TechSpot

[Active] IE popups, clicking sounds, and volume issues - logs attached

Solved
By MM225
Jul 20, 2010
  1. Hi,

    I have read through several threads where users have similar issues: a clicking sound in the background, iexplore.exe in the task manager that I can't kill, IE pop-ups (I use Chrome) and random audio ads without pop-ups.

    I was switching from AVG to Avast and picked up some malware in the few minutes that my computer was unprotected. I've uninstalled Java & Adobe, as I read that those can be vulnerabilities.

    I'm running XP SP3, and I thought it was fully updated but it is now asking me to download updates that I am pretty sure I already had.

    I have an installation of Linux on a separate partition of my C drive and a bootloader menu (GRUB) that allows me to select my OS when I boot up. I installed this because I thought it would be interesting to mess with Linux, but I haven't used it in months. The bootloader is still around, though. (not sure if this will show up on the logs, so hopefully this will clear up any confusion.)

    I've run the six steps, and all logs will be pasted in my next post(s). Thanks in advance for any help you can give me.
     
  2. MM225


    Malwarebytes, GMER, & DDS logs

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4299

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    7/19/2010 8:11:44 AM
    mbam-log-2010-07-19 (08-11-44).txt

    Scan type: Quick scan
    Objects scanned: 149853
    Time elapsed: 6 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    --



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Matt at 14:53:41.31 on Tue 07/20/2010
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.5.0_10
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2181 [GMT -4:00]

    AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe 4
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    svchost.exe 4
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Intel\IDU\awServ.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\sttray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Intel\IDU\iptray.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Launchy\Launchy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Documents and Settings\Matt\Desktop\dds.scr
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\program files\virtual account numbers\BhoCitUS.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [SigmatelSysTrayApp] sttray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ipTray.exe] "c:\program files\intel\idu\iptray.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [Citi Virtual Account Numbers] c:\progra~1\virtua~1\CitiVAN.exe /lang=en_RG /dontopenmycards
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {DE700910-58F7-4D2E-B7E6-3BA2DA1B6806} - c:\progra~1\virtua~1\CitiVAN.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll
    SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\xnkrl9ok.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
    FF - plugin: c:\documents and settings\matt\application data\mozilla\firefox\profiles\xnkrl9ok.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\documents and settings\matt\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\matt\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\matt\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
    FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
    FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
    FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
    FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
    FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
    FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-10 64288]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-10 165456]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 229312]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 25240]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-10 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-10 40384]
    R2 AWService;Admin Works Agent X8;c:\program files\intel\idu\awServ.exe [2006-8-18 67072]
    R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1778480]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1352832]
    R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-10 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-10 40384]
    S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [2007-3-25 140416]
    S3 pbfilter;pbfilter;c:\program files\peerblock_r181__win32_release\pbfilter.sys [2009-9-28 14424]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys --> c:\windows\system32\drivers\tbcspud.sys [?]
    S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys --> c:\windows\system32\drivers\tbcwdm.sys [?]
    S3 vtdg46xx;vtdg46xx;\??\c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys --> c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [?]

    =============== Created Last 30 ================

    2010-07-19 11:37:43 0 d-sha-r- C:\cmdcons
    2010-07-19 11:35:40 98816 ----a-w- c:\windows\sed.exe
    2010-07-19 11:35:40 77312 ----a-w- c:\windows\MBR.exe
    2010-07-19 11:35:40 256512 ----a-w- c:\windows\PEV.exe
    2010-07-19 11:35:40 161792 ----a-w- c:\windows\SWREG.exe
    2010-07-14 02:54:11 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
    2010-07-10 20:10:06 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-07-10 16:45:38 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-07-10 16:45:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-07-10 16:39:15 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}
    2010-07-10 15:50:37 0 d-----w- c:\windows\pss
    2010-07-10 15:00:57 0 d-----w- c:\program files\PeerBlock_r181__Win32_Release
    2010-07-10 14:51:20 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
    2010-07-10 14:49:31 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-07-10 14:47:58 0 d-----w- c:\program files\COMODO
    2010-07-10 14:46:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-10 14:45:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
    2010-07-10 14:36:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-10 14:32:32 0 d-----w- c:\docume~1\matt\applic~1\Malwarebytes
    2010-07-10 14:32:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-10 14:32:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-10 14:32:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-10 14:32:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-07-10 14:09:54 38848 ----a-w- c:\windows\avastSS.scr
    2010-07-10 14:09:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-07-01 13:03:33 0 d-----w- c:\program files\iPod
    2010-07-01 13:03:23 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-07-01 12:55:55 0 d-----w- c:\program files\Bonjour

    ==================== Find3M ====================

    2010-06-15 00:02:56 256 ----a-w- c:\documents and settings\matt\pool.bin
    2010-06-04 15:55:58 229312 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2010-06-01 23:00:52 278288 ----a-w- c:\windows\system32\guard32.dll
    2010-06-01 23:00:22 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2010-06-01 23:00:20 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2007-07-10 19:24:50 88 --sh--r- c:\windows\system32\F6A9BE14DE.sys
    2007-07-10 19:25:10 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2009-01-03 20:33:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010320090104\index.dat

    ============= FINISH: 14:54:31.26 ===============
     

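The line in the DDS pseudo-HJT report above that most needs explaining is `uInternet Settings,ProxyServer = http=127.0.0.1:5577`: a per-user (HKCU) proxy aimed at the loopback interface, meaning every browser request is passed through a process on this machine. A local proxy is either a legitimate filtering tool or an ad injector, and nothing in the installed-programs list is an obvious owner of that port, so it is the first thing to account for when the symptoms are injected audio ads and pop-ups. The same log also shows orphaned hooks (`No File`), an `AppInit_DLLs` entry, a driver whose binary cannot be resolved (`[?]`), hidden+system files under system32, and Firefox plugins from a `jre1.5.0_10` runtime, which matches the `BrowserJavaVersion: 1.5.0_10` in the header and shows the Java removal was not complete. The Python below is an added triage example, not part of the poster's logs or of DDS itself; the sample lines are copied from the log in this post, while the rules, severities and rule names are the example's own assumptions.

```python
"""Triage a DDS-style log for a few high-signal indicators.

Added example: the sample lines are copied from the DDS output above; the
rules, severities and wording are this example's own assumptions, not DDS's.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high", "medium", "low" or "review"
    rule: str
    line: str


# Constructed input: a handful of lines from the log posted above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 229312]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
2010-06-01 23:00:52 278288 ----a-w- c:\windows\system32\guard32.dll
2007-07-10 19:24:50 88 --sh--r- c:\windows\system32\F6A9BE14DE.sys
2007-07-10 19:25:10 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys
"""

# Per-user proxy (the "u" prefix is HKCU) aimed at the loopback interface: every
# browser request then passes through a process on the box, which is how an
# ad injector rewrites pages and plays audio ads without a visible pop-up.
LOOPBACK_PROXY = re.compile(
    r"^uInternet Settings,ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):(\d+)", re.I)
# Shell/browser hooks whose module is gone: harmless on their own, but they are
# what a half-removed infection (or a half-done uninstall) leaves behind.
ORPHAN = re.compile(r"^(?:BHO|EB|SSODL|SEH|Notify):.*-\s*No File\s*$")
# AppInit_DLLs is loaded into every process that links user32.dll.
APPINIT = re.compile(r"^AppInit_DLLs:\s*(\S.*)$", re.I)
# Service/driver line: "R1 name;display;path [date size]" or "... --> path [?]".
SERVICE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
# File line: "date time size attrs path"; the attrs column is d c s h a - r/w -.
FILE_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ (\S{8}) (.+)$")
# Plugin paths from a Java 5 (1.5.x) runtime, long past end of life by 2010.
OLD_JRE = re.compile(r"\\jre1\.[0-5]\.\d+_\d+\\", re.I)

SYSTEM32 = "c:\\windows\\system32\\"


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOOPBACK_PROXY.match(line)
        if m:
            findings.append(Finding("high", f"loopback proxy on port {m.group(1)}", line))
            continue
        if ORPHAN.match(line):
            findings.append(Finding("low", "orphaned hook (No File)", line))
            continue
        m = APPINIT.match(line)
        if m:
            # Review item, not a verdict: COMODO's guard32.dll legitimately uses
            # AppInit_DLLs, and COMODO Internet Security is installed on this box.
            findings.append(Finding("review", f"AppInit_DLLs set: {m.group(1)}", line))
            continue
        m = SERVICE.match(line)
        if m and m.group(2).rstrip().endswith("[?]"):
            findings.append(Finding("medium", f"service '{m.group(1)}' has an unresolvable binary", line))
            continue
        m = FILE_ENTRY.match(line)
        if m:
            attrs, path = m.group(1), m.group(2).lower()
            # Hidden+system files in system32 deserve a look; vendor licensing
            # files use the same attributes, so verify the owner before deleting.
            if attrs[2:4] == "sh" and path.startswith(SYSTEM32):
                findings.append(Finding("review", "hidden+system file in system32", line))
            continue
        if OLD_JRE.search(line):
            findings.append(Finding("medium", "plugin from an end-of-life Java 5 runtime", line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {"high": 1, "low": 2, ...}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule}\n         {f.line}")
    print(summarize(results))
```

Run against the sample it reports one high finding (the loopback proxy), two orphaned hooks, the unresolvable `PciCon` driver and the Java 5 plugin as medium, and three review items. The review items are deliberately not verdicts: `guard32.dll` belongs to COMODO, which the log shows installed, and the two hidden `.sys` files in system32 should be identified by vendor before anything is deleted.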

  3. MM225


    Attach log

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume5
    Install Date: 11/28/2006 8:23:37 PM
    System Uptime: 7/20/2010 2:46:52 PM (0 hours ago)

    Motherboard: Intel Corporation | | DG965WH
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | LGA 775 | 1864/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 128 GiB total, 11.603 GiB free.
    D: is FIXED (NTFS) - 170 GiB total, 25.748 GiB free.
    Y: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\AWY0001\4&12686F5B&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\AWY0001\4&12686F5B&0
    Service:

    ==== System Restore Points ===================

    RP954: 4/22/2010 6:55:23 PM - System Checkpoint
    RP955: 4/23/2010 8:14:41 PM - System Checkpoint
    RP956: 4/24/2010 9:17:50 AM - Avg Update
    RP957: 4/24/2010 9:18:40 AM - Avg Update
    RP958: 4/25/2010 11:15:11 AM - System Checkpoint
    RP959: 4/26/2010 11:29:30 AM - System Checkpoint
    RP960: 4/27/2010 5:58:03 PM - System Checkpoint
    RP961: 4/28/2010 6:29:33 PM - System Checkpoint
    RP962: 4/30/2010 7:44:54 PM - System Checkpoint
    RP963: 5/1/2010 8:10:06 PM - System Checkpoint
    RP964: 5/2/2010 8:21:07 PM - System Checkpoint
    RP965: 5/3/2010 9:39:37 PM - System Checkpoint
    RP966: 5/6/2010 9:26:39 AM - Avg Update
    RP967: 5/10/2010 6:29:57 PM - System Checkpoint
    RP968: 5/11/2010 7:53:44 PM - System Checkpoint
    RP969: 5/12/2010 9:25:18 PM - System Checkpoint
    RP970: 5/15/2010 9:29:30 AM - System Checkpoint
    RP971: 5/16/2010 11:00:15 AM - System Checkpoint
    RP972: 5/19/2010 8:18:59 PM - System Checkpoint
    RP973: 5/22/2010 10:41:09 AM - System Checkpoint
    RP974: 5/23/2010 11:16:04 AM - System Checkpoint
    RP975: 5/26/2010 9:02:00 AM - System Checkpoint
    RP976: 5/27/2010 6:10:35 PM - System Checkpoint
    RP977: 5/28/2010 7:23:22 PM - System Checkpoint
    RP978: 5/29/2010 7:40:19 PM - System Checkpoint
    RP979: 5/31/2010 10:56:48 AM - System Checkpoint
    RP980: 6/1/2010 1:06:38 PM - System Checkpoint
    RP981: 6/3/2010 5:38:32 PM - Avg Update
    RP982: 6/11/2010 8:11:05 AM - System Checkpoint
    RP983: 6/12/2010 11:03:33 AM - System Checkpoint
    RP984: 6/13/2010 12:01:41 PM - System Checkpoint
    RP985: 6/14/2010 7:46:04 PM - System Checkpoint
    RP986: 6/14/2010 8:18:15 PM - Removed BlackBerry Desktop Software 4.7.
    RP987: 6/14/2010 8:33:59 PM - Installed BlackBerry Desktop Software 5.0.1.
    RP988: 6/14/2010 9:22:50 PM - Removed BlackBerry Desktop Software 5.0.1.
    RP989: 6/14/2010 9:34:19 PM - Installed BlackBerry Desktop Software 5.0.1.
    RP990: 6/17/2010 10:41:36 PM - System Checkpoint
    RP991: 6/21/2010 7:59:15 AM - System Checkpoint
    RP992: 6/22/2010 7:39:25 PM - System Checkpoint
    RP993: 6/23/2010 8:51:48 PM - System Checkpoint
    RP994: 6/25/2010 7:31:49 AM - System Checkpoint
    RP995: 6/26/2010 3:08:58 PM - Avg Update
    RP996: 6/27/2010 4:08:54 PM - System Checkpoint
    RP997: 6/29/2010 6:26:57 PM - System Checkpoint
    RP998: 6/30/2010 7:18:57 PM - System Checkpoint
    RP999: 7/1/2010 7:30:37 PM - System Checkpoint
    RP1000: 7/2/2010 8:55:17 PM - System Checkpoint
    RP1001: 7/3/2010 10:55:17 PM - System Checkpoint
    RP1002: 7/5/2010 12:55:17 AM - System Checkpoint
    RP1003: 7/6/2010 7:48:04 AM - System Checkpoint
    RP1004: 7/8/2010 8:22:53 AM - System Checkpoint
    RP1005: 7/10/2010 9:57:58 AM - Removed AVG Free 9.0
    RP1006: 7/10/2010 10:09:49 AM - avast! Free Antivirus Setup
    RP1007: 7/10/2010 10:45:53 AM - Installed Java(TM) 6 Update 20
    RP1008: 7/10/2010 10:47:55 AM - Installed COMODO Internet Security
    RP1009: 7/10/2010 11:00:27 AM - Removed BlackBerry Desktop Software 5.0.1.
    RP1010: 7/10/2010 11:47:29 AM - Software Distribution Service 3.0
    RP1011: 7/10/2010 12:29:05 PM - Removed Ad-Aware
    RP1012: 7/10/2010 9:17:41 PM - Software Distribution Service 3.0
    RP1013: 7/11/2010 9:35:18 PM - System Checkpoint
    RP1014: 7/13/2010 7:49:46 AM - System Checkpoint
    RP1015: 7/13/2010 10:48:53 PM - Removed Adobe Reader 9.1.2.
    RP1016: 7/13/2010 10:50:06 PM - Removed Java(TM) 6 Update 7
    RP1017: 7/13/2010 10:51:11 PM - Removed Java(TM) 6 Update 5
    RP1018: 7/13/2010 10:52:02 PM - Removed Java(TM) 6 Update 3
    RP1019: 7/13/2010 10:53:45 PM - Removed Java(TM) 6 Update 11
    RP1020: 7/15/2010 8:30:34 AM - System Checkpoint
    RP1021: 7/16/2010 8:15:03 PM - System Checkpoint
    RP1022: 7/17/2010 8:25:32 PM - System Checkpoint
    RP1023: 7/19/2010 7:23:51 AM - Removed Xmarks for IE

    ==== Installed Programs ======================


    µTorrent
    AAC Decoder
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Shockwave Player
    Adobe Stock Photos 1.0
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.2.6
    AutoUpdate
    avast! Free Antivirus
    Bonjour
    BurnAware Free Edition 1.2.9
    Canon Utilities EOS Utility
    Canon Utilities PhotoStitch
    Comcast High-Speed Internet Install Wizard
    COMODO Internet Security
    Critical Update for Windows Media Player 11 (KB959772)
    DellTouch
    Deus Ex
    DivX Codec
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Version Checker
    EAX4 Unified Redist
    ffdshow [rev 1723] [2007-12-24]
    Full Tilt Poker
    Google Chrome
    Google Earth
    Google SketchUp 7.1
    Google Talk Plugin
    Google Update Helper
    H.264 Decoder
    High Definition Audio Driver Package - KB888111
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB981793)
    HP LaserJet P1000 series
    HPCarePackCore
    HPCarePackProducts
    HPSSupply
    Image Resizer Powertoy for Windows XP
    ImgBurn
    Intel(R) Desktop Utilities
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Interface
    Intel(R) PRO Network Connections
    IsoBuster 2.1
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 9
    Japanese Fonts Support For Adobe Reader 9
    Java Auto Updater
    Launchy 2.1.2
    LimeWire 4.12.6
    LiveUpdate 3.1 (Symantec Corporation)
    Logitech Gaming Software
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft Bootvis
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft English TTS Engine
    Microsoft Flight Simulator X
    Microsoft IntelliPoint 5.2
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Streets & Trips 2007
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft XML Parser and SDK
    MKV Splitter
    mkv2vob
    Mozilla Firefox (3.5.10)
    MrvlUsgTracking
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB933579)
    NVIDIA Drivers
    Pandora
    PC Inspector File Recovery
    Picasa 3
    PokerStars
    PokerTracker 3 (remove only)
    PostgreSQL 8.3
    PowerISO
    QuickTime
    RealPlayer
    Safari
    Scientific-Atlanta WebSTAR 2000 series Cable Modem
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    SigmaTel Audio
    Snes9x
    Supercast
    SyncBack
    The Rosetta Stone
    TTS Wrapper
    TVersity Codec Pack 1.2
    TVersity Media Server 1.0.0.8 RC5
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    VideoLAN VLC media player 0.8.6i
    Virtual Account Numbers
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VoiceOver Kit
    WebFldrs XP
    Windows Essentials Media Codec Pack 1.0
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    7/20/2010 7:18:57 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avast! Web Scanner service.
    7/20/2010 7:18:52 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avast! Mail Scanner service.
    7/19/2010 8:01:39 AM, error: Service Control Manager [7034] - The SigmaTel Audio Service service terminated unexpectedly. It has done this 1 time(s).
    7/19/2010 8:01:39 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    7/19/2010 8:01:39 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    7/19/2010 8:01:39 AM, error: Service Control Manager [7034] - The Admin Works Agent X8 service terminated unexpectedly. It has done this 1 time(s).
    7/19/2010 8:01:39 AM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    7/19/2010 8:01:39 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    7/19/2010 7:49:47 AM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
    7/18/2010 7:47:53 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    7/18/2010 7:15:57 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.
    7/15/2010 11:31:08 PM, error: PlugPlayManager [12] - The device 'PHILIPS SPD2413P' (IDE\CdRomPHILIPS_SPD2413P________________________GP03____\6&2295197d&0&0.0.0) disappeared from the system without first being prepared for removal.
    7/13/2010 11:13:05 PM, error: PlugPlayManager [12] - The device 'ST3120814A' (IDE\DiskST3120814A______________________________3.AAD___\6&2295197d&0&0.1.0) disappeared from the system without first being prepared for removal.
    7/13/2010 10:54:35 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    7/13/2010 10:46:04 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
    7/13/2010 10:43:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/13/2010 10:30:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    7/13/2010 10:30:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi cmdGuard cmdHlp Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu Tcpip
    7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/13/2010 10:30:47 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

    ==== End Of File ===========================
     
  4. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  5. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    The MBRcheck link appears to be broken - is there another link where I can download it? Thanks!
     
  6. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Hmmm...it doesn't work indeed.

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  7. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    remover.exe results

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive1
    MD5: b19ee33a0168d5f0bb9afbe12e2bc035
    \\.\D: -> \\.\PhysicalDrive1

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive1 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...
     
  8. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Somehow, email notification about your reply missed me. I apologize for that :)
    If you're still out there, please reply to my post.
     
  9. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    Hi Broni,

    Thanks for the reply. I'm still here & haven't changed anything since my last post.
     
  10. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Cool :)
    I apologize one more time :)

    Rerun MBRCheck.
    Enter 'Y' and hit ENTER for more options and select option "2".
    When asked for physical disk number, enter 1.
    Next, enter 1 (Windows XP) for MBR code.
    Post resulting log.
     
  11. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    MBRCheck, version 1.1.1

    (c) 2010, AD



    \\.\C: --> \\.\PhysicalDrive1

    \\.\D: --> \\.\PhysicalDrive1



    Size Device Name MBR Status

    --------------------------------------------

    298 GB \\.\PhysicalDrive1 Unknown MBR code





    Found non-standard or infected MBR.

    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Options:

    [1] Dump the MBR of a physical disk to file.

    [2] Restore the MBR of a physical disk with a standard boot code.

    [3] Exit.



    Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): Dumping \\.\PhysicalDisk1...

    Enter filename to dump to:
     
     
  12. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    The above was all I could get - I tried to enter a filename to dump to but couldn't get the format to be readable. Let me know if I'm doing that wrong. Thanks!
     
  13. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    That's fine. We'll approach it in a different way...

    Restart computer
    When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
    You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
    If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. OK Then reboot.

    You should get a black screen with a C:\> prompt. Type with an Enter after each line:

    fixmbr

    (If it asks you if you are sure then say "Y".)

    exit

    Reboot computer.

    Post fresh MBRCheck log.
     
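The Bootkit Remover and MBRCheck runs above, and the fixmbr step, all come down to the same check: read the first 512-byte sector of the disk, verify the 0x55AA signature, hash the boot code and compare it with an allow-list of known boot code. The following is an added example (not code from the thread, from MBRCheck or from Bootkit Remover) that performs that check on a constructed sector; the allow-list, the sample boot bytes and the partition layout are all made up for the test, and which exact bytes the real tools hash is not stated on the page, so hashing the first 440 bytes is an assumption here.

```python
# Added example: MBR sanity check on a constructed 512-byte sector (not the thread's tools).
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439 hold the boot code, before the disk signature
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of every valid MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, ptype: int = 0x07) -> bytes:
    """Construct a synthetic MBR for testing; the boot code bytes are arbitrary."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x00" * 6    # 4-byte disk signature + 2 reserved bytes (constructed)
    # one active (0x80) partition starting at LBA 63, 1,000,000 sectors long (constructed)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", ptype, b"\xfe\xff\xff", 63, 1_000_000)
    table = entry + b"\x00" * 48  # remaining three entries empty
    return code + disk_sig + table + BOOT_SIGNATURE


def boot_code_md5(mbr: bytes) -> str:
    """Hash only the boot code; assumption: the tools above hash these 440 bytes."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries so a dual-boot layout is visible."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def classify_mbr(mbr: bytes, known_good: dict) -> str:
    """Compare the boot-code hash against a caller-supplied allow-list.

    "Unknown" means "not on the list", not "infected": GRUB stage 1 in the MBR,
    as the original poster has, is also non-standard code, and fixmbr overwrites it.
    """
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if mbr[-2:] != BOOT_SIGNATURE:
        return "No 0x55AA boot signature (not a valid MBR)"
    digest = boot_code_md5(mbr)
    name = known_good.get(digest)
    return f"{name} MBR code detected" if name else f"Unknown MBR code (md5 {digest})"
```

Because the allow-list is the whole decision, an MBR that legitimately carries GRUB will report as "Unknown" exactly like the log in post #11, which is why the partition table is worth printing alongside the verdict before anyone runs fixmbr.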
  14. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    MBRCheck, version 1.1.1

    (c) 2010, AD



    \\.\C: --> \\.\PhysicalDrive1

    \\.\D: --> \\.\PhysicalDrive1



    Size Device Name MBR Status

    --------------------------------------------

    298 GB \\.\PhysicalDrive1 Windows XP MBR code detected





    Done! Press ENTER to exit...
     
  15. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    And FYI, the rogue iexplore.exe is not currently appearing in my Task Manager.
     
  16. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Excellent :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  17. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    Here's the combofix log:
     

    Attached Files:

  18. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Please, restart computer BEFORE running what's below...


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\F6A9BE14DE.sys
    
    FCopy::
    c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\drivers\TCPIP.SYS
    c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\dllcache\TCPIP.SYS
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  19. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    OK, here's the resulting log:
     

    Attached Files:

  20. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    BTW this is amazing - thank you so much for the help so far.
     
  21. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    You're very welcome :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  22. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    When you're done with OTL....

    There is a new Combofix version which deals with MBR infection, so I want to make sure that the infection is really gone.
    You uninstalled Combofix, but make sure there is no Combofix file left on your desktop.
    Then...
    Download fresh copy from HERE
    Run it and post resulting log.
     
  23. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    OTL & Extras logs

    Here are the logs from OTL:
     

    Attached Files:

  24. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Before I review your OTL log, please read my previous reply (#22).
     
  25. MM225

    MM225 TS Rookie Topic Starter Posts: 22

    Here's the new combofix log - sorry but it's also too long to copy/paste.
     

    Attached Files:

Topic Status:
Not open for further replies.

