TechSpot

Please help me get rid of Whistler Black Internet

By JimKirk
Aug 6, 2010
  1. I'm sick of the ubiquitous pop-up that asks me if I want to turn on Microsoft Phishing Filter. I'm sick of the constant clicking and exiting sounds. I'm sick of the pop-unders that keep bringing Yahoo Messenger up on screen before they open. Most of all I'm sick of the audio ads for Bonjela. Please somebody help me. I'm tearing out my hair.
     
  2. crunchie

    crunchie Malware Helper Posts: 728

  3. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    Do I really have to do all that when I already know what infection I have?
     
  4. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    Besides, aren't you just a newbie like me?
     
  5. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    "crunchie" will be helping out, while Bobbye is gone for a while.
    "crunchie" knows what he's doing and everybody is required to post prescribed logs.
     
  6. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    ok, fair enough. so i just follow from step 1 on?
     
  7. crunchie

    crunchie Malware Helper Posts: 728

    Yes please.

    Thank you Broni.
     
  8. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    ok. will do.
     
  9. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    :)
    I'm out of this thread.
    Have fun guys :)
     
  10. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    All the logs
     

    Attached Files:

  11. crunchie

    crunchie Malware Helper Posts: 728

    If you can, please do not attach your logs in zip format. I do not particularly enjoy downloading files from an infected computer :).

    Preferably do a copy/paste unless the log is too large.

    ==

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  12. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    yeah, sorry about that. this bloody forum has a character limit. 20,000 characters per post. ridiculous. the logs were almost 50,000 in total.
     
  13. crunchie

    crunchie Malware Helper Posts: 728

    No worries. It is what it is :).
     
  14. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    combofix log

    ComboFix 10-08-06.01 - jim 07/08/2010 4:52.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.618 [GMT 1:00]
    Running from: c:\documents and settings\jim\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\jim\Application Data\inst.exe
    c:\windows\UA000106.DLL

    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
    .

    2010-08-06 20:47 . 2010-08-06 20:47 -------- d-----w- C:\VritualRoot
    2010-08-06 20:47 . 2010-08-06 21:43 205809 ----a-w- c:\windows\system32\drivers\sfi.dat
    2010-08-06 20:38 . 2010-08-06 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
    2010-08-06 13:40 . 2010-08-06 13:40 -------- d-----w- c:\program files\ESET
    2010-08-06 12:33 . 2010-08-06 12:33 -------- d-----w- c:\documents and settings\jim\Application Data\Malwarebytes
    2010-08-06 12:32 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-06 12:32 . 2010-08-06 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-06 12:32 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-06 12:32 . 2010-08-06 12:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-06 01:05 . 2010-08-06 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-06 01:05 . 2010-08-06 01:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-28 13:16 . 2010-07-28 13:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
    2010-07-26 23:20 . 2010-07-26 23:20 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-07-26 22:41 . 2010-07-26 22:41 -------- d-----w- c:\documents and settings\jim\Local Settings\Application Data\Sunbelt Software
    2010-07-26 22:37 . 2010-08-02 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-07-19 21:44 . 2010-07-19 21:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Yahoo
    2010-07-19 21:43 . 2010-07-19 21:43 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
    2010-07-17 01:43 . 2010-07-17 01:44 -------- d-----w- c:\documents and settings\jim\Local Settings\Application Data\Deployment
    2010-07-14 14:10 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-13 01:01 . 2010-07-13 01:01 -------- d-----w- c:\documents and settings\jim\Application Data\Acapela Group
    2010-07-13 01:01 . 2010-07-13 01:01 -------- d-----w- c:\documents and settings\jim\Local Settings\Application Data\Xtranormal
    2010-07-13 00:57 . 2010-07-13 00:57 -------- d-----w- c:\program files\Xtranormal
    2010-07-13 00:56 . 2010-07-13 01:01 -------- d-----w- c:\documents and settings\jim\Application Data\Xtranormal

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-07 04:11 . 2007-05-23 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
    2010-08-07 04:09 . 2007-04-14 04:31 -------- d-----w- c:\documents and settings\jim\Application Data\Skype
    2010-08-07 04:06 . 2006-10-30 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-08-06 18:36 . 2007-06-02 02:05 -------- d-----w- c:\program files\Common Files\AOL
    2010-08-05 16:25 . 2008-02-11 16:53 -------- d-----w- c:\documents and settings\jim\Application Data\gtk-2.0
    2010-08-02 20:23 . 2006-10-30 18:51 -------- d-----w- c:\program files\Lavasoft
    2010-07-26 03:58 . 2006-10-30 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-06-22 18:10 . 2010-06-22 18:10 -------- d-----w- c:\program files\NaturalSoft
    2010-06-14 11:12 . 2010-06-14 11:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2010-06-10 11:36 . 2007-05-02 14:04 7100 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-06-10 11:36 . 2006-10-30 23:04 104 --sh--r- c:\windows\system32\3FB759C97D.sys
    2010-06-09 17:35 . 2006-10-30 21:31 -------- d--h--r- c:\documents and settings\jim\Application Data\yahoo!
    2010-08-06 00:28 . 2006-12-09 17:50 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2007-06-25 01:36 . 2007-05-02 14:04 88 --sh--r- c:\windows\system32\7DC959B73F.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 3587120]
    "VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-04-28 2633976]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-07 26211624]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
    "ShowLOMControl"="1 (0x1)" [X]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 393216]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-06 30192]
    "Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
    "XDc"="c:\program files\Xtreme Desktop\xdc\startxdc.exe" [2006-10-03 1383478]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
    "4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-05 149280]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-01 198160]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
    "dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

    c:\documents and settings\jim\Start Menu\Programs\Startup\
    Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-5-14 390432]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-22 24576]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-11-2 278528]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
    "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
    "c:\\Program Files\\BitLord\\BitLord.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [31/10/2006 11:02 33824]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16/10/2009 20:26 108289]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [17/04/2007 21:09 11032]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/03/2008 20:32 24652]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/01/2010 17:36 135664]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [05/11/2006 13:26 16512]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [30/10/2006 19:42 30192]
    S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [01/12/2009 00:14 18432]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2010-08-07 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-24 17:23]

    2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:36]

    2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:36]

    2010-08-07 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.forumswatcher.com/search.htm
    mStart Page = hxxp://www.yahoo.com
    uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.forumswatcher.com/search.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    DPF: {DCDC28C5-831C-43EA-9C02-78872CCCA409} - hxxp://automobiles.honda.com/images/vividas/player/vivid_ocx.jpeg
    FF - ProfilePath - c:\documents and settings\jim\Application Data\Mozilla\Firefox\Profiles\l3ewarz3.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Picasa2\npPicasa2.dll
    FF - plugin: c:\program files\Picasa2\npPicasa3.dll
    FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-nDVDControl - c:\program files\DNsoft.be\nDVD\nDVDControl.exe
    HKCU-Run-CD-Rom Control - c:\program files\movitheatre\config\DVDDevice.exe
    AddRemove-QQ Games - c:\program files\Tencent\QQ Games\Uninstall.EXE
    AddRemove-QQ Pool - c:\program files\Tencent\QQ Games\QQ Pool\Uninstall.EXE
    AddRemove-QQ Treasure Hunter - c:\program files\Tencent\QQ Games\QQ Treasure Hunter\Uninstall.EXE
    AddRemove-{C8C8387B-A98B-44E8-807A-1A9B7F51FFDA} - c:\documents and settings\jim\Local Settings\Application Data\{C712AF59-975F-4D33-BD94-F38108590815}\setup_blazemp.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-07 05:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(824)
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(612)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\wltrysvc.exe
    c:\windows\System32\bcmwltry.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Kontiki\KService.exe
    c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\fxssvc.exe
    c:\windows\stsystra.exe
    c:\windows\system32\WLTRAY.exe
    c:\program files\Lexmark X5100 Series\lxbabmon.exe
    c:\program files\Xtreme Desktop\xdc\xdc.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
     
  15. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    **************************************************************************
    .
    Completion time: 2010-08-07 05:20:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-07 04:20

    Pre-Run: 2,684,039,168 bytes free
    Post-Run: 2,570,305,536 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 3334647CB66E138D6CA970A3A73BCCA8
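The ComboFix log above is read by hand in this thread. As an added example (not part of the thread or of ComboFix), here is a small Python triage script that parses the same layout: the bootkit line, the "Reg Loading Points" autoruns per hive, and the "ORPHANS REMOVED" list. It flags entries that ComboFix printed with [X] (no date/size), bare image names, and images under user-writable profile directories; the embedded sample log is constructed in the thread's format, and its "Updater" entry pointing at inst.exe is invented to exercise that last check.

```python
"""Triage helper for ComboFix logs laid out like the one in this thread.
Added example, not part of the thread or of ComboFix; it extracts the bootkit
line, the 'Reg Loading Points' autoruns and the 'ORPHANS REMOVED' list."""
import re

HIVE_RE = re.compile(r'^\[(?P<hive>HK[^\]]+)\]$')
# "Name"="image" [yyyy-mm-dd size]   or   "Name"="image" [X]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s+\[(?P<meta>[^\]]*)\]$')
BOOTKIT_RE = re.compile(r'^\\\\\.\\(?P<device>\S+) - Bootkit (?P<family>\S+) was found')
ORPHAN_RE = re.compile(r'^(?P<kind>.+?) - (?P<target>.+)$')
# Profile directories a logon autorun rarely needs; the thread's inst.exe lived there.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
SECTION_PREFIXES = ("(((", "---", "- - -", "***")  # banner lines that open/close sections


def triage_autorun(entry):
    """Reasons an autorun entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    image = entry["image"].lower()
    if entry["meta"] == "X":
        reasons.append("no date/size recorded, ComboFix printed [X]: image missing or unverifiable")
    if image.endswith(".exe") and "\\" not in image:
        reasons.append("bare file name, located through the search path at logon")
    if any(marker in image for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable profile directory")
    return reasons


def parse_combofix_log(text):
    """Return {'bootkit', 'autoruns', 'orphans'} parsed from a ComboFix-style log."""
    result = {"bootkit": None, "autoruns": [], "orphans": []}
    section, hive = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith(SECTION_PREFIXES):
            if "Reg Loading Points" in line:
                section = "reg"
            elif "ORPHANS REMOVED" in line:
                section = "orphans"
            else:
                section = None  # any other banner ends the current section
            hive = None
            continue
        if (m := BOOTKIT_RE.match(line)):
            result["bootkit"] = {"device": m.group("device"), "family": m.group("family")}
        elif section == "reg" and (m := HIVE_RE.match(line)):
            hive = m.group("hive")
        elif section == "reg" and (m := ENTRY_RE.match(line)):
            entry = {"hive": hive, **m.groupdict()}
            entry["reasons"] = triage_autorun(entry)
            result["autoruns"].append(entry)
        elif section == "orphans" and (m := ORPHAN_RE.match(line)):
            result["orphans"].append(m.groupdict())
    return result


# Constructed sample in the thread's log layout; the "Updater" entry is invented.
SAMPLE_LOG = r"""ComboFix 10-08-06.01 - jim 07/08/2010 4:52.1.1 - x86
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"Updater"="c:\documents and settings\jim\Application Data\inst.exe" [2010-08-01 51200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 393216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-nDVDControl - c:\program files\DNsoft.be\nDVD\nDVDControl.exe
"""

if __name__ == "__main__":
    for e in parse_combofix_log(SAMPLE_LOG)["autoruns"]:
        if e["reasons"]:
            print(f'{e["hive"]}\\{e["name"]} -> {e["image"]}: {"; ".join(e["reasons"])}')
```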
     
  16. crunchie

    crunchie Malware Helper Posts: 728

    Looks good, but I need you to check a file out for me.

    Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

    c:\windows\system32\7DC959B73F.sys
     
  17. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    will do...
     
  18. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    oops, have looked in the folder, have got view hidden files and folders set to on, but can't find that file.
     
  19. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    oh, turns out it doesn't matter. jotti's found it anyway, and found nothing on any of the scans. is that good or bad? found nothing was printed in green, so i'm guessing that's good.
     
  20. crunchie

    crunchie Malware Helper Posts: 728

    Should be ok then. Google reveals nothing about it. Usually a bad sign.
    You should be able to edit your posts too :).

    How is the pc now?
     
  21. crunchie

    crunchie Malware Helper Posts: 728

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    
    DDS::
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    ====================

    Please download JavaRa

    If you get this message:
    Problems with the download? Please use this direct link or try another mirror.

    Select the Direct link download unzip it to your Desktop.

    Double click JavaRa.exe then click Remove Older Versions.

    Follow any prompts; a log will pop up (JavaRa.log). Please post the contents of this log.

    Next, open JavaRa.exe again, and select Search For Updates.

    Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Look for JDK 6 Update 21 (JDK or JRE). On the right, select Download JRE.

    In Vista and Windows 7 run the tool as Administrator.
     
  22. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    sorry, what does that mean? i'm not following you.
    and editing my posts hasn't been a problem. i don't know why you'd mention that.

    but the computer seems fine now i think. fingers crossed. haven't noticed any popups or audio ads as of yet.
     
  23. crunchie

    crunchie Malware Helper Posts: 728

    I mean that rather than make several posts in a row, if you have forgotten to mention something, you can go back and edit your post.
    I still would like you to follow the last instructions please.
    After that, we can do a final clean up.
    Combofix makes changes to your system that we will need to reverse.
     
  24. JimKirk

    JimKirk TS Rookie Topic Starter Posts: 23

    ok, will do. but what i meant was, what was that about google not revealing anything about it? anything about what?
     
  25. crunchie

    crunchie Malware Helper Posts: 728

    Anything about that file I asked you to upload :).
     
Topic Status:
Not open for further replies.
