TechSpot

Browser Hijacked

By schlitz
Jun 19, 2010
  1. Like many posters I too have experienced the browser hijacking and can't get rid of it even though I've run half a dozen programs.

    Malware Bytes Log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4192

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/19/2010 8:35:57 AM
    mbam-log-2010-06-19 (08-35-57).txt

    Scan type: Quick scan
    Objects scanned: 148558
    Time elapsed: 17 minute(s), 32 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ************************************************'


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by MARKAG at 15:45:40.92 on Sat 06/19/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2089 [GMT -5:00]

    AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\TechSmith\SnagIt 9\Snagit32.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    C:\Program Files\eFax Messenger 4.4\J2GTray.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
    C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Documents and Settings\Mark Agostino\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mSearch Page = hxxp://www.google.com
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100518200515.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0311.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0311.0\msneshellx.dll
    TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
    uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
    uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [<NO NAME>]
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
    StartupFolder: c:\docume~1\markag~1\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
    StartupFolder: c:\docume~1\markag~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 9\Snagit32.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\markag~1\applic~1\mozilla\firefox\profiles\eho0tdmb.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - chicago-ninjutsu.org
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================


    ==================== Find3M ====================

    2009-06-11 08:20:14 245760 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
    2008-09-07 20:37:31 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

    ============= FINISH: 15:50:02.85 ===============


    I cannot run GMER, every time I do, I get the blue screen of death. I did get this error message.

    Error Signature

    BCCode : 100000d1 BCP1 : BA2C8174 BCP2 : 00000002 BCP3 : 00000000
    BCP4 : BA4A2CE3 OSVer : 5_1_2600 SP : 3_0 Product : 256_1

    C:\DOCUME~1\MARKAG~1\LOCALS~1\Temp\WERcab1.dir00\Mini021509-01.dmp
    C:\DOCUME~1\MARKAG~1\LOCALS~1\Temp\WERcab1.dir00\sysdata.xml
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You have multiple antivirus programs:
    AV: Spyware Doctor with AntiVirus
    AV: McAfee VirusScan *
    AV: Microsoft Security Essentials


    Please decide which one you want to keep and removed the others. Multiple antivirus programs can make the system more vulnerable and slow it down.You should have one antivirus program and one software firewall.
    Be sure to reboot the computer when done.

    Try unchecking Devices in GMER. IF that doesn't work, try scanning in Safe Mode. Quite a few members are having a problem with GMER- hard to tell if it's because of a Rootkit or problem with program.

    Remove the Internet from the Trusted Zone now. It has lower security and you are defeating the purpose of having security programs if the internet is in this zone. Nothing needs to be in the Trusted Zone
    =========================================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    =====================================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please either uninstall BitTorrent or do not use it while we are cleaning> I will leave information about that in my next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    EDIT: The part of the DDS log named Attach.txt does not show any ==== Installed Programs ======================
    Did you miss part of the log?
     
  3. schlitz

    schlitz TS Rookie Topic Starter

    I tried doing what you said for GMER before my post and not luck. Still get the Blue Screen of Death.

    I run multiple AV programs because, as I'm sure you know, there is not one program that catches everything. I've done this for years, this is the first issue I've ever had that I couldn't fix myself.

    Bit Torrent hasn't been used in 2 years.

    I did not do anything to the DDS log named Attach.txt, all I did was save the file.

    Please note ESET did find a virus Olmarik.zctrojan


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ad7b8d04024c004db2bc8dfc71833242
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-06-20 03:03:53
    # local_time=2010-06-19 10:03:53 (-0600, Central Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16777189 100 75 4253913 7850142 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=114854
    # found=1
    # cleaned=0
    # scan_time=2328
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\rasacd.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I

    *****************************************

    ComboFix 10-06-19.01 - Mark Ag 06/19/2010 21:03:00.1.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2905 [GMT -5:00]
    Running from: c:\documents and settings\Mark Ag\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Mark Ag\Application Data\inst.exe
    c:\documents and settings\Mark Ag\GoToAssistDownloadHelper.exe
    c:\documents and settings\Mark Ag\System
    c:\documents and settings\Mark Ag\System\win_qs8.jqx
    c:\windows\system32\_000005_.tmp.dll
    c:\windows\xpsp1hfm.log

    Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
    .

    2010-06-18 01:07 . 2010-06-18 01:08 -------- d-----w- C:\107c5917714814f5c8
    2010-06-17 12:14 . 2010-06-18 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-06-17 12:14 . 2010-06-17 12:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-06-12 20:31 . 2010-06-12 20:31 -------- d-----w- c:\documents and settings\Mark Ag\Application Data\Malwarebytes
    2010-06-12 20:30 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-12 20:30 . 2010-06-12 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-12 20:30 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-12 20:30 . 2010-06-12 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-12 19:58 . 2010-06-12 19:58 -------- d-----w- c:\program files\Zamaan's Software
    2010-06-11 11:46 . 2010-06-11 11:46 -------- d-----w- c:\documents and settings\Mark Ag\Local Settings\Application Data\Threat Expert
    2010-06-11 04:44 . 2010-06-11 04:44 -------- d-----w- c:\program files\Trend Micro
    2010-06-10 01:16 . 2010-06-10 01:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-05-26 19:14 . 2010-05-26 19:14 503808 ----a-w- c:\documents and settings\Mark Ag\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-14e005ba-n\msvcp71.dll
    2010-05-26 19:14 . 2010-05-26 19:14 499712 ----a-w- c:\documents and settings\Mark Ag\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-14e005ba-n\jmc.dll
    2010-05-26 19:14 . 2010-05-26 19:14 348160 ----a-w- c:\documents and settings\Mark Ag\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-14e005ba-n\msvcr71.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-20 02:01 . 2008-04-04 19:29 -------- d-----w- c:\program files\Spyware Doctor
    2010-06-20 02:01 . 2008-07-12 13:10 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-06-20 01:57 . 2008-04-04 19:35 -------- d-----w- c:\documents and settings\Mark Ag\Application Data\DNA
    2010-06-20 01:34 . 2008-04-04 21:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-06-20 01:29 . 2008-03-28 22:12 -------- d-----w- c:\program files\Dell
    2010-06-19 21:20 . 2008-04-04 19:35 -------- d-----w- c:\program files\DNA
    2010-06-19 13:30 . 2009-05-16 23:30 -------- d-----w- c:\documents and settings\Mark Ag\Application Data\Skype
    2010-06-19 13:29 . 2009-05-16 23:31 -------- d-----w- c:\documents and settings\Mark Ag\Application Data\skypePM
    2010-06-15 18:52 . 2010-03-31 18:30 439816 ----a-w- c:\documents and settings\Mark Ag\Application Data\Real\Update\setup3.10\setup.exe
    2010-06-11 05:04 . 2010-02-17 23:29 -------- d-----w- c:\program files\Business-in-a-Box
    2010-06-09 22:46 . 2008-06-06 12:55 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-05-16 05:07 . 2010-05-16 05:07 -------- d-----w- c:\program files\Common Files\Skype
    2010-05-12 08:03 . 2008-07-03 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-05-11 14:49 . 2010-05-11 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2010-05-11 14:49 . 2010-05-11 14:49 -------- d-----w- c:\documents and settings\Mark Ag\Application Data\Office Genuine Advantage
    2010-04-30 21:44 . 2008-04-25 02:57 -------- d-----w- c:\program files\McAfee.com
    2010-04-30 20:46 . 2008-04-25 02:57 -------- d-----w- c:\program files\McAfee
    2010-04-30 20:45 . 2008-04-25 02:57 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-27 22:16 . 2010-04-20 07:25 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2010-04-27 22:16 . 2010-04-20 07:25 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2010-04-27 22:16 . 2010-04-20 07:25 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-04-27 22:16 . 2010-04-20 07:25 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2010-04-27 22:16 . 2010-04-20 07:25 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-04-27 22:16 . 2010-04-20 07:25 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2010-04-27 22:16 . 2010-04-20 07:25 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-04-27 22:16 . 2010-04-20 07:25 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2010-04-27 22:16 . 2010-04-20 07:25 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2010-04-27 22:16 . 2010-04-20 07:25 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr
    2010-03-04 09:18 . 2010-03-04 09:18 207 ----a-w- c:\program files\pctlsp.log
    2010-04-27 22:16 . 2010-05-19 01:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-28 68856]
    "DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]
    "eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-03 323392]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2005-04-12 45056]
    "RTHDCPL"="RTHDCPL.EXE" [2008-01-15 16855552]
    "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
    "NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-10-26 184352]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-15 8523776]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-28 1838592]
    "CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-24 185896]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-19 149280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]

    c:\documents and settings\Mark Ag\Start Menu\Programs\Startup\
    eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-4 110592]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 9.lnk]
    backup=c:\windows\pss\SnagIt 9.lnkCommon Startup
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 9.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    2006-01-03 08:44 458752 -c--a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
    2008-01-18 02:40 17920 -c--a-w- c:\dell\E-Center\EULALauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
    2010-04-02 04:05 1180976 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/20/2010 2:25 AM 82952]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/5/2008 7:59 AM 93320]
    R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/20/2010 2:24 AM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/20/2010 2:24 AM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/20/2010 2:25 AM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/20/2010 2:25 AM 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/20/2010 2:25 AM 55456]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/20/2010 2:25 AM 312616]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/20/2010 2:25 AM 88480]
    R3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [3/28/2008 4:38 PM 117888]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/20/2010 2:25 AM 88480]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/20/2010 2:25 AM 83496]
    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-20 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

    2010-06-20 c:\windows\Tasks\SDMsgUpdate (TE).job
    - c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-03-05 12:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    FF - ProfilePath - c:\documents and settings\Mark Ag\Application Data\Mozilla\Firefox\Profiles\eho0tdmb.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - chicago-ninjutsu.org
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    HKLM-Run-Acrobat Assistant 8.0 - c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    HKLM-Run-BHR - c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-19 21:09
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-06-19 21:12:01
    ComboFix-quarantined-files.txt 2010-06-20 02:11

    Pre-Run: 452,604,166,144 bytes free
    Post-Run: 452,753,317,888 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - C530B3A47758132CE14500E19620C41C
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes, I know this and I also know there shouldn't be a problem asking for help. Sometimes a user will download all kinds of programs trying to 'do it them selves.' then, not only do we have to help with the malware, but also undo some of the damage done by those random, unguided programs.

    If you haven't used BitTorrent in 2 years, why don't you uninstall it?

    Yes, I always note what it finds and handle it accordingly. The file in Eset is in the Qoobox, which is where Combofix puts the files it quarantined as noted here:
    Eset: C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\rasacd.sys.vir
    Combofix: Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
    Restored copy from - Kitty had a snack


    So I gather you have no programs installed and have not had any Errors in the Event Viewer in the past week>
    ==== Installed Programs ======================
    There is no input in this section

    ==== Event Viewer Messages From Past Week ========
    There is no input in this section

    ==== End Of File ===========================

    Is there anything else you'd like to 'clarify' before I help you?
    =========================
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    C:\Program Files\DNA\btdna.exe
    c:\windows\system32\drivers\TfFsMon.sys
    c:\windows\system32\drivers\TfSysMon.sys
    Folder::
    c:\documents and settings\Mark Ag\Application Data\DNA
    c:\documents and settings\All Users\Application Data\TEMP
    c:\program files\DNA
    c:\windows\system32\drivers\TfNetMon.sys
    
    Extra::
    File::
    c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    Firefox-:- Profile - c:\documents and settings\Mark Ag\Application Data\Mozilla\Firefox\Profiles\eho0tdmb.default\
    Firefox-: 
    Firefox-: 
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"= -
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"= -
    
    Driver::
    TfFsMon
    TfSysMon
    TfNetMon
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...