Solved Please help me get rid of Whistler Black Internet

[JimKirk]

I'm sick of the ubiquitous pop-up that ask me if I want to turn on Microsoft Phishing Filter. I'm sick of the constant clicking and exiting sounds. I'm sick of the pop-unders that keep bringing Yahoo Messenger up on screen before they open. Most of all I'm sick of the audio ads for Bonjela. Please somebody help me. I'm tearing out my hair.

 

[crunchie]

please read from the following link and post the requested logs;
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

 

[JimKirk]

Do I really have to do all that when I already know what infection I have?

 

[JimKirk]

Besides, aren't you just a newbie like me?

 

[Broni]

"crunchie" will be helping out, while Bobbye is gone for a while.
"crunchie" knows, what he's doing and everybody is required to post prescribed logs.

 

[JimKirk]

"crunchie" will be helping out, while Bobbye is gone for a while.
"crunchie" knows, what he's doing and everybody is required to post prescribed logs.

ok, fair enough. so i just follow from step 1 on?

 

[crunchie]

Yes please.

Thank you Broni.

 

[JimKirk]

ok. will do.

 

[Broni]

Thank you Broni.

I'm out of this thread.
Have fun guys

 

[JimKirk]

All the logs

 

[crunchie]

If you can, please do not attach your logs in zip format. I do not particularly enjoy downloading files from an infected computer .

Preferably do a copy/paste unless the log is too large.

==

Please download ComboFix by sUBs from HERE or HERE

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

 

[JimKirk]

If you can, please do not attach your logs in zip format. I do not particularly enjoy downloading files from an infected computer .

Preferably do a copy/paste unless the log is too large.

==

Please download ComboFix by sUBs from HERE or HERE

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

yeah, sorry about that. this bloody forum has a character limit. 20,000 characters per post. ridiculous. the logs were almost 50,000 in total.

 

[crunchie]

No worries. It is what it is .

 

[JimKirk]

combofix log

ComboFix 10-08-06.01 - jim 07/08/2010 4:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.618 [GMT 1:00]
Running from: c:\documents and settings\jim\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jim\Application Data\inst.exe
c:\windows\UA000106.DLL

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-06 20:47 . 2010-08-06 20:47 -------- d-----w- C:\VritualRoot
2010-08-06 20:47 . 2010-08-06 21:43 205809 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-08-06 20:38 . 2010-08-06 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-08-06 13:40 . 2010-08-06 13:40 -------- d-----w- c:\program files\ESET
2010-08-06 12:33 . 2010-08-06 12:33 -------- d-----w- c:\documents and settings\jim\Application Data\Malwarebytes
2010-08-06 12:32 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-06 12:32 . 2010-08-06 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-06 12:32 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-06 12:32 . 2010-08-06 12:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-06 01:05 . 2010-08-06 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-06 01:05 . 2010-08-06 01:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-28 13:16 . 2010-07-28 13:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2010-07-26 23:20 . 2010-07-26 23:20 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-26 22:41 . 2010-07-26 22:41 -------- d-----w- c:\documents and settings\jim\Local Settings\Application Data\Sunbelt Software
2010-07-26 22:37 . 2010-08-02 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-19 21:44 . 2010-07-19 21:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Yahoo
2010-07-19 21:43 . 2010-07-19 21:43 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-07-17 01:43 . 2010-07-17 01:44 -------- d-----w- c:\documents and settings\jim\Local Settings\Application Data\Deployment
2010-07-14 14:10 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 01:01 . 2010-07-13 01:01 -------- d-----w- c:\documents and settings\jim\Application Data\Acapela Group
2010-07-13 01:01 . 2010-07-13 01:01 -------- d-----w- c:\documents and settings\jim\Local Settings\Application Data\Xtranormal
2010-07-13 00:57 . 2010-07-13 00:57 -------- d-----w- c:\program files\Xtranormal
2010-07-13 00:56 . 2010-07-13 01:01 -------- d-----w- c:\documents and settings\jim\Application Data\Xtranormal

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 04:11 . 2007-05-23 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-08-07 04:09 . 2007-04-14 04:31 -------- d-----w- c:\documents and settings\jim\Application Data\Skype
2010-08-07 04:06 . 2006-10-30 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-08-06 18:36 . 2007-06-02 02:05 -------- d-----w- c:\program files\Common Files\AOL
2010-08-05 16:25 . 2008-02-11 16:53 -------- d-----w- c:\documents and settings\jim\Application Data\gtk-2.0
2010-08-02 20:23 . 2006-10-30 18:51 -------- d-----w- c:\program files\Lavasoft
2010-07-26 03:58 . 2006-10-30 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-06-22 18:10 . 2010-06-22 18:10 -------- d-----w- c:\program files\NaturalSoft
2010-06-14 11:12 . 2010-06-14 11:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-06-10 11:36 . 2007-05-02 14:04 7100 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-10 11:36 . 2006-10-30 23:04 104 --sh--r- c:\windows\system32\3FB759C97D.sys
2010-06-09 17:35 . 2006-10-30 21:31 -------- d--h--r- c:\documents and settings\jim\Application Data\yahoo!
2010-08-06 00:28 . 2006-12-09 17:50 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-06-25 01:36 . 2007-05-02 14:04 88 --sh--r- c:\windows\system32\7DC959B73F.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 3587120]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-04-28 2633976]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-07 26211624]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ShowLOMControl"="1 (0x1)" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 393216]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-06 30192]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
"XDc"="c:\program files\Xtreme Desktop\xdc\startxdc.exe" [2006-10-03 1383478]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-05 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-01 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.ex e" [2010-01-27 256280]

c:\documents and settings\jim\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-5-14 390432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-22 24576]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-11-2 278528]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [31/10/2006 11:02 33824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16/10/2009 20:26 108289]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [17/04/2007 21:09 11032]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/03/2008 20:32 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/01/2010 17:36 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [05/11/2006 13:26 16512]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [30/10/2006 19:42 30192]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [01/12/2009 00:14 18432]
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-08-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-24 17:23]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:36]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:36]

2010-08-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.forumswatcher.com/search.htm
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=gen
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.forumswatcher.com/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {DCDC28C5-831C-43EA-9C02-78872CCCA409} - hxxp://automobiles.honda.com/images/vividas/player/vivid_ocx.jpeg
FF - ProfilePath - c:\documents and settings\jim\Application Data\Mozilla\Firefox\Profiles\l3ewarz3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_availa ble_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-nDVDControl - c:\program files\DNsoft.be\nDVD\nDVDControl.exe
HKCU-Run-CD-Rom Control - c:\program files\movitheatre\config\DVDDevice.exe
AddRemove-QQ Games - c:\program files\Tencent\QQ Games\Uninstall.EXE
AddRemove-QQ Pool - c:\program files\Tencent\QQ Games\QQ Pool\Uninstall.EXE
AddRemove-QQ Treasure Hunter - c:\program files\Tencent\QQ Games\QQ Treasure Hunter\Uninstall.EXE
AddRemove-{C8C8387B-A98B-44E8-807A-1A9B7F51FFDA} - c:\documents and settings\jim\Local Settings\Application Data\{C712AF59-975F-4D33-BD94-F38108590815}\setup_blazemp.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-07 05:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(612)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\fxssvc.exe
c:\windows\stsystra.exe
c:\windows\system32\WLTRAY.exe
c:\program files\Lexmark X5100 Series\lxbabmon.exe
c:\program files\Xtreme Desktop\xdc\xdc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

 

[JimKirk]

**************************************************************************
.
Completion time: 2010-08-07 05:20:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-07 04:20

Pre-Run: 2,684,039,168 bytes free
Post-Run: 2,570,305,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3334647CB66E138D6CA970A3A73BCCA8

 

[crunchie]

Looks good, but I need you to check a file out for me.

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

c:\windows\system32\7DC959B73F.sys

 

[JimKirk]

will do...

 

[JimKirk]

oops, have looked in the folder, have got view hidden files and folders set to on, but can't find that file.

 

[JimKirk]

oh, turns out it doesn't matter. jotti's found it anyway, and found nothing on any of the scans. is that good or bad? found nothing was printed in green, so i'm guessing that's good.

 

[crunchie]

Should be ok then. Google reveals nothing about it. Usually a bad sign.
You should be able to edit your posts too .

How is the pc now?

 

[crunchie]

1. Please open Notepad

• Click Start , then Run
• Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:

• Combofix.txt
  .

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

====================

Please download JavaRa

If you get this message:
Problems with the download? Please use this direct link or try another mirror.

Select the Direct link download unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.

Follow any prompts; a log will popup (JavaRa.log)-- please post the contents of this log.

Next, open JavaRa.exe again, and select Search For Updates.

Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Look for JDK 6 Update 21 (JDK or JRE). On the right select this one Download JRE..

In Vista and Windows 7 run the tool as Administrator.

 

[JimKirk]

Should be ok then. Google reveals nothing about it. Usually a bad sign.
You should be able to edit your posts too .

How is the pc now?

sorry, what does that mean? i'm not following you.
and editing my posts hasn't been a problem. i don't know why you'd mention that.

but the computer seems fine now i think. fingers crossed. haven't noticed any popups or audio ads as of yet.

 

[crunchie]

I mean that rather than make several posts in a row, if you have forgotten to mention something, you can go back and edit your post.
I still would like you to follow the last instructions please.
After that, we can do a final clean up.
Combofix makes changes to your system that we will need to reverse.

 

[JimKirk]

I mean that rather than make several posts in a row, if you have forgotten to mention something, you can go back and edit your post.
I still would like you to follow the last instructions please.
After that, we can do a final clean up.
Combofix makes changes to your system that we will need to reverse.

ok, will do. but what i meant was, what was that about google not revealing anything about it? anything about what?

 

[crunchie]

Anything about that file I asked you to upload .