TechSpot

[Solved] Csrss.exe cleaned but can't access to Firefox

Discussion in 'Virus and Malware Removal' started by tradingmax, Mar 6, 2011.

Thread Status:
Not open for further replies.
  1. Bobbye Helper on the Fringe

    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\drivers\Trufos.sys
    c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    
    Folder::
    c:\windows\system32\dumprep 0 -k
    RegLock::
    [HKEY_USERS\.Default\Software\SetId\Internal]
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "MSConfig"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "18656:TCP"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    See Option 1


    Option 1:
    IF you have set 2 Main Startup pages to come up Blank, leave the 2 entries in Green. If you have not, check for removal.

    Close all Windows except HijackThis and click on "Fix Checked."
  2. tradingmax Newcomer, in training

    Aww, alright man. I got it. I'm gonna change back to FF 3.6 after the scan =D.
  3. tradingmax Newcomer, in training

    Log from ComboFix again

    ComboFix 11-03-10.02 - Abby 03/14/2011 2:00.4.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2710 [GMT 8:00]
    Running from: c:\documents and settings\Abby\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Abby\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1368 [VPS 110306-0] *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto"
    "c:\windows\system32\drivers\Trufos.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Abby\Application Data\oembios.exe
    c:\windows\system32\drivers\Trufos.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-13 to 2011-03-13 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-12 03:12 . 2010-05-14 08:08 388608 ----a-w- C:\HijackThis.exe
    2011-03-11 12:49 . 2011-03-11 12:49 -------- d-----w- c:\program files\Common Files\Java
    2011-03-11 12:49 . 2011-03-11 12:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-11 12:39 . 2011-03-11 12:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-09 12:24 . 2011-03-09 12:24 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-03-09 02:11 . 2011-03-09 02:11 -------- d-----w- c:\program files\MSSOAP
    2011-03-09 01:38 . 2011-03-09 01:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-03-06 17:03 . 2011-03-06 17:03 -------- d-----w- c:\program files\ESET
    2011-03-06 07:49 . 2011-03-06 07:49 -------- d-----w- c:\documents and settings\Abby\Application Data\Malwarebytes
    2011-03-06 07:49 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-06 07:49 . 2011-03-06 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-06 07:49 . 2011-03-06 07:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-06 07:49 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-06 02:53 . 2011-03-06 02:53 -------- d-----w- c:\documents and settings\Administrator
    2011-03-05 10:06 . 2011-03-05 10:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2011-03-05 08:35 . 2011-03-05 08:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-03-05 08:35 . 2011-03-05 08:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-04 08:52 . 2011-03-11 10:46 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 12
    2011-02-21 08:18 . 2011-02-21 08:18 -------- d-----w- c:\program files\Common Files\Skype
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-08 01:37 . 2010-07-08 01:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-06_16.57.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-13 17:36 . 2011-03-13 17:36 16384 c:\windows\Temp\Perflib_Perfdata_2d8.dat
    + 2004-08-04 11:00 . 2011-03-13 17:40 78900 c:\windows\system32\perfc009.dat
    - 2004-08-04 11:00 . 2011-03-06 15:20 78900 c:\windows\system32\perfc009.dat
    + 2011-03-09 02:12 . 2011-03-09 02:12 57344 c:\windows\Installer\{73FAD870-C7A8-4344-BA8F-DF8675276E91}\texticon.exe
    + 2011-03-09 02:12 . 2011-03-09 02:12 32768 c:\windows\Installer\{73FAD870-C7A8-4344-BA8F-DF8675276E91}\maintenance_icon.exe
    + 2011-03-09 02:12 . 2011-03-09 02:12 61440 c:\windows\Installer\{73FAD870-C7A8-4344-BA8F-DF8675276E91}\helpicon.exe
    + 2007-01-31 05:50 . 2007-01-31 05:50 913408 c:\windows\system32\xreglib.dll
    + 2001-09-07 03:41 . 2001-09-07 03:41 290816 c:\windows\system32\WINHTTP5.DLL
    + 2004-08-04 11:00 . 2011-03-13 17:40 464632 c:\windows\system32\perfh009.dat
    - 2004-08-04 11:00 . 2011-03-06 15:20 464632 c:\windows\system32\perfh009.dat
    + 2011-03-11 12:49 . 2011-03-11 12:49 157472 c:\windows\system32\javaws.exe
    + 2011-03-11 12:49 . 2011-03-11 12:49 145184 c:\windows\system32\javaw.exe
    - 2009-08-07 13:22 . 2009-08-07 13:22 145184 c:\windows\system32\javaw.exe
    + 2011-03-11 12:49 . 2011-03-11 12:49 145184 c:\windows\system32\java.exe
    - 2009-08-07 13:22 . 2009-08-07 13:22 145184 c:\windows\system32\java.exe
    + 2010-11-29 05:12 . 2010-11-29 05:12 535824 c:\windows\system32\drivers\avc3.sys
    + 2007-04-11 02:11 . 2007-04-11 02:11 511328 c:\windows\system32\capicom.dll
    + 2011-03-11 12:49 . 2011-03-11 12:49 180224 c:\windows\Installer\3f1ccb.msi
    + 2011-03-11 12:49 . 2011-03-11 12:49 675840 c:\windows\Installer\3f1cc5.msi
    + 2011-03-11 12:46 . 2011-03-11 12:46 677888 c:\windows\Installer\3f1cc0.msi
    + 2011-03-11 12:46 . 2011-03-11 12:46 292878 c:\windows\Installer\{AC76BA86-7AD7-5670-0000-A00000000003}\ARPPRODUCTICON.exe
    + 2011-03-09 02:12 . 2011-03-09 02:12 336782 c:\windows\Installer\{73FAD870-C7A8-4344-BA8F-DF8675276E91}\register_icon.exe
    + 2011-03-09 02:11 . 2011-03-09 02:11 1230336 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
    + 2010-11-29 05:12 . 2010-11-29 05:12 1066232 c:\windows\system32\drivers\avckf.sys
    + 2011-03-09 02:12 . 2011-03-09 02:12 2640896 c:\windows\Installer\5613e.msi
    + 2011-03-09 02:11 . 2011-03-09 02:11 1470464 c:\windows\Installer\56137.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-07 13902440]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    c:\documents and settings\Abby\Start Menu\Programs\Startup\
    RealTemp.lnk - c:\program files\RealTemp_3.00\RealTemp.exe [2009-8-7 172032]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Abby^Start Menu^Programs^Startup^ashDisp.lnk]
    path=c:\documents and settings\Abby\Start Menu\Programs\Startup\ashDisp.lnk
    backup=c:\windows\pss\ashDisp.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Abby^Start Menu^Programs^Startup^desktop.ini]
    path=c:\documents and settings\Abby\Start Menu\Programs\Startup\desktop.ini
    backup=c:\windows\pss\desktop.iniStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Abby^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\Abby\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-11-10 04:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 18:43 69632 -c----r- c:\windows\Alcmtr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    2008-04-14 02:42 110592 ----a-w- c:\windows\system32\bthprops.cpl
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamWizard]
    2005-05-13 05:42 184320 -c----w- c:\program files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 03:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-03-11 13:34 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2009-08-07 08:17 16384 -c--a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
    2002-12-10 10:32 155648 -c--a-w- c:\program files\Logitech\ImageStudio\ISStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
    2002-12-10 10:31 61440 -c--a-w- c:\program files\Logitech\ImageStudio\LogiTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
    2005-06-08 06:44 196608 -c--a-w- c:\program files\Logitech\Video\ManifestEngine.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
    2005-06-08 07:24 458752 -c--a-w- c:\program files\Logitech\Video\ISStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
    2005-06-08 07:14 217088 -c--a-w- c:\program files\Logitech\Video\LogiTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
    2005-07-19 09:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-06-07 09:34 13902440 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-06-07 09:34 110696 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2010-06-02 16:48 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2008-04-13 19:13 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 09:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-03-26 16:14 16859136 -c----r- c:\windows\RTHDCPL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    2009-09-24 06:41 434176 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 08:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2009-08-07 10:14 39408 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Torrent2Exe[6a5fbcaf9402d578fa4795f5a39bb264ea229e2f]]
    2010-09-29 09:29 624527 -c----w- c:\o2jam latino\jukebox.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2010-12-09 10:45 74752 ----a-w- c:\program files\Winamp\winampa.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Apple Mobile Device"=2 (0x2)
    "iPod Service"=3 (0x3)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe
    "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    "PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    "Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
    "h:\\Games\\Warcraft III\\Warcraft III.exe"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "h:\\Games\\Left 4 Dead 2\\left4dead2.exe"=
    "h:\\Games\\MapleStory\\Patcher.exe"=
    "h:\\Games\\MapleStory\\hshield\\HSUpdate.exe"=
    "h:\\Games\\Borderlands\\Binaries\\Borderlands.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
    "h:\\Games\\Left 4 Dead\\left4dead.exe"=
    "c:\\O2Jam Latino\\jukebox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Winamp\\winamp.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "h:\\Abby\\NETBIG2.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "18656:TCP"= 18656:TCP:BitComet 18656 TCP
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/6/2009 5:27 PM 64288]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/7/2009 8:26 PM 114768]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 PM 1352832]
    R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2/5/2010 9:01 AM 90112]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2/5/2010 9:01 AM 27632]
    S2 gupdate1ca17481f252976;Google Update Service (gupdate1ca17481f252976);c:\program files\Google\Update\GoogleUpdate.exe [8/7/2009 6:16 PM 133104]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [8/8/2009 4:06 PM 13224]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [5/18/2010 6:36 PM 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [5/18/2010 6:36 PM 79360]
    S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [8/7/2009 4:15 PM 163328]
    S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [8/8/2009 3:58 PM 86824]
    S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [8/8/2009 3:58 PM 15016]
    S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [8/8/2009 3:58 PM 114600]
    S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [8/8/2009 3:58 PM 108328]
    S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [8/8/2009 3:58 PM 26024]
    S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [8/8/2009 3:58 PM 104616]
    S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [8/8/2009 3:58 PM 109736]
    S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [3/3/2010 4:28 PM 874240]
    S4 avc3;avc3;c:\windows\system32\drivers\avc3.sys [11/29/2010 1:12 PM 535824]
    S4 avckf;avckf;c:\windows\system32\drivers\avckf.sys [11/29/2010 1:12 PM 1066232]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 01:09]
    .
    2011-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
    .
    2011-03-13 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-07 10:14]
    .
    2011-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-07 10:16]
    .
    2011-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-07 10:16]
    .
    2011-03-13 c:\windows\Tasks\User_Feed_Synchronization-{30C6A3C0-FC91-49C5-AAC5-25230F5FC83F}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-07 20:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = about:blank
    uInternet Settings,ProxyOverride = localhost
    IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
    FF - ProfilePath - c:\documents and settings\Abby\Application Data\Mozilla\Firefox\Profiles\qg34kjc9.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 62364
    FF - prefs.js: network.proxy.type - 0
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-14 02:29
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-03-14 02:32:18
    ComboFix-quarantined-files.txt 2011-03-13 18:32
    ComboFix.txt 2011-03-06 16:59
    ComboFix2.txt 2011-03-12 02:40
    .
    Pre-Run: 40,734,846,976 bytes free
    Post-Run: 40,716,566,528 bytes free
    .
    - - End Of File - - 5167872F51999DF7AE30943F83A6899A
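As an added example (not part of this thread, ComboFix or any of the tools it names), a small Python triage script that reads the firewall-policy and Firefox prefs.js lines of a ComboFix log in the format posted above and flags what a helper otherwise checks by eye: a disabled Windows Firewall standard profile, every globally open port (such as the BitComet entry), and a Firefox HTTP proxy pointing at 127.0.0.1, which is a common reason a browser stops connecting once the process behind the proxy is removed. The sample input is a constructed excerpt modelled on the log above; the function names are my own.

```python
import re

# Constructed sample: an excerpt modelled on the ComboFix log posted above
# (only the firewall-policy and Firefox prefs.js lines that matter here).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18656:TCP"= 18656:TCP:BitComet 18656 TCP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 62364
FF - prefs.js: network.proxy.type - 0
"""

# Key path ComboFix uses for the XP firewall's standard profile (lower-cased
# because the log mixes cases between sections).
FW_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"


def parse_reg_sections(text):
    """Group REGEDIT-style log output into {lower-cased key path: [value lines]}.

    A '[...]' line opens a key; ComboFix's lone '.' separator closes it."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif line in (".", ""):
            current = None
        elif current is not None:
            sections[current].append(line)
    return sections


def firewall_findings(sections):
    """Flag a disabled standard profile and every globally open port."""
    findings = []
    for line in sections.get(FW_PROFILE, []):
        m = re.match(r'"EnableFirewall"=\s*(\d+)', line)
        if m and int(m.group(1)) == 0:
            findings.append("firewall: standard profile disabled (EnableFirewall=0)")
    for line in sections.get(FW_PROFILE + r"\globallyopenports\list", []):
        # Value format: "<port>:<proto>"= <port>:<proto>:<display name>
        m = re.match(r'"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)', line)
        if m:
            port, proto, name = m.group(1), m.group(2), m.group(3).strip()
            findings.append(f"firewall: port {port}/{proto} globally open ({name})")
    return findings


def firefox_proxy_findings(text):
    """Flag a Firefox HTTP proxy that points at the local host.

    network.proxy.type 1 means 'manual proxy'; any other value means the
    stored host/port are not actually used, so that case is reported as
    informational rather than as an active redirection."""
    prefs = dict(re.findall(r"FF - prefs\.js: (network\.proxy\.\w+) - (\S+)", text))
    findings = []
    host = prefs.get("network.proxy.http")
    if host in ("127.0.0.1", "localhost"):
        port = prefs.get("network.proxy.http_port", "?")
        in_use = prefs.get("network.proxy.type") == "1"
        state = "ACTIVE" if in_use else "configured but not in use (proxy.type != 1)"
        findings.append(f"firefox: HTTP proxy {host}:{port} {state}")
    return findings


def triage(text):
    """Run every check over one ComboFix log and return the findings in order."""
    sections = parse_reg_sections(text)
    return firewall_findings(sections) + firefox_proxy_findings(text)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```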
  4. tradingmax Newcomer, in training

    I'm done with HijackThis too. Is everything fine now ? Waiting for declaration =X
  5. Bobbye Helper on the Fringe

    Looks clean to me! I do recommend you close the open port for BitComet in the firewall. There is still one open. I closed it with the script, but it's still open.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    Let me know if you have any more questions.
  6. tradingmax Newcomer, in training

    Maybe I pressed something, that's why it's still open. But I think that doesn't matter; the most important thing is it's clean now. I will check on that later =D

    I've done all the steps. Thank you for your precious time Bob, and all your effort =D
  7. Bobbye Helper on the Fringe

    You're welcome. Here are some tips to help you stay clean!

    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        • Avira AntiVir Personal Free Antivirus
        • Avast Free Version
      • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
        • Comodo
        • Zone Alarm
      • Antispyware: I recommend all of the following:
        • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
        • ZonedOut: Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. It places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
          For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
          IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
          Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away.
        • Replace the Hosts file: MVPS Hosts file. This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
        • Google Toolbar: Get the free Google toolbar to help stop pop up windows.
    3. Stay current on updates:
      • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      • Visit the Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates, as they are vulnerabilities.
      • Check the Java Updates site. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      • For Internet Explorer: Internet Options (through Tools or Control Panel)> Privacy tab> Advanced button> check 'Override automatic Cookie handling'> check 'Accept first party Cookies'> check 'Block third party Cookies'> check 'Allow per session Cookies'> Apply> OK.
      • For Firefox: Tools> Options> Privacy> Cookies> check 'Accept Cookies from Sites'> uncheck 'Accept third party Cookies'> set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'Use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      • AdBlock Plus
      • Easy List
    5. Do regular Maintenance:
      Remove Temporary Internet Files regularly:
      • ATF Cleaner by Atribune
      OR
      • TFC
      Disable and Enable System Restore:
      • See the System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling:
      • Don't open email from anyone you don't know.
      • Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      • Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Use a Site Advisor!
    The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy and Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight.

    Give it a try: http://www.mywot.com/en/download