31 2010 16:55:25
2010/08/31 14:10:01.0203 ================================================================================
2010/08/31 14:10:01.0203 SystemInfo:
2010/08/31 14:10:01.0203 
2010/08/31 14:10:01.0203 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/31 14:10:01.0203 Product type: Workstation
2010/08/31 14:10:01.0203 ComputerName: LISA39GQ0DW7FCZ
2010/08/31 14:10:01.0203 UserName: Lisa531
2010/08/31 14:10:01.0203 Windows directory: C:\WINDOWS
2010/08/31 14:10:01.0203 System windows directory: C:\WINDOWS
2010/08/31 14:10:01.0203 Processor architecture: Intel x86
2010/08/31 14:10:01.0203 Number of processors: 2
2010/08/31 14:10:01.0203 Page size: 0x1000
2010/08/31 14:10:01.0203 Boot type: Normal boot
2010/08/31 14:10:01.0203 ================================================================================
2010/08/31 14:10:01.0453 Initialize success
2010/08/31 14:10:03.0593 ================================================================================
2010/08/31 14:10:03.0593 Scan started
2010/08/31 14:10:03.0593 Mode: Manual;
2010/08/31 14:10:03.0593 ================================================================================
2010/08/31 14:10:03.0812 ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/31 14:10:03.0843 ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/31 14:10:03.0906 aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/31 14:10:04.0000 AFD             (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/31 14:10:04.0125 AmdPPM          (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2010/08/31 14:10:04.0234 AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/31 14:10:04.0250 atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/31 14:10:04.0281 Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/31 14:10:04.0296 audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/31 14:10:04.0343 Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/31 14:10:04.0421 btaudio         (d6407b9a012205e5754866e145165c29) C:\WINDOWS\system32\drivers\btaudio.sys
2010/08/31 14:10:04.0437 BTDriver        (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
2010/08/31 14:10:04.0468 BTKRNL          (75130181fa2fd6cbe83083c5311abe78) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2010/08/31 14:10:04.0500 BTWDNDIS        (485020a1e1fc5c51a800ca69c618d881) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2010/08/31 14:10:04.0515 btwhid          (c51d50cf24da69a9c499e65b0edb3bb7) C:\WINDOWS\system32\DRIVERS\btwhid.sys
2010/08/31 14:10:04.0515 BTWUSB          (1166cb501e1c34750a91600579efeab3) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/08/31 14:10:04.0562 cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/31 14:10:04.0609 Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/31 14:10:04.0656 Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/31 14:10:04.0703 Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/31 14:10:04.0828 Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/31 14:10:04.0906 dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/31 14:10:04.0921 dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/31 14:10:04.0937 dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/31 14:10:04.0984 DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/31 14:10:05.0062 drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/31 14:10:05.0140 Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/31 14:10:05.0171 Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/08/31 14:10:05.0203 Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/31 14:10:05.0234 Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/08/31 14:10:05.0296 FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/31 14:10:05.0343 Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/31 14:10:05.0406 Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/31 14:10:05.0453 Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/31 14:10:05.0484 HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/08/31 14:10:05.0515 hidusb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/31 14:10:05.0609 HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/31 14:10:05.0687 i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2010/08/31 14:10:05.0750 Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/31 14:10:05.0906 IntcAzAudAddService (b45a576ad280dd4f605f58b24cdaafe1) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/08/31 14:10:06.0000 ip6fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/31 14:10:06.0015 IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/31 14:10:06.0031 IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/31 14:10:06.0078 IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/31 14:10:06.0156 IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/31 14:10:06.0171 IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/31 14:10:06.0234 isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/31 14:10:06.0281 Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/31 14:10:06.0296 kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/31 14:10:06.0343 kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/31 14:10:06.0421 KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/31 14:10:06.0484 Lbd             (419590ebe7855215bb157ea0cf0d0531) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/08/31 14:10:06.0546 mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/31 14:10:06.0578 Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/31 14:10:06.0593 Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/31 14:10:06.0625 mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/31 14:10:06.0671 MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/31 14:10:06.0765 MpFilter        (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/08/31 14:10:06.0812 MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/31 14:10:06.0921 MRxSmb          (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/31 14:10:06.0968 Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/31 14:10:07.0015 MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/31 14:10:07.0031 MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/31 14:10:07.0046 MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/31 14:10:07.0078 mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/31 14:10:07.0140 Mup             (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/31 14:10:07.0203 NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/31 14:10:07.0265 NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/31 14:10:07.0281 Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/31 14:10:07.0296 NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/31 14:10:07.0312 NDProxy         (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/31 14:10:07.0359 NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/31 14:10:07.0500 NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/31 14:10:07.0578 Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/31 14:10:07.0640 Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/31 14:10:07.0687 NuidFltr        (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2010/08/31 14:10:07.0718 Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/31 14:10:07.0984 nv              (30913cbf518396912e54c2c9f1dd0f09) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/31 14:10:08.0312 nvata           (947c4a0e7b25bcecc3b40f0f1070378b) C:\WINDOWS\system32\DRIVERS\nvata.sys
2010/08/31 14:10:08.0328 NVENETFD        (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/08/31 14:10:08.0375 nvnetbus        (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/08/31 14:10:08.0421 NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/31 14:10:08.0453 NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/31 14:10:08.0468 OMCI            (e1e54131462b63efefaf14aca8e4012b) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2010/08/31 14:10:08.0515 Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/08/31 14:10:08.0562 PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/31 14:10:08.0593 ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/31 14:10:08.0640 PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/31 14:10:08.0687 PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/31 14:10:08.0718 Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/31 14:10:08.0843 pfc             (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys
2010/08/31 14:10:08.0890 PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/31 14:10:08.0953 Processor       (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/08/31 14:10:08.0968 PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/31 14:10:08.0984 Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/31 14:10:09.0046 PxHelp20        (b572ed0c3e6165643fa116af20425a54) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2010/08/31 14:10:09.0140 RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/31 14:10:09.0203 Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/31 14:10:09.0218 RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/31 14:10:09.0234 Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/31 14:10:09.0281 rbbtm           (98628664069af9ad2004569b936a2023) C:\WINDOWS\system32\DRIVERS\rbbtm.sys
2010/08/31 14:10:09.0312 rbmouse         (4033b81de76626f7d881dba8cbfaed11) C:\WINDOWS\system32\DRIVERS\rbmouse.sys
2010/08/31 14:10:09.0328 rbusblf         (ff37ed9e5afdf1513fba106dbc851e9c) C:\WINDOWS\system32\DRIVERS\rbusblf.sys
2010/08/31 14:10:09.0390 Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/31 14:10:09.0437 RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/31 14:10:09.0468 RDPWD           (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/31 14:10:09.0515 redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/31 14:10:09.0562 Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/31 14:10:09.0609 Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/08/31 14:10:09.0671 Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/31 14:10:09.0750 splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/31 14:10:09.0812 sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/31 14:10:09.0890 Srv             (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/31 14:10:09.0921 swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/31 14:10:09.0937 swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/31 14:10:10.0031 sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/31 14:10:10.0125 Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/31 14:10:10.0171 TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/31 14:10:10.0187 TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/31 14:10:10.0218 TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/31 14:10:10.0281 Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/31 14:10:10.0343 Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/31 14:10:10.0421 usbaudio        (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/08/31 14:10:10.0453 usbccgp         (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/31 14:10:10.0468 usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/31 14:10:10.0484 usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/31 14:10:10.0500 usbohci         (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/08/31 14:10:10.0531 usbprint        (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/31 14:10:10.0640 usbscan         (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/31 14:10:10.0718 USBSTOR         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/31 14:10:10.0750 VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/31 14:10:10.0812 VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/31 14:10:10.0859 Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/31 14:10:10.0921 Wdf01000        (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/08/31 14:10:10.0984 wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/31 14:10:11.0109 WpdUsb          (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/08/31 14:10:11.0140 WS2IFSL         (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/08/31 14:10:11.0234 WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/31 14:10:11.0281 WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/31 14:10:11.0312 \HardDisk1\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/08/31 14:10:11.0312 ================================================================================
2010/08/31 14:10:11.0312 Scan finished
2010/08/31 14:10:11.0312 ================================================================================
2010/08/31 14:10:11.0328 Detected object count: 1
2010/08/31 14:10:19.0125 \HardDisk1\MBR - will be cured after reboot
2010/08/31 14:10:19.0125 Rootkit.Win32.TDSS.tdl4(\HardDisk1\MBR) - User select action: Cure
2010/08/31 14:10:23.0250 Deinitialize success

Thanks again for your help,

Lisa
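The TDSSKiller log pasted above has a regular line format: one timestamped line per loaded driver (service name, MD5 of the image, path), followed by detection, "Detected object count", and "User select action" lines. The following is an added example written for this page, not part of the thread and not code from the TDSSKiller tool: a small Python parser that pulls those fields out, checks that the tool's own object count agrees with the detection lines it printed and that the scan actually finished, and lists any driver whose image sits outside the Windows directory. The sample log is constructed; its driver lines copy the format of the posted log, and the `exampledrv` entry with an all-zero hash in a Temp folder is made up to exercise the location check. The regular expressions are written against the 2.4.x output shown in the thread and are an assumption for other versions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the TDSSKiller 2.4.x log format seen in the thread. The
# first three driver lines and the MBR detection mirror the posted log; the
# "exampledrv" line (all-zero hash, loaded from a Temp folder) is made up so the
# location check has something to flag.
SAMPLE_LOG = r"""2010/08/31 14:10:01.0203 TDSS rootkit removing tool 2.4.1.4 Aug 31 2010 16:55:25
2010/08/31 14:10:03.0593 Scan started
2010/08/31 14:10:03.0593 Mode: Manual;
2010/08/31 14:10:03.0812 ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/31 14:10:06.0765 MpFilter        (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/08/31 14:10:09.0281 rbbtm           (98628664069af9ad2004569b936a2023) C:\WINDOWS\system32\DRIVERS\rbbtm.sys
2010/08/31 14:10:10.0900 exampledrv      (00000000000000000000000000000000) C:\Documents and Settings\User\Local Settings\Temp\exampledrv.sys
2010/08/31 14:10:11.0312 \HardDisk1\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/08/31 14:10:11.0312 Scan finished
2010/08/31 14:10:11.0328 Detected object count: 1
2010/08/31 14:10:19.0125 \HardDisk1\MBR - will be cured after reboot
2010/08/31 14:10:19.0125 Rootkit.Win32.TDSS.tdl4(\HardDisk1\MBR) - User select action: Cure
2010/08/31 14:10:23.0250 Deinitialize success
"""

# Every line starts with "YYYY/MM/DD HH:MM:SS.ffff".
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}"
DRIVER_RE = re.compile(rf"^{TS} (?P<name>\S+)\s+\((?P<md5>[0-9a-f]{{32}})\) (?P<path>.+)$")
DETECT_RE = re.compile(rf"^{TS} (?P<obj>\S+) - detected (?P<threat>\S+) \(\d+\)$")
ACTION_RE = re.compile(rf"^{TS} (?P<threat>[^(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(rf"^{TS} Detected object count: (?P<n>\d+)$")
FINISHED_RE = re.compile(rf"^{TS} Scan finished$")

# Driver images are normally under the Windows directory; anything else deserves a look.
TRUSTED_ROOT = "c:\\windows\\"


@dataclass
class DriverEntry:
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    obj: str
    threat: str
    action: Optional[str] = None  # filled in from the "User select action" line


@dataclass
class ScanReport:
    drivers: List[DriverEntry] = field(default_factory=list)
    detections: List[Detection] = field(default_factory=list)
    declared_count: Optional[int] = None
    finished: bool = False

    def is_consistent(self) -> bool:
        """True when the scan ran to completion and the tool's own count matches its detection lines."""
        return self.finished and self.declared_count == len(self.detections)


def parse_tdsskiller(text: str) -> ScanReport:
    """Parse TDSSKiller 2.4.x log text into drivers, detections, count and completion state."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := DRIVER_RE.match(line):
            report.drivers.append(DriverEntry(m["name"], m["md5"], m["path"]))
        elif m := DETECT_RE.match(line):
            report.detections.append(Detection(m["obj"], m["threat"]))
        elif m := ACTION_RE.match(line):
            # Attach the chosen action to the detection it refers to.
            for det in report.detections:
                if det.obj == m["obj"] and det.threat == m["threat"].strip():
                    det.action = m["action"]
        elif m := COUNT_RE.match(line):
            report.declared_count = int(m["n"])
        elif FINISHED_RE.match(line):
            report.finished = True
    return report


def unusual_location(drivers: List[DriverEntry]) -> List[DriverEntry]:
    """Drivers whose image is not under the Windows directory."""
    return [d for d in drivers if not d.path.lower().startswith(TRUSTED_ROOT)]


if __name__ == "__main__":
    rep = parse_tdsskiller(SAMPLE_LOG)
    print(f"{len(rep.drivers)} drivers, {len(rep.detections)} detection(s), "
          f"consistent={rep.is_consistent()}")
    for det in rep.detections:
        print(f"  {det.threat} at {det.obj}: action={det.action}")
    for drv in unusual_location(rep.drivers):
        print(f"  driver outside Windows dir: {drv.name} -> {drv.path}")
```

Running the file prints one summary line, the MBR detection with the Cure action attached, and the constructed Temp-folder driver. The consistency check is the part worth keeping around: a log that stops before "Scan finished", or whose declared count does not match the detection lines, should not be read as a clean result.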

3 Apprentice


20.5K Posts

August 31st, 2010 13:00

Thank you for the information, Lisa. I'm sure Kevin will help you get things cleaned up.

1.1K Posts

August 31st, 2010 13:00

Hiya Lisa,

Combofix uses ERUNT to back up the registry; it also quarantines stuff it removes into Qoobox. This is so anything removed can be replaced if necessary. If you uninstall CF those two backups go too, and if we need to get something back, we can't.
In your case those Rocketfish entries didn't matter, so it's OK. Back to the case in hand: TDSSKiller has found and dealt with an infected MBR, so let's run CF again and see if it has any friends hiding.

Download Combofix from either of these links and save to your Desktop <-- Very important

Link 1

Link 2

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <---Very important

Double click the CF icon to start the program. Combofix instructions if required

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection are available at the following link:

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

Kevin.

12 Posts

August 31st, 2010 16:00

Hi Kevin,

Again I apologize. I've never used this service before and really thought yesterday that my problem was solved. Hopefully I won't need this resource again but a lesson has been learned. Here is the Combofix log:

ComboFix 10-08-31.01 - Lisa531 08/31/2010  18:12:43.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1982.1364 [GMT -4:00]
Running from: c:\documents and settings\Lisa531\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

(((((((((((((((((((((((((   Files Created from 2010-07-28 to 2010-08-31  )))))))))))))))))))))))))))))))
.

2010-08-23 15:13 . 2010-08-23 15:13 388096 ----a-r- c:\documents and settings\Lisa531\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-23 02:09 . 2010-08-23 02:09 -------- d-----w- c:\documents and settings\Jim-531\Application Data\Malwarebytes
2010-08-22 18:44 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-22 18:44 . 2010-08-22 18:44 -------- d-----w- c:\program files\Bobby MB
2010-08-22 18:44 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-22 18:27 . 2008-04-13 17:45 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2010-08-22 17:33 . 2010-08-22 17:33 -------- d-----w- c:\documents and settings\Lisa531\Application Data\PeaZip
2010-08-22 15:31 . 2010-08-22 15:31 -------- d-----w- c:\program files\Trend Micro
2010-08-21 20:56 . 2010-08-21 20:56 -------- d-----w- c:\documents and settings\Lisa531\Application Data\Malwarebytes
2010-08-21 20:56 . 2010-08-22 18:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-21 20:56 . 2010-08-21 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-21 18:15 . 2010-08-21 18:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-08-21 18:05 . 2010-08-21 21:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\tyunstwff
2010-08-20 18:57 . 2010-08-20 18:57 -------- d-----w- c:\documents and settings\Lisa531\Local Settings\Application Data\Threat Expert
2010-08-20 18:37 . 2010-08-20 19:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-20 13:03 . 2010-08-20 13:03 -------- d-----w- c:\program files\Common Files\Java
2010-08-20 13:03 . 2010-08-20 13:03 -------- d-----w- c:\program files\Java
2010-08-18 15:43 . 2010-08-18 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\MSNDynFiles
2010-08-18 15:43 . 2010-07-26 09:58 150016 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\vid_wide.dll
2010-08-18 15:43 . 2010-07-26 09:58 148992 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\vid_fly.dll
2010-08-18 15:43 . 2010-07-26 09:58 123392 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\msndupd.exe
2010-08-18 15:43 . 2010-07-26 09:49 388608 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\txsrvc.dll
2010-08-18 15:43 . 2010-07-26 09:48 476672 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\unicows.dll
2010-08-18 15:43 . 2010-07-21 03:56 536960 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\SpellChecker\mssp7en.dll
2010-08-18 12:11 . 2010-08-18 12:11 -------- d-----w- c:\documents and settings\Lisa531\Application Data\AVG9
2010-08-18 00:20 . 2010-08-18 00:20 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-08-17 23:46 . 2010-01-27 20:28 38200 ----a-w- c:\documents and settings\Lisa531\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-13 22:01 . 2010-08-13 22:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-13 21:47 . 2010-04-20 20:45 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-08-11 12:51 . 2010-08-11 12:51 -------- d-----w- c:\program files\AC3Filter
2010-08-11 09:44 . 2010-08-13 11:36 27591840 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-08-09 19:49 . 2010-08-09 19:49 61440 ----a-w- c:\documents and settings\Tim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-53c85e7f-n\decora-sse.dll
2010-08-09 19:49 . 2010-08-09 19:49 503808 ----a-w- c:\documents and settings\Tim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36fe99ba-n\msvcp71.dll
2010-08-09 19:49 . 2010-08-09 19:49 499712 ----a-w- c:\documents and settings\Tim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36fe99ba-n\jmc.dll
2010-08-09 19:49 . 2010-08-09 19:49 348160 ----a-w- c:\documents and settings\Tim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36fe99ba-n\msvcr71.dll
2010-08-09 19:49 . 2010-08-09 19:49 12800 ----a-w- c:\documents and settings\Tim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-53c85e7f-n\decora-d3d.dll
2010-08-05 15:17 . 2010-08-05 15:17 503808 ----a-w- c:\documents and settings\Lisa531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f06a25d-n\msvcp71.dll
2010-08-05 15:17 . 2010-08-05 15:17 499712 ----a-w- c:\documents and settings\Lisa531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f06a25d-n\jmc.dll
2010-08-05 15:17 . 2010-08-05 15:17 348160 ----a-w- c:\documents and settings\Lisa531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2f06a25d-n\msvcr71.dll
2010-08-05 15:17 . 2010-08-05 15:17 61440 ----a-w- c:\documents and settings\Lisa531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ecb30a8-n\decora-sse.dll
2010-08-05 15:17 . 2010-08-05 15:17 12800 ----a-w- c:\documents and settings\Lisa531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ecb30a8-n\decora-d3d.dll
2010-08-03 06:26 . 2010-08-03 06:26 503808 ----a-w- c:\documents and settings\Jim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-245746c9-n\msvcp71.dll
2010-08-03 06:26 . 2010-08-03 06:26 499712 ----a-w- c:\documents and settings\Jim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-245746c9-n\jmc.dll
2010-08-03 06:26 . 2010-08-03 06:26 348160 ----a-w- c:\documents and settings\Jim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-245746c9-n\msvcr71.dll
2010-08-03 06:26 . 2010-08-03 06:26 61440 ----a-w- c:\documents and settings\Jim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2dd0dbf1-n\decora-sse.dll
2010-08-03 06:26 . 2010-08-03 06:26 12800 ----a-w- c:\documents and settings\Jim-531\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2dd0dbf1-n\decora-d3d.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-31 19:59 . 2010-03-15 13:45 -------- d-----w- c:\documents and settings\Lisa531\Application Data\Skype
2010-08-31 19:59 . 2010-03-15 13:46 -------- d-----w- c:\documents and settings\Lisa531\Application Data\skypePM
2010-08-31 18:24 . 2010-03-13 22:58 -------- d-----w- c:\documents and settings\Lisa531\Application Data\MSN6
2010-08-30 21:32 . 2010-01-28 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-30 16:01 . 2010-01-29 21:30 0 ----a-w- c:\documents and settings\Tim-531\Local Settings\Application Data\prvlcl.dat
2010-08-22 17:19 . 2010-03-13 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-08-22 17:19 . 2010-03-13 19:23 -------- d-----w- c:\program files\Yahoo!
2010-08-21 14:53 . 2010-01-27 02:11 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-20 13:03 . 2010-04-17 12:08 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-19 00:54 . 2010-01-28 17:08 -------- d-----w- c:\program files\Defraggler
2010-08-13 21:52 . 2010-03-13 22:03 -------- d-----w- c:\documents and settings\Lisa531\Application Data\Yahoo!
2010-06-30 12:31 . 2001-08-18 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2001-08-18 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2001-08-18 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2001-08-18 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2010-01-25 21:06 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-06-14 07:41 . 2001-08-18 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 16:32 . 2010-06-08 16:32 50354 ----a-w- c:\documents and settings\Lisa531\Application Data\Facebook\uninstall.exe
.

(((((((((((((((((((((((((((((   SnapShot@2010-08-30_18.58.53   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-31 18:11 . 2010-08-31 18:11 16384              c:\windows\Temp\Perflib_Perfdata_258.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-03 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2007-09-03 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Rocketfish Input Device Main Program"="c:\program files\RocketFish\Rocketfish Bluetooth Combo\TSR\xDaemon.exe" [2009-07-02 376832]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-6-20 607584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/27/2010 3:40 PM 64160]
R2 rbmouse;Rocketfish Mouse Suite Driver;c:\windows\system32\drivers\rbmouse.SYS [2/3/2010 2:38 PM 18432]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]
S3 rbbtm;Rocketfish BT Mouse Filter Driver;c:\windows\system32\drivers\rbbtm.SYS [2/3/2010 2:38 PM 13312]
S3 rbusblf;Rocketfish Bluetooth Combo Mouse Low Filter Driver;c:\windows\system32\drivers\rbusblf.sys [2/3/2010 2:38 PM 18432]
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:40]

2010-06-18 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2010-07-30 19:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Lisa531\Application Data\Mozilla\Firefox\Profiles\1ejj9yrq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\Lisa531\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-31 18:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


c:\docume~1\Lisa531\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,7e,6a,99,0b,ba,c9,40,bd,6f,70,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,7e,6a,99,0b,ba,c9,40,bd,6f,70,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(888)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-31  18:18:58
ComboFix-quarantined-files.txt  2010-08-31 22:18
ComboFix2.txt  2010-08-30 19:04

Pre-Run: 150,080,294,912 bytes free
Post-Run: 150,155,710,464 bytes free

- - End Of File - - B15DB524E21822E98999BC06E6BA4621

Thanks again,

Lisa

12 Posts

August 31st, 2010 16:00

Kevin,

I disabled my antivirus and Microsoft Security Essentials but forgot to disable the Microsoft Firewall. Should I run the Combofix again?

1.1K Posts

September 1st, 2010 02:00

Hi Lisa,

Combofix has not identified any more specific malware; there is, however, some cleaning up to do. Can you confirm that you are finished with Rocketfish altogether? There are drivers and residual files left in place. I've included them in the fix in bold text. If you are sure they are not required, leave them in the fix.
Regarding your Firewall, you have Active Armour Firewall and that was disabled; you can see confirmation in the CF header. If you use Active Armour, then you don't use Windows Firewall, as they will clash and may even negate their purpose. Windows Firewall was not flagged in the CF header, so must be OFF.

Please proceed as follows:

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text between the dotted lines below into it:

---------------------------------------------------------------------------

KillAll::

Folder::
c:\documents and settings\Lisa531\Application Data\AVG9
c:\documents and settings\All Users\Application Data\avg9
DirLook::
c:\documents and settings\NetworkService\Local Settings\Application Data\tyunstwff
Driver::
rbmouse
rbbtm
rbusblf
File::
c:\windows\system32\drivers\rbmouse.SYS
c:\windows\system32\drivers\rbbtm.SYS
c:\windows\system32\drivers\rbusblf.sys
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

---------------------------------------------------------------------------

Save this as CFScript.txt, in the same location as ComboFix.exe
user posted image

user posted image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Run an online virus scan with Kaspersky from HERE. This scan is very thorough and may take several hours to run, please allow it to complete.
1. At the main page, press "Accept" after reading the contents.
2. At the next window select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon Select My Computer to start the scan.
4. Select Scan Report.
5. If any threats were found they will appear in the report
6. Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

The following animation may help.

Kaspersky Gif

Let me see the logs from Combofix and Kaspersky in your reply. Also give me a system update, any specific issues?

Kevin..
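As an added example (not part of Kevin's instructions or of ComboFix itself), a small Python check that parses the CFScript directives used above (KillAll::, Driver::, File::) together with the Rn/Sn service lines of a ComboFix log, and confirms that every driver the script unloads is one the log actually listed and that its image file is also queued for deletion under File::. The sample log and script are constructed from the lines in this thread; the regexes assume ComboFix's "name;description;path [date size]" service-line layout.

```python
import re
# ComboFix service line "R2 name;description;c:\...\x.sys [date size]" and CFScript "Directive::" header
SERVICE_RE = re.compile(r'^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[', re.M)
SECTION_RE = re.compile(r'^(\w+)::$')

def parse_cfscript(text):
    """Return {directive: [entries]}; a bare directive such as KillAll:: maps to []."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections

def parse_services(log):
    # {service name: image path}, lower-cased, for every Rn/Sn line in the log
    return {m.group(1).lower(): m.group(2).lower() for m in SERVICE_RE.finditer(log)}

def check_driver_removals(script, log):
    """Flag Driver:: entries the log never listed, or whose image is not under File::."""
    sections, services = parse_cfscript(script), parse_services(log)
    files = {f.lower() for f in sections.get('File', [])}
    problems = []
    for drv in sections.get('Driver', []):
        path = services.get(drv.lower())
        if path is None:
            problems.append(f'{drv}: not a service in the log')
        elif path not in files:
            problems.append(f'{drv}: image {path} missing from File::')
    return problems
# Constructed sample: the Rocketfish service lines and Driver::/File:: sections from the thread
SAMPLE_LOG = r"""
R2 rbmouse;Rocketfish Mouse Suite Driver;c:\windows\system32\drivers\rbmouse.SYS [2/3/2010 2:38 PM 18432]
S3 rbbtm;Rocketfish BT Mouse Filter Driver;c:\windows\system32\drivers\rbbtm.SYS [2/3/2010 2:38 PM 13312]
S3 rbusblf;Rocketfish Bluetooth Combo Mouse Low Filter Driver;c:\windows\system32\drivers\rbusblf.sys [2/3/2010 2:38 PM 18432]
"""
SAMPLE_SCRIPT = r"""
KillAll::
Driver::
rbmouse
rbbtm
rbusblf
File::
c:\windows\system32\drivers\rbmouse.SYS
c:\windows\system32\drivers\rbbtm.SYS
c:\windows\system32\drivers\rbusblf.sys
"""
```

An empty list from `check_driver_removals(SAMPLE_SCRIPT, SAMPLE_LOG)` means the script only touches drivers the log showed and removes their files as well.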
1.1K Posts

September 1st, 2010 09:00

Hiya Lisa,

Don't remove Combofix from your Desktop; there is a procedure for removing it correctly, which also carries out other important functions for us. Surf about freely and see how your browser and system respond. Make sure you've turned your security system back on first.

When you're happy all is OK, post back and we'll clean up and set you free....

Kevin..
