TechSpot

Infected by Vista recovery virus/malware

By rookieWV
May 28, 2011
  1. Hey guys,

    it seems I got infected with the Windows Vista Recovery malware, and I have completed the steps of your 7-step malware removal instructions.

    I'm attaching the logs as per your instructions, and hope to receive further info on how to restore all the functions and icons that are still missing.

    Should I also remove the icon the malware installed on my desktop?


    Here are the logs:

    ***************#####****************

    mbm log


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6701

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.19048

    5/28/2011 9:57:37 AM
    mbam-log-2011-05-28 (09-57-37).txt

    Scan type: Quick scan
    Objects scanned: 164963
    Time elapsed: 9 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\programdata\abwhpxgioqcwl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\programdata\heypptdmgklwj.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\Users\Sari\AppData\Local\Temp\adobe_flash_player.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Sari\local settings\temporary internet files\Content.IE5\N7XD6W00\about[1].exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\programdata\35970808.exe (Trojan.Agent) -> Quarantined and deleted successfully.


    **********#########**********

    GMER log

    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit quick scan 2011-05-28 10:19:44
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST316081 rev.3.CH
    Running: ph5jfcgj.exe; Driver: C:\Users\Sari\AppData\Local\Temp\kwldypod.sys


    ---- Devices - GMER 1.0.15 ----



    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

    ---- EOF - GMER 1.0.15 ----



    ************########****************


    DDS.txt

    .
    DDS (Ver_11-05-19.01) - NTFSx86
    Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_24
    Run by Sari at 10:35:13 on 2011-05-28
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3574.2514 [GMT -5:00]
    .
    AV: COMODO Defense+ *Disabled/Updated* {A7500527-8708-6548-7035-7F679C5FCEA5}
    SP: COMODO Defense+ *Disabled/Updated* {1C31E4C3-A132-6AC6-4A85-4415E7D88418}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: COMODO Defense+ *Disabled* {9F6B8402-CD67-6410-5B6A-D652628C89DE}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    E:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    E:\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\System32\alg.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Google\Update\1.3.21.53\GoogleCrashHandler.exe
    C:\WINDOWS\RtHDVCpl.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    E:\Program Files\Comodo\COMODO Internet Security\cfp.exe
    C:\WINDOWS\System32\igfxpers.exe
    E:\itunes\iTunesHelper.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Sari\Downloads\dds.scr
    C:\Windows\system32\WSCRIPT.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.altavista.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [Google Update] "c:\users\sari\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [CAHeadless] e:\adobe\elements organizer 8.0\caheadless\ElementsAutoAnalyzer.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
    mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
    mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [DPService] "c:\program files\hp\dvdplay\DPService.exe"
    mRun: [COMODO Internet Security] "e:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [iTunesHelper] "e:\itunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    StartupFolder: c:\users\sari\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\3572475\program\Compaq Connections.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\sari\appdata\roaming\mozilla\firefox\profiles\9pklsz25.default\
    FF - prefs.js: browser.startup.homepage - www.altavista.com
    FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\sari\appdata\local\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: e:\itunes\mozilla plugins\npitunes.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-9-24 130960]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-9-24 29520]
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;e:\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-29 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-29 135664]
    S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2007-12-14 570880]
    S3 rt70x86;Linksys Home Wireless-G USB Adaptor Driver;c:\windows\system32\drivers\WUSB54Gv4x86.sys [2007-3-12 245248]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-05-28 14:46:17 -------- d-----w- c:\users\sari\appdata\roaming\Malwarebytes
    2011-05-28 14:46:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-28 14:46:00 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-28 14:45:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-28 14:45:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-27 13:02:15 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{73bf2de0-43a5-4a03-8c75-d0594d79fa1e}\mpengine.dll
    2011-05-17 15:57:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-11 20:47:42 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    .
    ==================== Find3M ====================
    .
    2011-03-10 16:12:54 1161728 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 16:12:54 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-03-03 15:00:15 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-03 14:56:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-03-03 14:56:29 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2011-03-03 14:56:26 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2011-03-03 14:56:25 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
    2011-03-03 14:56:25 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
    2011-03-03 13:01:01 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-03-03 12:53:48 2040832 ----a-w- c:\windows\system32\win32k.sys
    2011-03-02 14:49:43 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
    .
    ============= FINISH: 10:36:16.21 ===============




    **************###########***********

    attach.txt


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-05-19.01)
    .
    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume6
    Install Date: 9/25/2007 8:17:40 PM
    System Uptime: 5/28/2011 9:58:57 AM (1 hours ago)
    .
    Motherboard: ASUSTek Computer INC. | | LEONITE
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Socket 775 | 3200/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 142 GiB total, 64.038 GiB free.
    D: is FIXED (NTFS) - 7 GiB total, 0.878 GiB free.
    E: is FIXED (FAT32) - 15 GiB total, 3.375 GiB free.
    F: is FIXED (FAT32) - 15 GiB total, 0.458 GiB free.
    G: is FIXED (FAT32) - 15 GiB total, 15.082 GiB free.
    H: is FIXED (FAT32) - 15 GiB total, 10.126 GiB free.
    I: is FIXED (FAT32) - 14 GiB total, 14.085 GiB free.
    J: is CDROM ()
    K: is FIXED (FAT32) - 931 GiB total, 560.768 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0001
    Manufacturer: Microsoft
    Name: Microsoft Tun Miniport Adapter #2
    PNP Device ID: ROOT\*TUNMP\0001
    Service: tunmp
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    32 Bit HP CIO Components Installer
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Photoshop Elements 8.0
    Adobe Photoshop.com Inspiration Browser
    Adobe Premiere Elements 8.0
    Adobe Premiere Elements 8.0 Templates
    Adobe Reader 8.1.3
    Adobe Shockwave Player 11
    Advanced SystemCare 3
    AIO_Scan
    Amazon MP3 Downloader 1.0.3
    ApoMap
    Apophysis 2.0
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Combined Community Codec Pack 2008-01-24
    COMODO Internet Security
    Compaq Connections (remove only)
    CoreAVC Professional Edition (remove only)
    Data Lifeguard Diagnostic for Windows
    dj_aio_corporate
    DJ_AIO_Software_min
    DVD Play
    File Uploader
    FileZilla Client 3.5.0
    Frets On Fire
    GIMP 2.6.10
    Google Chrome
    Google Earth
    Google Gears
    Google Update Helper
    Google Updater
    Greeting Card Factory Express
    Hardware Diagnostic Tools
    Highlight Viewer (Windows Live Toolbar)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Advisor
    HP Customer Experience Enhancements
    HP Customer Feedback
    HP Deskjet All-In-One Driver Software 9.0.A Corporate Edition
    HP Easy Setup - Core
    HP Easy Setup - Frontend
    HP On-Screen Caps/Num/Scroll Lock Indicator
    HP Update
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Matrix Storage Manager
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 24
    Java(TM) 6 Update 3
    Java(TM) 6 Update 4
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Last.fm 1.5.1.30182
    LightScribe System Software
    LightScribe Template Labeler
    Linksys Dual-Band Wireless-N USB Network Adapter
    Linksys WUSB600N Dual-Band Wireless-N USB Network Adapter
    Logitech Legacy USB Camera Driver Package
    Logitech QuickCam
    Logitech QuickCam Driver Package
    Malwarebytes' Anti-Malware
    Map Button (Windows Live Toolbar)
    MatchMaker League Scheduler for Windows
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Works
    Mozilla Firefox 4.0.1 (x86 en-US)
    Mozilla Thunderbird (3.1.10)
    Mozilla Thunderbird (3.1.2)
    MPEG Video Wizard DVD 5.0 (12/2009)
    MPEG Video Wizard DVD 5.0.0.103 (12/2009)
    MSVC80_x86
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    My HP Games
    NEF Codec
    Nikon Message Center
    Nikon Transfer
    Nvu 1.0PR
    Octoshape add-in for Adobe Flash Player
    OGA Notifier 2.0.0048.0
    OpenOffice.org 2.4
    Paint.NET v3.5.4
    Picture Control Utility
    Python 2.4.3
    QuickTime
    RealPlayer
    Realtek High Definition Audio Driver
    Rhapsody
    Rhapsody Player Engine
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator EasyArchive
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio MyDVD Basic v9
    Scan
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2466156)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft Office Excel 2007 (KB2464583)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Smart Menus (Windows Live Toolbar)
    SmartSound Quicktracks for Premiere Elements 8.0
    Soft Data Fax Modem with SmartCP
    TBS WMP Plug-in
    Toolbox
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VC 9.0 Runtime
    ViewNX
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Windows 7 Upgrade Advisor
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Favorites for Windows Live Toolbar
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Player Firefox Plugin
    WinRAR archiver
    Yahoo! Messenger
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/22/2011 1:32:24 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    5/22/2011 1:32:24 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    5/22/2011 1:31:38 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was The configuration data for this product is corrupt. Contact your support personnel. .
    5/22/2011 1:30:29 PM, Error: volmgr [46] - Crash dump initialization failed!
    .
    ==== End Of File ===========================



    ######*******#########
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please do a right click> Properties on the icon. Let me know whatever information you find.
    ==================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =========================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  3. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Hi Bobbye!

    The properties on the icon just say

    Windows Vista Recovery

    C:\ProgramData\35970808.exe
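The shortcut target reported above is the same path Malwarebytes already quarantined in the first post. The script below is an added example, not part of this thread and not a tool of TechSpot, Malwarebytes or the helper: it parses the "Files Infected" lines as posted, labels the staging directories the droppers used, flags machine-looking file names, and checks whether a leftover desktop shortcut still points at anything live. The regex, the directory labels and the file-name heuristic are my own assumptions about the log format; the five log lines are copied from the thread and embedded so the script runs offline.

```python
"""Triage a Malwarebytes 'Files Infected' section and cross-check a shortcut target."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the five "Files Infected" lines from the Malwarebytes
# log posted in this thread, embedded so the script runs without the log file.
MBAM_LOG = r"""
Files Infected:
c:\programdata\abwhpxgioqcwl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\heypptdmgklwj.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Users\Sari\AppData\Local\Temp\adobe_flash_player.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Sari\local settings\temporary internet files\Content.IE5\N7XD6W00\about[1].exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\programdata\35970808.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Target shown by right-click > Properties on the desktop icon (reply #3 in the thread).
SHORTCUT_TARGET = r"C:\ProgramData\35970808.exe"

# Assumed line shape: "<path> (<detection>) -> <action>."  The greedy path group
# backtracks to the last " (" so paths containing parentheses still parse.
LINE_RE = re.compile(r"^(?P<path>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    path: str
    detection: str
    action: str


def parse_mbam_files(log: str) -> List[Detection]:
    """Return one Detection per file line; the header and blank lines are skipped."""
    found = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["detection"], m["action"]))
    return found


# Staging directories seen in this log, matched case-insensitively because the
# DDS and Malwarebytes output mix upper and lower case in paths. Labels are mine.
STAGING_DIRS = {
    "programdata": "ProgramData",
    r"appdata\local\temp": "User Temp",
    "temporary internet files": "IE cache",
}


def drop_location(path: str) -> Optional[str]:
    """Label the staging directory a file lives in, or None if it is elsewhere."""
    low = path.lower()
    for needle, label in STAGING_DIRS.items():
        if needle in low:
            return label
    return None


def looks_machine_named(path: str) -> bool:
    """Heuristic (assumption): stem is all digits or a run of 10+ lowercase letters."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem.isdigit() or (stem.isalpha() and stem.islower() and len(stem) >= 10)


def shortcut_target_status(target: str, detections: List[Detection]) -> str:
    """Say whether a leftover shortcut points at a file the scan already removed."""
    for d in detections:
        if d.path.lower() == target.lower():
            return "quarantined" if d.action.lower().startswith("quarantined") else "detected"
    return "not in scan results"


def triage(log: str, shortcut_target: str) -> dict:
    """Summarise the log: count, staging areas used, odd names, shortcut status."""
    dets = parse_mbam_files(log)
    return {
        "detections": len(dets),
        "staged": sorted({drop_location(d.path) or "other" for d in dets}),
        "machine_named": [d.path for d in dets if looks_machine_named(d.path)],
        "shortcut": shortcut_target_status(shortcut_target, dets),
    }


if __name__ == "__main__":
    for key, value in triage(MBAM_LOG, SHORTCUT_TARGET).items():
        print(f"{key}: {value}")
```

Run as-is it reports that the shortcut target is already quarantined, that every detection sat in ProgramData, the user's Temp folder or the IE cache, and that three of the five file names are either all digits or a random-looking letter run. The shortcut status answers the question in the first post: the icon is a dead link to a removed file, so deleting the shortcut only tidies the desktop.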
     
  4. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Bobbye - I ran the combofix and now I'm running the ESET. The ESET has been at it for 2 hours and is only at 12% --- is it supposed to take a whole day for it to complete the scan? Just wondering since everything else was fairly fast and smooth.
     
  5. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Here are the logs from ComboFix and ESET ---

    And a couple of questions:

    1) Should I also scan all other drives besides the C drive - additional hard drives/ partitions, external hard drives, memory cards etc.?

    2) Should the system restore be disabled to not get re-infected??


    Thanks,



    ******####******

    ComboFix log



    ComboFix 11-05-27.02 - Sari 05/28/2011 12:14:30.1.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3574.2362 [GMT -5:00]
    Running from: c:\users\Sari\Desktop\ComboFix.exe
    AV: COMODO Defense+ *Disabled/Updated* {A7500527-8708-6548-7035-7F679C5FCEA5}
    FW: COMODO Defense+ *Disabled* {9F6B8402-CD67-6410-5B6A-D652628C89DE}
    SP: COMODO Defense+ *Disabled/Updated* {1C31E4C3-A132-6AC6-4A85-4415E7D88418}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    K:\autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-28 14:46 . 2011-05-28 14:46 -------- d-----w- c:\users\Sari\AppData\Roaming\Malwarebytes
    2011-05-28 14:46 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-28 14:46 . 2011-05-28 14:46 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-28 14:45 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-28 14:45 . 2011-05-28 14:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-27 13:02 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{73BF2DE0-43A5-4A03-8C75-D0594D79FA1E}\mpengine.dll
    2011-05-17 15:57 . 2011-05-17 15:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-11 20:47 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-10 16:12 . 2011-04-13 06:42 1161728 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 16:12 . 2011-04-13 06:42 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-03-03 15:00 . 2011-04-13 06:42 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-03 14:56 . 2011-04-27 05:04 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-03-03 14:56 . 2011-04-27 05:04 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2011-03-03 14:56 . 2011-04-27 05:04 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2011-03-03 14:56 . 2011-04-27 05:04 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
    2011-03-03 14:56 . 2011-04-27 05:04 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
    2011-03-03 13:01 . 2011-04-27 05:04 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-03-03 12:53 . 2011-04-13 06:42 2040832 ----a-w- c:\windows\system32\win32k.sys
    2011-03-02 14:49 . 2011-04-13 06:42 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-04-30 12:05 . 2011-03-26 17:06 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-03-17 2387968]
    "CAHeadless"="e:\adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe" [2009-09-06 615808]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2006-11-20 155648]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-02-24 479232]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-03 178712]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2007-12-18 90112]
    "COMODO Internet Security"="e:\program files\Comodo\COMODO Internet Security\cfp.exe" [2010-03-29 1800464]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-19 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-19 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-19 133656]
    "iTunesHelper"="e:\itunes\iTunesHelper.exe" [2010-02-15 141608]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-24 44136]
    .
    c:\users\Sari\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2007-4-18 34520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 135664]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 135664]
    R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-12-14 570880]
    R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [x]
    R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [x]
    R3 rt70x86;Linksys Home Wireless-G USB Adaptor Driver;c:\windows\system32\DRIVERS\WUSB54Gv4x86.sys [2007-03-12 245248]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-03-29 130960]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-03-29 29520]
    S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;e:\adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-06 169312]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - KWLDYPOD
    *Deregistered* - kwldypod
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-28 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-29 16:36]
    .
    2011-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 22:52]
    .
    2011-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 22:52]
    .
    2011-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3204947284-1875590285-2841034717-1000Core.job
    - c:\users\Sari\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-29 21:05]
    .
    2011-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3204947284-1875590285-2841034717-1000UA.job
    - c:\users\Sari\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-29 21:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.altavista.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    FF - ProfilePath - c:\users\Sari\AppData\Roaming\Mozilla\Firefox\Profiles\9pklsz25.default\
    FF - prefs.js: browser.startup.homepage - www.altavista.com
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-28 12:28
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(780)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'lsass.exe'(728)
    c:\windows\system32\guard32.dll
    .
    Completion time: 2011-05-28 12:32:14
    ComboFix-quarantined-files.txt 2011-05-28 17:31
    .
    Pre-Run: 69,528,449,024 bytes free
    Post-Run: 77,623,377,920 bytes free
    .
    - - End Of File - - 1EE567BAEABEE4641D0C014D7A2B847B


    ******#####*******


    ESET scan log



    C:\Users\Sari\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\5c9dfd94-3d680ac7 multiple threats
    C:\Users\Sari\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\dbb0d5c-312b82d9 multiple threats
    C:\Users\Sari\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\4bbaaaaf-1cbb870a multiple threats

    *****####********
     
  6. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Help? Anyone?
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Every one of these posts sent me an email, including the 2 word one above! You only started this thread 9 hours ago. Please don't bump a thread for a few hours.
    ======================================
    You have configured the system to use Google Public DNS: TCP: DhcpNameServer = 8.8.8.8 8.8.4.4> hopefully you have good security.
    =====================================
    Combofix removed this entry: K:\autorun.inf This would indicate you are using an infected flash drive:
    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    For the Eset entries:
    To clear the Java Plug-in cache:

    [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the Control Panel. The Java Control Panel appears.
    [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      There are three options on this window to clear the cache. Check all:
      • Delete Files
      • View Applications
      • View Applets
    [5]. Click OK on the Delete Temporary Files window.
      Note: This deletes all the downloaded applications and applets from the cache.
    [6]. Click Apply > OK on the Temporary Files Settings window.
    Note: If you want to delete a specific application or applet from the cache, use the View Applications and View Applets options respectively.
    ==================================
    No. I will have to remove old restore points when we have finished, and set a new, clean restore point. Malware can cause a system to become so corrupt that the only way to get back into the system is through a restore point. So we leave them. However, you should not attempt to do a System Restore while I am helping you clean the system.
    ========================================
    I will review the ComboFix log tomorrow. It's 10:30 and I'm tired and hungry!
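The autorun.inf removal and the folder trick described in this post, as an added example in Python. This is not code from the thread and not Flash_Disinfector's own code (its internals are not shown here); it parses an autorun.inf the way Windows reads it, reports which entries would launch a program, and then occupies the autorun.inf name with a directory so a worm cannot drop a new file there. `WORM_AUTORUN`, `BENIGN_AUTORUN` and the `RECYCLER\update.exe` path are constructed samples; pass a drive root such as `K:\` to check and protect a real drive, external disks included.

```python
import sys
from pathlib import Path

# [autorun] keys that make Windows run a program. Before KB971029 (which
# restricted AutoRun to optical media) a USB disk could fire these; the
# shell\<verb>\command keys also rewrite the drive's Explorer actions.
LAUNCH_KEYS = {"open", "shellexecute"}

# Constructed sample modelled on the autorun.inf that USB worms of the period dropped.
WORM_AUTORUN = """\
[AutoRun]
open=RECYCLER\\update.exe
shell\\open\\Command=RECYCLER\\update.exe
shell\\explore\\Command=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
useautoplay=1
"""

# Constructed benign sample: a volume label and an icon only, nothing executes.
BENIGN_AUTORUN = """\
[autorun]
label=PHOTOS 2011
icon=photos.ico
"""


def parse_autorun(text: str) -> dict:
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Hand-rolled rather than configparser: worm-written files carry duplicate
    keys, mixed case and junk lines, all of which Windows tolerates.
    """
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()  # later duplicate wins
    return sections


def launch_targets(sections: dict) -> list:
    """(key, program) pairs from [autorun] that would execute something."""
    return [
        (key, value) for key, value in sections.get("autorun", {}).items()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def assess_autorun(text: str) -> list:
    """Explain why an autorun.inf looks malicious; an empty list means nothing runs."""
    sections = parse_autorun(text)
    auto = sections.get("autorun", {})
    findings = [f"launches {program!r} via {key}" for key, program in launch_targets(sections)]
    if findings and "action" in auto:  # worms relabel the Autoplay prompt
        findings.append(f"disguises the Autoplay prompt as {auto['action']!r}")
    if findings and "shell32.dll" in auto.get("icon", "").lower():
        findings.append("borrows a stock shell32.dll icon to pass as a plain folder")
    return findings


def scan_drive(root) -> list:
    """Assess <root>/autorun.inf; no file (or a protective directory) yields []."""
    marker = Path(root) / "autorun.inf"
    return assess_autorun(marker.read_text(errors="replace")) if marker.is_file() else []


def protect_drive(root) -> Path:
    """Occupy the autorun.inf name with a directory, as Flash_Disinfector does.

    A file cannot be created where a directory of that name exists, so a worm
    that simply writes autorun.inf fails (one that removes the directory first
    is not stopped; this is a speed bump, not a control). An existing file is
    moved aside rather than deleted so it can still be examined.
    """
    root = Path(root)
    marker = root / "autorun.inf"
    if marker.is_file():
        marker.replace(root / "autorun.inf.quarantined")
    if not marker.is_dir():
        marker.mkdir()
    if sys.platform == "win32":  # hide it like the tool does so it is not removed by accident
        import ctypes
        hidden_system = 0x02 | 0x04  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        ctypes.windll.kernel32.SetFileAttributesW(str(marker), hidden_system)
    return marker


def drop_attempt_blocked(root) -> bool:
    """Simulate a worm writing autorun.inf after protection; True if the OS refuses."""
    try:
        with open(Path(root) / "autorun.inf", "w") as fh:
            fh.write("[autorun]\nopen=worm.exe\n")
    except OSError:
        return True
    return False


if __name__ == "__main__":
    for name, text in (("worm sample", WORM_AUTORUN), ("benign sample", BENIGN_AUTORUN)):
        print(name, "->", assess_autorun(text) or "nothing launches")
    for drive in sys.argv[1:]:  # e.g. K:\ on Windows or /media/usb on Linux
        print(drive, "->", scan_drive(drive) or "nothing launches")
        print("protected:", protect_drive(drive), "blocked:", drop_attempt_blocked(drive))
```

The check is the same for any drive letter, so a large external disk is handled like a flash drive: look at what its autorun.inf would launch before deleting it, then leave the directory in place. Note that the protection only covers the autorun.inf vector; files already copied onto the disk still need a scan.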
     
  8. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Bobbye - I'm sorry for the bumping :(
    I'm quite familiar with forums but I've never enabled emails on the ones I've used, so I didn't realize it was sending you notifications. My bad :(

    A couple more questions before I move on with your instructions -

    1) the Google Public DNS? I know for sure *I* haven't configured the system to use it. Is it possible that either our ISP people have done it (?) or some google program (or some malware?) did it?
    I'm baffled on that one!
    How can I fix it?


    2) the K -drive is my external hard drive (1TB) - should I run the flash disinfector on it?

    I was reading another thread in which it was mentioned that Flash Disinfector is not compatible with Windows Vista -- do I need to run something else in its place to clean the flash drives?
    And how to clean up the external hard drive?

    3) what about my camera memory card (obviously it does not show up as it's only connected when downloading pictures from the camera) -- should it be checked?



    ... and I know about the hungry part, too... I'm a starving photographer, and having my computer down will make me starve some more as I can't process my files :(



    Thank You for your help so far.




    ***** edited to add*****


    RE: Deleting the temp files in Java Control Panel -- I click on OK and nothing happens. It's not locked up totally, but it will not do anything. I can move the window around, but I can't close it after clicking on OK, and I can only get out of it by ending the process in Task Manager.
    Obviously, something's not right there...
    OK I finally got it, I think. it just took quite a good bit of time which I didn't expect in the first place.


    Also, I ran the Flash Disinfector, but of course it wouldn't do anything (as far as I can tell) to the K-drive. I did run it on my flash drive just in case. How can I check the K-drive??
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    About getting the emails: you don't have to do anything. I am subscribed to my Active threads, ergo the notification of each reply.
    =======================
    The Flash Drive Disinfector says: Please disinfect all movable drives
    =======================
    About the Java cache: "I click on OK and nothing happens." You aren't going to 'see' the files being deleted. To close: Click on OK on the delete screen, then on Apply on the main screen> Then on OK on the main screen. IF you get a notice to Confirm after Apply, choose Yes.
    (the sequence will be Settings> Delete> OK> Apply> Confirm> OK)
    ===================================
    About the desktop icon: C:\ProgramData\35970808.exe
    Open the Task Manager> Highlight 35970808.exe> End Task.
    ===================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    FileLook::
    c:\windows\SMINST\launcher.exe
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    DDS::
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (screenshot omitted: CFScript.txt being dragged onto ComboFix.exe)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Questions & Comments:
    1). Is Comcast your ISP? Did they have you set up settings initially?
    2). Are you using a router?
    3). Please check the following:
    • Access Internet Options through the Control Panel or Tools in IE
    • Select the "Connections" tab at the top.
    • Click LAN Settings near the bottom of the "Connections" section.
    • Are any boxes in either Automatic Configuration or the Proxy server checked? If Yes, which ones. If Proxy is set, what is it?.
    (screenshot omitted: Internet Options > Connections > LAN Settings dialog)
    =====================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
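The Custom CFScript above deletes three DisableMonitoring overrides by hand, and the questions that follow it are about proxy and DNS settings. The following is an added example in Python, not ComboFix's own code and not part of this post: it parses the relevant lines of the ComboFix log posted earlier in the thread, builds the same Registry:: deletions automatically (using the REGEDIT4 `"name"=-` delete syntax the script relies on), lists the AppInit_DLLs entry for review, and reads the DNS/proxy lines. `LOG_EXCERPT` is copied from that log. The `TCP: NameServer` and `ProxyServer` line forms (for statically set resolvers and an explicit proxy) are assumed from the DDS/ComboFix convention, and the resolver name table is an assumption of this example.

```python
import re

# Constructed excerpt, copied from the ComboFix log posted earlier in this thread.
LOG_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.altavista.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
"""

SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DNS_RE = re.compile(r"^TCP:\s*(Dhcp)?NameServer\s*=\s*(.+)$")        # NameServer form assumed
PROXY_RE = re.compile(r"^[um]Internet Settings,(ProxyServer|ProxyOverride)\s*=\s*(.+)$")
KNOWN_RESOLVERS = {"8.8.8.8": "Google Public DNS", "8.8.4.4": "Google Public DNS"}  # assumed table


def parse_reg_points(log: str) -> dict:
    """Parse ComboFix's REGEDIT4-style "Reg Loading Points" into {key: {name: value}}.

    ComboFix separates blocks with a lone "." line, which ends the current key.
    """
    keys: dict = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = value.group(2)
        elif line in ("", "."):
            current = None
    return keys


def dword(value: str) -> int:
    """Decode a REGEDIT4 dword:XXXXXXXX literal; anything else counts as 0."""
    return int(value[6:], 16) if value.lower().startswith("dword:") else 0


def disabled_monitoring_keys(keys: dict) -> list:
    """Security Center keys whose DisableMonitoring value is non-zero.

    A value of 1 silences Security Center's warnings about missing or disabled
    AV/firewall. Suites set it to avoid duplicate alerts; malware sets it to
    hide that protection is off. No Symantec product appears in this log, so
    the Symantec* keys have no current owner.
    """
    return [
        path for path, values in keys.items()
        if path.lower().startswith(SECURITY_CENTER.lower())
        and dword(values.get("DisableMonitoring", "")) != 0
    ]


def appinit_dlls(keys: dict) -> list:
    """DLLs loaded into every user32-linked process via AppInit_DLLs; verify each one."""
    raw = keys.get(WINDOWS_KEY, {}).get("AppInit_DLLs", "")
    return [p for p in re.split(r"[,\s]+", raw) if p]


def build_registry_section(key_paths, value_name="DisableMonitoring") -> str:
    """Emit a CFScript Registry:: block; "name"=- is REGEDIT4 syntax for delete."""
    lines = ["Registry::"]
    for path in key_paths:
        lines += [f"[{path}]", f'"{value_name}"=-']
    return "\n".join(lines) + "\n"


def network_settings(log: str) -> dict:
    """Summarise the DNS and proxy lines of the Supplementary Scan.

    The "Dhcp" prefix means the resolvers were handed out by DHCP (the router
    or ISP); a plain NameServer line means they were set by hand or by
    software, which is where a DNS hijacker would show up.
    """
    info = {"dns": [], "dns_source": None, "resolvers": [], "proxy": None, "proxy_override": None}
    for raw in log.splitlines():
        line = raw.strip()
        dns = DNS_RE.match(line)
        if dns:
            info["dns"] = dns.group(2).split()
            info["dns_source"] = "dhcp" if dns.group(1) else "static"
            info["resolvers"] = [KNOWN_RESOLVERS.get(ip, "unknown, verify") for ip in info["dns"]]
        proxy = PROXY_RE.match(line)
        if proxy:
            info["proxy" if proxy.group(1) == "ProxyServer" else "proxy_override"] = proxy.group(2)
    return info


if __name__ == "__main__":
    reg = parse_reg_points(LOG_EXCERPT)
    print(build_registry_section(disabled_monitoring_keys(reg)))
    print("AppInit_DLLs to verify:", appinit_dlls(reg))
    print(network_settings(LOG_EXCERPT))
```

Two things the output makes explicit that the log only implies: the `DhcpNameServer` line reports resolvers assigned over DHCP, so on this machine the Google addresses came from the router (or whatever the ISP configured there), not from a setting on the PC; and the AppInit_DLLs entry is COMODO's guard32.dll, which matches the "DLLs Loaded Under Running Processes" section of the same log and is expected while COMODO Internet Security is installed.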
     
  10. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    OK, here we go with the logs for ComboFix 2nd run and HijackThis,

    and, to your comments and questions:


    I got the Java applets etc. deleted. Thank You.


    The desktop icon for the "Vista Recovery" still exists, but I believe Malwarebytes removed the .exe file for it since it's not in the processes in Task Manager, and it seems I saw the log mention it was deleted?


    I have run the Flash Disinfector on my removable flash drive and my camera card. I'm still wondering about the external hard drive since the FD program does not give an option to choose what to check/ clean, and the hard drive has been connected all along, so it's available for the FD, I just can't direct it to it, nor can I tell if it checked it in any way.
    And I *really* need that drive clean of malware, it has all my picture files that I need to be selling.




    1) No, Comcast is not our ISP. We are on a small rural ISP out in the middle of nowhere, at the end of a wireless connection.
    Earlier in the year we had lots of connection problems (slow, or no connection), and they have configured the system so many times (router) it's not even funny.

    2) Yes, we have a router.

    3) The LAN settings are blank, just like in your screen cap.


    Now my new questions/comments:

    After running the Combofix, when trying to run Firefox I got the following error:
    "Illegal operation attempted on a registry key that has been marked for deletion"

    Also, my IE (that I never use) refused to run.

    I had to reboot at this point. After that I was able to get back on and running and get the HijackThis downloaded and run.

    I hope I didn't cause it to go back to any restore point that might be harmful?


    What are the cons of having the Google Public DNS?? What can it cause and why would my ISP people have me/us on it IF they did it??


    *********************


    ComboFix 11-05-27.02 - Sari 05/29/2011 12:45:21.2.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3574.2366 [GMT -5:00]
    Running from: c:\users\Sari\Desktop\ComboFix.exe
    Command switches used :: c:\users\Sari\Desktop\CFscript.txt
    AV: COMODO Defense+ *Disabled/Updated* {A7500527-8708-6548-7035-7F679C5FCEA5}
    FW: COMODO Defense+ *Disabled* {9F6B8402-CD67-6410-5B6A-D652628C89DE}
    SP: COMODO Defense+ *Disabled/Updated* {1C31E4C3-A132-6AC6-4A85-4415E7D88418}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-29 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-29 17:57 . 2011-05-29 17:57 -------- d-----w- c:\users\Sari\AppData\Local\temp
    2011-05-29 17:57 . 2011-05-29 17:57 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-05-28 14:46 . 2011-05-28 14:46 -------- d-----w- c:\users\Sari\AppData\Roaming\Malwarebytes
    2011-05-28 14:46 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-28 14:46 . 2011-05-28 14:46 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-28 14:45 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-28 14:45 . 2011-05-28 14:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-27 13:02 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{73BF2DE0-43A5-4A03-8C75-D0594D79FA1E}\mpengine.dll
    2011-05-17 15:57 . 2011-05-17 15:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-11 20:47 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-10 16:12 . 2011-04-13 06:42 1161728 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 16:12 . 2011-04-13 06:42 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-03-03 15:00 . 2011-04-13 06:42 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-03 14:56 . 2011-04-27 05:04 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-03-03 14:56 . 2011-04-27 05:04 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2011-03-03 14:56 . 2011-04-27 05:04 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2011-03-03 14:56 . 2011-04-27 05:04 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
    2011-03-03 14:56 . 2011-04-27 05:04 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
    2011-03-03 13:01 . 2011-04-27 05:04 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-03-03 12:53 . 2011-04-13 06:42 2040832 ----a-w- c:\windows\system32\win32k.sys
    2011-03-02 14:49 . 2011-04-13 06:42 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-04-30 12:05 . 2011-03-26 17:06 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\SMINST\launcher.exe ---
    Company: soft thinks
    File Description: Launcher
    File Version: 1, 0, 0, 10
    Product Name: soft thinks Launcher
    Copyright: Copyright © 2006
    Original Filename: Launcher.exe
    File size: 44136
    Created time: 2006-11-24 23:20
    Modified time: 2006-11-24 23:20
    MD5: DBEB9EE2A13D9AA0D5F180757B5A2C26
    SHA1: 5400A2B2ADE9D78630E0AED1C88A284A2DA18835
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-03-17 2387968]
    "CAHeadless"="e:\adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe" [2009-09-06 615808]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2006-11-20 155648]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-02-24 479232]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-03 178712]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2007-12-18 90112]
    "COMODO Internet Security"="e:\program files\Comodo\COMODO Internet Security\cfp.exe" [2010-03-29 1800464]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-19 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-19 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-19 133656]
    "iTunesHelper"="e:\itunes\iTunesHelper.exe" [2010-02-15 141608]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-24 44136]
    .
    c:\users\Sari\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2007-4-18 34520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\guard32.dll
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 135664]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 135664]
    R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-12-14 570880]
    R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [x]
    R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [x]
    R3 rt70x86;Linksys Home Wireless-G USB Adaptor Driver;c:\windows\system32\DRIVERS\WUSB54Gv4x86.sys [2007-03-12 245248]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-03-29 130960]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-03-29 29520]
    S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;e:\adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-06 169312]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-29 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-29 16:36]
    .
    2011-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 22:52]
    .
    2011-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 22:52]
    .
    2011-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3204947284-1875590285-2841034717-1000Core.job
    - c:\users\Sari\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-29 21:05]
    .
    2011-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3204947284-1875590285-2841034717-1000UA.job
    - c:\users\Sari\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-29 21:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.altavista.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    FF - ProfilePath - c:\users\Sari\AppData\Roaming\Mozilla\Firefox\Profiles\9pklsz25.default\
    FF - prefs.js: browser.startup.homepage - www.altavista.com
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-29 12:57
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-05-29 12:59:59
    ComboFix-quarantined-files.txt 2011-05-29 17:59
    ComboFix2.txt 2011-05-28 17:32
    .
    Pre-Run: 76,031,463,424 bytes free
    Post-Run: 76,001,718,272 bytes free
    .
    - - End Of File - - D4171E6FA0CE56E5B7156A1F9E249577




    ***************###############******************



    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:21:45 PM, on 5/29/2011
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.19048)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\WINDOWS\RtHDVCpl.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    E:\Program Files\Comodo\COMODO Internet Security\cfp.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    E:\itunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
    O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [DPService] "C:\Program Files\HP\DVDPlay\DPService.exe"
    O4 - HKLM\..\Run: [COMODO Internet Security] "E:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\itunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [CAHeadless] E:\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    O20 - AppInit_DLLs: C:\WINDOWS\System32\guard32.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - E:\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - E:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 9544 bytes

    *********************
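    An added example, not part of rookieWV's post and not code from HijackThis or any other tool named in this thread: a PowerShell first pass over HijackThis lines that flags the entries worth a second look in a rogue-antivirus cleanup. The sample lines are constructed for the example; all but the last are copied from the log above, and the last one (an autostart pointing at an executable under ProgramData, file name made up) is there so the script has a real hit to show. The DNS allow-list is an assumption; put in whatever your ISP says it uses.

```powershell
# Added example (editorial): not from the thread, HijackThis or any product on the page.
# First-pass triage of HijackThis log lines. Flags: BHOs whose DLL is gone,
# autostarts launched from data/temp directories, AppInit_DLLs entries, and
# O17 DNS servers that are not on an allow-list.

$AllowedDns = @('8.8.8.8', '8.8.4.4')   # assumption: the resolvers the ISP hands out

# Constructed sample: the first five lines are from the log above, the last is made up.
$sampleLog = @'
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [COMODO Internet Security] "E:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 8.8.4.4
O20 - AppInit_DLLs: C:\WINDOWS\System32\guard32.dll
O4 - HKCU\..\Run: [rogue12345] C:\ProgramData\rogue12345.exe
'@

function Test-HjtLine {
    param([string]$Line)
    $reasons = @()
    # switch -Regex is case-insensitive and runs every branch that matches
    switch -Regex ($Line) {
        '^O2 .*\(no file\)\s*$' {
            $reasons += 'BHO whose DLL is missing (orphaned entry, safe to fix)'
        }
        '^O4 .*\\(ProgramData|Temp|AppData|Local Settings)\\' {
            $reasons += 'autostart launched from a data or temp directory'
        }
        '^O17 .*=\s*(.+)$' {
            $servers = $Matches[1] -split '[ ,]+' | Where-Object { $_ }
            $unknown = $servers | Where-Object { $AllowedDns -notcontains $_ }
            if ($unknown) { $reasons += "DNS server(s) not on the allow-list: $($unknown -join ' ')" }
        }
        '^O20 - AppInit_DLLs:\s*(.+)$' {
            $dll  = $Matches[1].Trim()
            $note = 'AppInit_DLLs loads into every process that loads user32.dll; confirm the publisher'
            if (Test-Path -LiteralPath $dll) {
                # Only meaningful on the machine the log came from
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $note += " (Authenticode status: $($sig.Status))"
            }
            $reasons += $note
        }
    }
    New-Object PSObject -Property @{
        Line       = $Line
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$sampleLog -split "`r?`n" |
    Where-Object { $_.Trim() } |
    ForEach-Object { Test-HjtLine -Line $_ } |
    Where-Object { $_.Suspicious } |
    Format-List Line, Reasons
```

    Paste a real log in place of the sample and run it in PowerShell. On this sample it reports three hits: the orphaned O2 entry (a leftover from an uninstalled program, harmless but fixable in HijackThis), the O20 line (guard32.dll is a COMODO Internet Security component, and the O4 and O23 Comodo entries in the log show that suite is installed here; on the machine itself the script appends the file's Authenticode status so that can be confirmed), and the constructed ProgramData autostart. The O17 line passes because both servers are on the allow-list. The script only points at patterns; every hit still needs a person to check the file's publisher before anything is fixed.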
     
  11. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Are you still with me?

    Waiting for further instructions!

    :)
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes, I am. My @($%^%E$ internet was down again; I worked offline from what I saw in the email replies. Then we had some bad storms come through. I am trying to catch up.

    I am puzzled about the Google Open DHCP in light of your comments about the ISP problems. I thought it would show in the HijackThis log like this:
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 8.8.4.4
    but it doesn't. I'm wondering if the Garmin Communicator Plug-In uses this.

    ===================================
    Here is some information about the Google Public DNS:

    Google Public DNS is a free, global Domain Name System (DNS) resolution service, that you can use as an alternative to your current DNS provider. Google goes on to describe, from a security point, why their DNS is 'good':
    The technicalities of this are out of my area of knowledge. If your ISP is using this and we remove it, you won't be able to connect at all. I'm going to try and get some opinions from more learned people in this area. Then we'll decide.
    =====================================
    This usually happens if Combofix isn't updated before scanning.
    =========================
    Sorry, not Comcast. I misread this: Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2007-4-18 34520]
    ====================================
    About the Flash Disinfector: It isn't compatible with Windows 7. As far as I know, it's okay with Vista. You should be able to connect the external hard drive while running it and it should be cleaned.

    Please give me an update on the problems you are still experiencing.
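    An added example for the DhcpNameServer question, editorial and not part of Bobbye's post, HijackThis or ComboFix: Windows keeps two DNS values per adapter under Tcpip\Parameters and its Interfaces subkeys. NameServer is a static setting, which is what a DNS-changing trojan writes; DhcpNameServer is what the DHCP client copied out of the lease the router or ISP handed out. ComboFix's "TCP: DhcpNameServer" line in the log above reports the second kind. The script lists both values for the global key and every adapter and flags static entries that are not on an allow-list; the allow-list contents are an assumption.

```powershell
# Added example (editorial): not from the thread or from any tool it names.
# Lists every DNS server recorded by the TCP/IP stack and where it came from:
#   NameServer     = static setting (the footprint a DNS-changing trojan leaves)
#   DhcpNameServer = copied from the DHCP lease (router/ISP supplied)
# Reading HKLM needs no elevation.

$Allowed   = @('8.8.8.8', '8.8.4.4')   # assumption: replace with your ISP's resolvers
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsSource {
    param([string]$Key, [string]$Label)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($valueName in 'NameServer', 'DhcpNameServer') {
        $raw = $props.$valueName
        if (-not $raw) { continue }
        if ($valueName -eq 'NameServer') { $source = 'static (registry)' } else { $source = 'DHCP lease' }
        # The value is a space- or comma-separated list of addresses
        foreach ($server in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            New-Object PSObject -Property @{
                Scope    = $Label
                Source   = $source
                Server   = $server
                Expected = ($Allowed -contains $server)
            }
        }
    }
}

$results = @(Get-DnsSource -Key $paramsKey -Label 'global')
foreach ($iface in Get-ChildItem -Path "$paramsKey\Interfaces") {
    $results += @(Get-DnsSource -Key $iface.PSPath -Label $iface.PSChildName)
}

$results | Format-Table Scope, Source, Server, Expected -AutoSize

# A static entry that is not on the list is the pattern of a DNS hijack on
# this host. A DHCP-supplied one came from the router or ISP, which a
# host-side scan cannot inspect.
$suspect = $results | Where-Object { $_.Source -like 'static*' -and -not $_.Expected }
if ($suspect) {
    Write-Warning 'Static DNS servers not on the allow-list:'
    $suspect | Format-Table Scope, Server -AutoSize
} else {
    Write-Host 'No unexpected static DNS servers found.'
}
```

    Run it from any PowerShell prompt (2.0 or later). If a wrong address shows up with Source "DHCP lease", the place to look is the router's own DNS settings or the ISP, not the Windows registry; if it shows up as "static (registry)", something on the host put it there.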
     
  13. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Thank You, Bobbye!
    We live in Tornado Alley so I know how it goes with bad storms coming through. Luckily, in our 6 years here, I've only seen one tornado, and it was a tiny little F0, but only a quarter of a mile away :| That was spooky enough for me!



    The Garmin thingy is, I think, related to my husband's GPS, and as far as I know everything related to it on this computer can be deleted - it's not needed at all.

    Same goes for Windows Live stuff - it's all unnecessary.
    Also, iTunes helper can go.


    And again - when I run the Flash Disinfector my external hard drive is connected all along, but I don't have any way to direct the program to it, it doesn't give me any option, just says, "please plug in"... or something like that. It does not indicate in any way WHAT exactly it's checking. So I'm left to wonder what, if anything at all, it did.
    I'm getting a feeling that it may not be working right?


    Is there anything I need to do with the Hijack This - it's still waiting to do fixes/scans/whatever needed?




    OK, to the existing problems:

    1) the malware icon is still on the desktop - should I just delete it? (then stomp on it to make sure it died and pour some disinfectant on it? ;) )

    2) many of my icons are still missing from the desktop and the bar on the bottom of the screen, whatever that's called (quick launch?)


    These are the two I see right now. I have not been using the PC for anything except for waiting for updates here and an occasional weather check, because right now I'm pretty paranoid about it until I get it confirmed clean... I'm sure you know what I mean :)

    Thank You again,

    I'll be waiting! :)
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    1) "the malware icon is still on the desktop - should I just delete it? (then stomp on it to make sure it died and pour some disinfectant on it?)" Yes, all of the above! Be sure to use a right click> Delete.

    2) "many of my icons are still missing from the desktop and the bar on the bottom of the screen, whatever that's called (quick launch?)" Do a right click anywhere on the desktop> Toolbars> Make sure the Quick Launch Toolbar is checked.
    Do another right click on the desktop> choose 'Arrange icons by'> make sure Show icons is checked.
    ==========================================
    The reason "it doesn't give me any option, just says, 'please plug in'" is because "external hard drive is connected all along". If the external drive was connected to a USB port when you ran the flash disinfector, then it should have been disinfected also.
    =========================================
    If you are still missing icons or any other section in the system, let's go through the following:
    You are going to run Malwarebytes again and you can use what is on the desktop- the one exception is that you will be doing a Full Scan instead of Quick scan:

    Update Malwarebytes> On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
    When scan has finished, you will see a message box (screenshot not reproduced here):
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==================================
    Then you will unhide whatever can't be seen: Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    ======================================
    Let me know how these go. I'm still looking for information on the Google Open DNS. You mentioned problems with the ISP, but if there is any way you can contact them and ask if they require this setting, it would make both our lives easier.
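    An added example, not part of Bobbye's post and not Unhide.exe: the same +H clean-up as a PowerShell script, with two caveats a tool that clears every Hidden bit does not give you. It leaves alone anything that is also marked System or is a junction, because Windows hides those on purpose (desktop.ini, NTUSER.DAT, the "Application Data" compatibility links), and it skips the AppData tree, where applications hide their own files. The default roots and the AppData exclusion are assumptions about where this family hides things; -Preview prints what would change without touching it.

```powershell
# Added example (editorial): not from the thread and not Unhide.exe.
# Clears the Hidden attribute on user files, folders and shortcuts, skipping
# System-marked items, junctions and the AppData tree. Run with -Preview first.
param(
    # assumption: the places this rogue family hides things
    [string[]]$Roots = @($env:USERPROFILE, "$env:ProgramData\Microsoft\Windows\Start Menu"),
    [switch]$Preview
)

$hidden  = [System.IO.FileAttributes]::Hidden
$system  = [System.IO.FileAttributes]::System
$reparse = [System.IO.FileAttributes]::ReparsePoint
$skipPattern = '\\AppData\\'   # assumption: applications hide their own files here

$changed = 0
foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force is required; without it Get-ChildItem silently skips hidden items
    foreach ($item in (Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)) {
        if ($item.FullName -match $skipPattern) { continue }
        $attrs = $item.Attributes
        if (($attrs -band $hidden) -eq 0) { continue }                  # not hidden
        if (($attrs -band ($system -bor $reparse)) -ne 0) { continue }  # hidden by the OS on purpose
        if ($Preview) {
            Write-Host "Would unhide: $($item.FullName)"
        } else {
            # Flip only the Hidden bit; ReadOnly, Archive and the rest stay as they were
            $item.Attributes = $attrs -bxor $hidden
            $changed++
        }
    }
}
Write-Host "Cleared the Hidden attribute on $changed item(s)."
```

    Save it as a .ps1 file (any name), run it once with -Preview and read the list, then run it again without the switch. It needs PowerShell 2.0 or later; if script execution is disabled, allow it with Set-ExecutionPolicy RemoteSigned from an elevated prompt. Anything you had hidden deliberately under the roots you give it will become visible too, and a shortcut the rogue deleted rather than hid will not come back this way.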
     
  15. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Hi Bobbye, and Thanks again!!

    OK, I ran the unhide, but as far as I could see it didn't unhide any of the missing icons -
    Firefox
    Adobe Elements
    Adobe Premiere Elements
    QuickTimePro
    Nikon ViewNX
    Nikon Transfer
    (Adobe Reader - not used much to mention, but looks like missing)

    ... and I'm not sure if there are some others missing - the ones mentioned are the ones I use all the time, so they're the first ones I see missing.


    Also, despite checking the desktop and toolbar settings you told me (which are OK) - the toolbar/items on the left bottom side are still MIA - the "minimize all windows" icon among others.



    I'll call the ISP people about the Google Open DNS and see if they have anything to say about it. I'll let you know after I get a hold of them.




    Here's the last log for malwarebytes:


    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6705

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.19048

    6/3/2011 12:39:12 AM
    mbam-log-2011-06-03 (00-39-12).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|K:\|)
    Objects scanned: 503903
    Time elapsed: 2 hour(s), 7 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please open Windows Explorer: Windows key + E: Click on My Computer> Double click on Local Drive (C)> Programs> Right click on each of the following> Choose Send To> Choose Desktop- create a shortcut:
    Exit Windows Explorer when through.

    If Quick Launch Toolbar is on the Taskbar:
    Right click the Taskbar> Uncheck 'Lock the taskbar'> Drag each of the new shortcuts into the Quick Launch Toolbar.

    Right click again on the Taskbar when finished and check 'lock the Taskbar'

    FYI: For keyboards having a Windows key, the shortcut to minimize all open windows is Windows key + M.

    See if that does it.
     
  17. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    I wasn't sure if there was a quicker way to get the icons back / if you had a better way to do it than digging into the folders and getting them from there. I may be old and decrepit, but still know how to do that. Thanks!! :D

    Looks much better now!!


    I have a call into the ISP people, waiting for reply - most of their people work a day job and just do the ISP thing on evenings/ weekends. I'll let you know what I hear from them ASAP. I'm interested to hear if it's their job or where the heck did the Google Open DNS come from...



    So, is there anything you can suggest that will keep the malware out? I'd rather not repeat this exercise too often! I've managed to survive since early 90s without bugs, this was the first one...

    I have the Comodo AV/FW/Defense -- not quite sure how update it is, though.

    - Is there anything I should run in addition to keep the buggars out? Or replace the Comodo with something better?

    - Is there anything that will stop a webpage you enter from running stuff on your computer/ hiding crap on it to wreak havoc later?

    I have a feeling I initially got the malware from a website when I made a google search for my pictures online to see where they're being used. On one site the #ell broke loose and I had to shut down to keep it from going from a snowball to an avalanche.
    Everything seemed to work fine for a long time (a month? maybe more?) after that, but I've made sure not to enter the same place again while searching. Problem is, it's likely to do the same someplace else if someone's setting them out as traps.



    Also -- how safe am I right now to resume my work?
     
  18. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Update to the Google Public DNS ---- the ISP people said that THAT is what it's supposed to be. I don't know the whys for it, but it is what they want it to be.
     
  19. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Hey Bobbye... still remembah me? :)

    I'm still (mostly) patiently waiting for you to get back to me :)

    Do you have any opinion about a noscript extension for Firefox and if it could stop malware like the one I got from getting into the system?
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Seems like I'm telling everyone sorry for delay! We have been swamped!

    I thought the setting would be for the ISP. Glad you checked. Thank you. It may be the only available way to provide you with service.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    =======================================
    >>>
    Go to Comodo Support and/or look for the Read Me that should be within the program. The program is based, for the most part, on finding/preventing/removing malware. If you don't have the most current database, the AV will not recognize something new as malware.

    Use a Site Advisor. Know that the site is safe before you click on it. I recommend the following:

    The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show how users rate the site for Trustworthiness, Vendor Reliability, Privacy and Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.
    ======================================
    Comodo is fine for the firewall. It's bi-directional. Here are more tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      • Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      • ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      • Replace the Hosts File
      • Google Toolbar Pop Up Blocker
      • Web of Trust (WOT) Site Advisor.
    2. Have layered Security:
      • Antivirus (only one): Both of the following programs are free and known to be good:
        • Avira AntiVir Personal Free Antivirus
        • Avast Free Antivirus
      • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
        • Comodo
        • Zone Alarm
    3. Antimalware: I recommend all of the following:
      • SpywareBlaster: SpywareBlaster protects against bad ActiveX.
      • Spybot Search & Destroy
    4. Updates: Stay current:
      • Visit the Microsoft Download Site frequently. Install all updates marked Critical and the current SP updates.
      • Adobe Reader: Install current, uninstall old.
      • Java Updates: Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookies:
      • For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      • For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      • AdBlock Plus
      • Easy List
      • For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      • Temporary File Cleaner
    7. Restore Points:
      • See System Restore Guide
    8. Safe Email Handling
      • Don't open email from anyone you don't know.
      • Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      • Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
    =====================================
    I try to make a user understand that he or she is the first line of security. This puts some of the responsibility on the user- no matter how much or what security there is, if the user does 'dumb' things, the system will get malware: Some of my considerations of "dumb things"
    1. File Sharing
    2. Coupon printing
    3. Cosmetic things for the system like cursors, wallpaper, screensavers, Smileys, etc
    4. Random clicking on links.
    5. Opening attachments of unknown content/opening email from unknown senders.
    =====================================
    The entries in the 2 logs look fine. I don't see any evidence of malware or bad entries remaining. You should be safe to resume your work. Were you able to recreate new shortcuts?
     
  21. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Hey Bobbye!!

    Thanks!!

    ...and don't feel rushed... you're the helper... we're the helpees, and when you get swamped we just have to wait. It is hard to sit on my hands sometimes, but it's certainly not your fault if I can't handle my impatience...!!!

    OK, done with
    -combofix uninstall and
    -OTCleanIt
    as well as
    -system restore/creating new restore point and cleaning out the rest
    and
    -emptied recycle bin


    Also, downloaded WOT and installed it. OH!! You had some extra tags in the link - check it out!!


    Going to have to go down the list for the additional safety features ASAP.

    Then... I have another question...

    I tried to install the SP2 for my Vista a year ago and after that my internet connection kept zapping out. I could only get it back by rebooting, nothing else helped. So, I contacted Microsoft support and after TWO months of trying everything on the planet they deemed I could NOT have SP2 on this system AND keep my net going....

    So --
    Should I update to Win 7 since I can't have the SP update -- I actually had to install SP2 blocker to keep it out :(

    Let me know what you think before I go any further with my efforts - because I may have to change some of it if I go for the 7...

    Thanks again...

    Waiting.... :)
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you- I fixed the link.

    1. Is the offending icon on the desktop gone? Did you successfully create new short cuts for the ones you were missing?
    2. Did you restore the Quick Launch Toolbar and drag the new icons into it?
    3. Did you check and make sure Comodo is updating?
    4. The presence of the Google Public DNS has been resolved, correct?

    This bothers me:
    Did they give you a reason for this? I don't know why MS would deny the update if you have a legitimate version of the OS.
     
  23. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Hey Bobbye -

    1. Yes, the icon is gone. And yes, I got shortcuts done for everything I need :)
    2. I opted not to do it, since really the only one I use through the quick launch is to minimize all windows, and now that (I think) I remember the shortcut key for it, I don't really need the rest.

    3. Gotta do it next!
    4. Yes, I'm supposed to have it on here :)


    The reason for not updating was that they (MS) simply could NOT come up with a solution with which my connection would work.
    When I say it didn't work I mean that it would work for a while after a startup- anything from 7 to 45 mins, and then it would die on me. I could not get it back unless I rebooted.

    We tried *everything* under the sun with the support person (like I said, it took about two whole months), through drivers, Bios update (surprise, surprise after that the PC wouldn't start because it was trying to boot off of a wrong HDD, luckily I figured it out), disabling different things and testing if it worked.

    Something, somewhere was incompatible between the SP2 and my hard/software, but it remained a mystery.

    Finally, the guy literally threw his hands up in the air and said he can't find a solution. I had to fill out a stupid survey and tell them the problem had been "solved" as best it was possible.
    HE told me to download and install the update blocker because he wanted to make sure it wouldn't get installed through other updates.

    And NO, I was NOT happy, but what could I do?
    I thought about going to Win 7 back then, but gave up because I was tired of dealing with problems at that point.

    My PC came from Walmart with a $299 discount price tag four years ago, with Vista installed. Outside of that SP2 problem it has been working fine.



    ******edited to ask:

    I tried updating my Comodo, but it keeps coming back saying that "the net connection was lost half way through the update"... and I know the connection is alive and well. I tried several times, no luck - so - I'm downloading the newest firewall from Comodo and then adding the antivirus you suggested.


    The question: for antimalware you suggested two downloads, as in, get them both?? Just making sure....

    Thanks again.....
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We need to bring this thread to a close. The purpose here is to find and remove malware. We have done that. The malware problems have been resolved. The system is clean and the cleaning tools have been removed.

    You appear to have ongoing issues with the ISP; I can't resolve that. Do I advise you to update to Win 7? Not necessarily. You will need to do compatibility testing for what's on the system and whether it's compatible with Win 7, and check whether you meet the system requirements, etc.

    A suggestion for the Vista SP:
    It sounds like you could be having a RAM issue. SP2 doesn't "work", per se; it integrates into the OS. Check the Microsoft update site and find what is actually included in it and what the system requirements are. If you can reboot and restore the system to a running condition, then either you don't have enough RAM or a chip is bad.

    One more question:
    How much RAM do you have installed?

    Another thought: your hard drive 'space' is already limited:
    C: is FIXED (NTFS) - 142 GiB total, 64.038 GiB free.
    D: is FIXED (NTFS) - 7 GiB total, 0.878 GiB free.

    Consider that also.
     
  25. rookieWV

    rookieWV TS Rookie Topic Starter Posts: 16

    Hey Bobbye -

    I have 4 GB of RAM installed, of which the system can see 3 and something.
    The PC came with a whopping 512 MB (yeah, I know!) and I upgraded it to the maximum 4 GB two years ago.


    So, in other words.... you think I should start thinking about ditching this PC and getting a better one... right? ;)

    I can probably clean out some stuff off of it, but probably not tons...
     
Topic Status:
Not open for further replies.
