
Can't search on yahoo or open google.com

This is a discussion on Can't search on yahoo or open google.com within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 11-23-2009, 02:10 PM   #1
Registered Member
 
Join Date: Jul 2004
Posts: 30
OS: XP



My computer automatically downloaded windows pc defender or something like that which seems to be a common malware on here. I scanned it with malwarebytes and spybot which wasn't able to get rid of it so I am now here for some more serious removal. I can't search in yahoo and can't open google.com. I also can't get a full scan from dds or an attach.txt file from dds so I only have the dds log below and gmer log attached.

Spybot found and couldn't remove:

-fraud.windowsprotectionsuite
-microsoft.windows.redirectedhosts


DDS (Ver_09-11-23.01) - NTFSx86
Run by *withheld* at 15:48:52.54 on Mon 11/23/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.143 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Windows PC Defender *On-access scanning enabled* (Updated) {E16B644B-E6C1-4F2F-9B47-72C3EDCEA8B5}
FW: Windows PC Defender *enabled* {470FFA16-7755-4080-B461-52193B6933C4}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Selen ***af.***AF-754C0599\Desktop\dds.scr
Attached Files
File Type: txt ark.txt (1.3 KB, 5 views)

__________________
drocket12 is offline  
Old 11-24-2009, 05:20 PM   #2
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,972
OS: XP Pro; XP Home; Win7 x86 & x64



Hello -

Please delete your existing copy of DDS, and download a fresh copy from one of the links below. Run it again, and post/attach the logs.


Download DDS and save it to your desktop from here, here or here.
Disable any script blocker, and then double click dds to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
-----------------------------------------------------

Please include the following logs in your thread:
  • Contents of the DDS.txt posted as text in your reply
  • Attach the Attach.txt to your post by clicking the Manage Attachments button under Additional Options>Attach Files on the composition page. Browse to where you saved the file, and click Upload.

Also...

Quote:
Run by *withheld*
Please do not edit your logs. Full file paths may be required for removals performed in the fixes. Thread can be edited later after things are clean.


Additionally, is this your machine? Do you intend to follow through to the end? I see a recent topic of yours was abandoned before the helper completed all the work.

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
Old 11-24-2009, 06:25 PM   #3
Registered Member
 
Join Date: Jul 2004
Posts: 30
OS: XP



Here is a dds log and I have attached "attach.txt"; ark.txt is attached above. I was trying to keep out names in the logs but I'll just leave them as is. I had a previous thread for a computer that lost any ability to connect to the internet and had to be replaced quickly for work, and I never did get back on to properly close the topic. This is my gf's computer, which I will follow through to fix. Thanks for your help.


DDS (Ver_09-11-24.02) - NTFSx86
Run by *edited* at 21:18:42.03 on Tue 11/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.190 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Windows PC Defender *On-access scanning enabled* (Updated) {E16B644B-E6C1-4F2F-9B47-72C3EDCEA8B5}
FW: Windows PC Defender *enabled* {470FFA16-7755-4080-B461-52193B6933C4}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Selen Schaaf.SCHAAF-754C0599\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {00000000-0000-0000-0000-000000000000} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\selens~1.sch\applic~1\mozilla\firefox\profiles\nzdxgkm3.default\
FF - plugin: c:\documents and settings\selen schaaf.schaaf-754c0599\application data\move networks\plugins\npqmp071503000010.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-6 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-6 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-6 297752]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\HPZs2k12.sys [2007-9-30 49944]

=============== Created Last 30 ================

2009-11-23 02:51:28 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-23 02:51:28 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-10-06 19:14:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-06 19:14:57 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-06 19:14:50 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-27 19:15:57 24216 ----a-w- c:\docume~1\selens~1.sch\applic~1\GDIPFONTCACHEV1.DAT
2009-09-19 18:39:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ------w- c:\windows\system32\corpol.dll
2008-11-26 0314 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112520081126\index.dat

============= FINISH: 21:19:59.54 ===============
Attached Files
File Type: txt Attach.txt (15.1 KB, 4 views)
__________________
drocket12 is offline  
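The DDS "Pseudo HJT Report" in the post above shows the three hijack patterns behind the symptoms: hosts entries pinning rogue-AV payment domains to a single non-loopback IP, IFEO Debugger redirects (brastk.exe to svchost.exe), and search hooks or toolbars with "No File" behind them. As an added example that is not part of this thread, of DDS or of ComboFix, here is a small Python triage script that picks those patterns out of such a report; the sample lines are constructed to mirror the log (the localhost line is added to show a benign entry that must not be flagged).

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the DDS "Pseudo HJT Report" posted above.
# It is not the thread's actual log; the AVG hook and the localhost mapping are
# included as entries a triage must leave alone.
SAMPLE_REPORT = """\
uStart Page = hxxp://m.www.yahoo.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\\program files\\avg\\avg8\\toolbar\\IEToolbar.dll
uURLSearchHooks: H - No File
TB: {00000000-0000-0000-0000-000000000000} - No File
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 127.0.0.1 localhost
"""


@dataclass
class Finding:
    kind: str    # "hosts", "hosts-cluster", "ifeo" or "orphan"
    line: str    # the offending report line (or the shared IP for a cluster)
    reason: str


HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
IFEO_RE = re.compile(r"^IFEO:\s+(.+?)\s+-\s+(\S+)$")
NOFILE_RE = re.compile(r"^(?:uURLSearchHooks|mURLSearchHooks|TB|BHO):.*-\s+No File$")


def triage(report: str) -> list[Finding]:
    """Return the suspicious entries found in a DDS Pseudo HJT Report."""
    findings: list[Finding] = []
    hosts_by_ip: dict[str, list[str]] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append(Finding("hosts", line, f"unparseable address {ip!r}"))
                continue
            if addr.is_loopback:
                continue  # 127.x mappings are the normal hosts-file content
            hosts_by_ip.setdefault(ip, []).append(host)
            findings.append(Finding("hosts", line, f"{host} pinned to {ip}"))
        elif m := IFEO_RE.match(line):
            # Any Debugger value under Image File Execution Options silently
            # launches another program in place of the named image.
            image, debugger = m.groups()
            findings.append(Finding("ifeo", line, f"Debugger for {image} points at {debugger}"))
        elif NOFILE_RE.match(line):
            findings.append(Finding("orphan", line, "hook or toolbar entry with no backing file"))
    # Several hosts pinned to one non-loopback IP (as in the log above) is a
    # stronger signal than any single entry, so report the cluster as well.
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) > 1:
            findings.append(Finding("hosts-cluster", ip,
                                    f"{len(hosts)} hosts share {ip}: {', '.join(hosts)}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. {'hosts': 2, 'ifeo': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```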
Old 11-24-2009, 07:01 PM   #4
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,972
OS: XP Pro; XP Home; Win7 x86 & x64



Thanks for understanding, and for the explanation of the previous thread. These things can happen, but it only takes a minute to post back from another machine and let the helper know.

As I can see the user account is a real name, I'll be happy to go back and edit it out once I know I won't need it for working the fixes.





Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------
  1. Download Combofix from any of the links below. You must rename it before saving it. Name it ComFx, and Save it to your desktop.

    Link 1
    Link 2

    --------------------------------------------------------------------
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  3. Double click on ComFx.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware. NOTE: If the Recovery Console does NOT install, click on No, do NOT continue, and let me know.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.


    ---------------------------------------------------------------------------------------------

tetonbob is offline  
Old 11-24-2009, 07:34 PM   #5
Registered Member
 
Join Date: Jul 2004
Posts: 30
OS: XP



Here is the combofix log.


ComboFix 09-11-24.02 - Selen Schaaf 11/24/2009 22:22.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.311 [GMT -5:00]
Running from: c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Desktop\comfx.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1754145387-440932837-58582808-1007
c:\windows\system32\drivers\1028_DELL_XPS_ME051 .MRK
c:\windows\system32\drivers\DELL_XPS_ME051 .MRK

.
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-23 02:51 . 2009-11-23 03:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-11-23 02:51 . 2009-11-23 02:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-23 02:00 . 2009-11-23 02:00 0 ----a-w- c:\windows\nsreg.dat
2009-11-23 02:00 . 2009-11-23 02:00 -------- d-----w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Local Settings\Application Data\Mozilla
2009-11-12 22:11 . 2009-11-17 00:57 -------- d-----w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 02:01 . 2009-09-12 18:37 -------- d-----w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Move Networks
2009-11-16 02:45 . 2009-10-06 16:21 -------- d-----w- c:\program files\AVG
2009-11-16 02:44 . 2009-10-06 16:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-10-07 23:32 . 2009-10-07 23:32 -------- d-----w- c:\program files\CCleaner
2009-10-06 19:16 . 2009-10-06 19:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
2009-10-06 19:14 . 2009-10-06 19:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-06 19:14 . 2009-10-06 19:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-06 19:14 . 2009-10-06 19:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-06 19:14 . 2009-10-06 19:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-06 18:46 . 2009-10-06 15:30 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Application Data\bf01af1
2009-10-06 16:15 . 2009-10-06 16:15 -------- d-----w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Malwarebytes
2009-10-06 16:15 . 2009-10-06 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-10-06 16:06 . 2009-10-06 16:06 -------- d-----w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\AVG8
2009-09-19 18:39 . 2009-09-19 18:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-19 18:39 . 2009-09-19 18:39 152576 ----a-w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-09-12 18:37 . 2009-09-12 18:37 127872 ----a-w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Move Networks\uninstall.exe
2009-09-12 18:37 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-10-06 16:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-10-06 16:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 15:58 . 2009-10-06 19:16 1107200 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-08-29 07:36 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]

c:\documents and settings\Tulay Schaaf.SCHAAF-754C0599\Start Menu\Programs\Startup\Tulay's Documents\Tulay's Music
Get More with Jukebox Plus.mp3 [2005-9-8 403456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-06 19:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^myPrintMileage.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\myPrintMileage.lnk
backup=c:\windows\pss\myPrintMileage.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/6/2009 2:14 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/6/2009 2:14 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/6/2009 2:13 PM 297752]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\HPZs2k12.sys [9/30/2007 12:22 PM 49944]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Mozilla\Firefox\Profiles\nzdxgkm3.default\
FF - plugin: c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Move Networks\plugins\npqmp071503000010.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{e47d6d44-6479-461d-bfa3-dbd0dc5a9011} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 22:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-11-24 22:30
ComboFix-quarantined-files.txt 2009-11-25 03:29

Pre-Run: 23,342,632,960 bytes free
Post-Run: 23,476,629,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 3480ADC73EB8A3DDF9C7540F83836D18
__________________
drocket12 is offline  
Old 11-24-2009, 07:40 PM   #6
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,972
OS: XP Pro; XP Home; Win7 x86 & x64



Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/434671-cant-search-yahoo-open-google-com.html#post2460199

    Reboot::
    Suspect::[28]
    C:\qoobox\quarantine\c\windows\system32\drivers\1028_DELL_XPS_ME051 .MRK.vir
    C:\qoobox\quarantine\c\windows\system32\drivers\DELL_XPS_ME051 .MRK.vir


    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

    Please let me know if the file was successfully submitted . Thanks.

    ------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

notepad C:\windows\system32\drivers\etc\hosts

A Notepad file will open. Post the contents of Log.txt in your next reply.

tetonbob is offline  
Old 11-24-2009, 08:06 PM   #7
Registered Member
 
Join Date: Jul 2004
Posts: 30
OS: XP



Combofix log below and run command host results at end. I can't verify that any file was submitted to combofix since I didn't see any message box when the log opened. I am also turning in for the night and will pick this up in the morning.

ComboFix 09-11-24.02 - Selen Schaaf 11/24/2009 22:47.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.254 [GMT -5:00]
Running from: c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Desktop\comfx.exe
Command switches used :: c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-23 02:51 . 2009-11-23 03:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-11-23 02:51 . 2009-11-23 02:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-23 02:00 . 2009-11-23 02:00 0 ----a-w- c:\windows\nsreg.dat
2009-11-23 02:00 . 2009-11-23 02:00 -------- d-----w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Local Settings\Application Data\Mozilla
2009-11-12 22:11 . 2009-11-17 00:57 -------- d-----w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 02:01 . 2009-09-12 18:37 -------- d-----w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Move Networks
2009-11-16 02:45 . 2009-10-06 16:21 -------- d-----w- c:\program files\AVG
2009-11-16 02:44 . 2009-10-06 16:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-10-07 23:32 . 2009-10-07 23:32 -------- d-----w- c:\program files\CCleaner
2009-10-06 19:16 . 2009-10-06 19:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
2009-10-06 19:14 . 2009-10-06 19:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-06 19:14 . 2009-10-06 19:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-06 19:14 . 2009-10-06 19:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-06 19:14 . 2009-10-06 19:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-06 18:46 . 2009-10-06 15:30 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Application Data\bf01af1
2009-10-06 16:15 . 2009-10-06 16:15 -------- d-----w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Malwarebytes
2009-10-06 16:15 . 2009-10-06 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 16:14 . 2009-10-06 16:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-10-06 16:06 . 2009-10-06 16:06 -------- d-----w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\AVG8
2009-09-19 18:39 . 2009-09-19 18:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-19 18:39 . 2009-09-19 18:39 152576 ----a-w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-09-12 18:37 . 2009-09-12 18:37 127872 ----a-w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Move Networks\uninstall.exe
2009-09-12 18:37 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-10-06 16:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-10-06 16:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 15:58 . 2009-10-06 19:16 1107200 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-08-29 07:36 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-25_03.27.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-25 03:53 . 2009-11-25 03:53 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]

c:\documents and settings\Tulay Schaaf.SCHAAF-754C0599\Start Menu\Programs\Startup\Tulay's Documents\Tulay's Music
Get More with Jukebox Plus.mp3 [2005-9-8 403456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-06 19:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^myPrintMileage.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\myPrintMileage.lnk
backup=c:\windows\pss\myPrintMileage.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/6/2009 2:14 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/6/2009 2:14 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/6/2009 2:13 PM 297752]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\HPZs2k12.sys [9/30/2007 12:22 PM 49944]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Mozilla\Firefox\Profiles\nzdxgkm3.default\
FF - plugin: c:\documents and settings\Selen Schaaf.SCHAAF-754C0599\Application Data\Move Networks\plugins\npqmp071503000010.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 22:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(472)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-24 22:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-25 03:59
ComboFix2.txt 2009-11-25 03:30

Pre-Run: 23,484,870,656 bytes free
Post-Run: 23,457,386,496 bytes free

- - End Of File - - 59F06B13F5BAD8E8BD1052812F828A4A


After the run command this is what it came up with:

127.0.0.1 localhost
Old 11-24-2009, 08:11 PM   #8
tetonbob (Management Team, Security Center & TSF Academy; Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Microsoft Most Valuable Professional)
Join Date: Jan 2005 | Location: Transylvania County, North Carolina, USA | Posts: 49,972 | OS: XP Pro; XP Home; Win7 x86 & x64

I should think the problems with google and yahoo are gone. Let me know.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006
Old 11-25-2009, 08:05 AM   #9
drocket12 (Registered Member)
Join Date: Jul 2004 | Posts: 30 | OS: XP

I can search on yahoo and open google, thanks. Here is the log:

2009-11-25 03:47:06 . 2009-11-25 03:47:10 702 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2009-11-25 03:25:40 . 2009-11-25 03:50:44 6,656 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-11-25 03:19:14 . 2009-11-25 03:45:41 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
2007-10-02 14:22:24 . 2007-10-02 14:22:24 5 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\1028_DELL_XPS_ME051 .MRK.vir
2007-10-02 14:22:24 . 2007-10-02 14:22:24 5 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\DELL_XPS_ME051 .MRK.vir
Old 11-25-2009, 08:12 AM   #10
tetonbob

Ok, great. I'm trying to get a look at a couple of files which might have been unnecessarily deleted. Let's try this way.

Open notepad and copy/paste the text in the codebox below into it:

Code:
@echo off
rem Needs a command-line "zip" tool on the PATH; Windows itself does not ship one.
rem The quarantined file names contain a space, so each path must be quoted.
for %%g in (
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\1028_DELL_XPS_ME051 .MRK.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\DELL_XPS_ME051 .MRK.vir"
) do zip Files_for_submission "%%~g"
rem The batch file removes itself once the archive has been written.
del %0
Save this as grab.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this:
Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop. Please upload that file here:

http://www.bleepingcomputer.com/subm...php?channel=28


In the "Link to topic where this file was requested:" area, copy and paste this:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/434671-cant-search-yahoo-open-google-com.html#post2460913


Once it shows:
Quote:
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
Close the site and let me know.
Old 11-25-2009, 08:23 AM   #11
drocket12

When I click on the .bat file a black cmd box flashes and the .bat file disappears with no zip file.
Old 11-25-2009, 08:30 AM   #12
tetonbob

Grrr

Try manually uploading the files here

http://www.bleepingcomputer.com/subm...php?channel=28

Use the browse button, and navigate to the files.

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\1028_DELL_XPS_ME051 .MRK.vir

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\DELL_XPS_ME051 .MRK.vir
Old 11-25-2009, 08:37 AM   #13
drocket12

I zipped both and submitted it.
Old 11-25-2009, 08:45 AM   #14
tetonbob

Thanks, that worked. While I take a look at those files....

Please perform this online scan to help look for remnants. This scan can take a while, but it's very thorough.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------
Old 11-25-2009, 11:45 AM   #15
drocket12

Scan was clean so I just copied the report in the post.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, November 25, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, November 25, 2009 15:23:58
Records in database: 3289631
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 62126
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:54:36

No threats found. Scanned area is clean.

Selected area has been scanned.
Old 11-25-2009, 05:10 PM   #16
tetonbob

Hi -

The files I was looking at seem to be meaningless dross, not real PE files, and should not be a cause for concern for them to remain deleted. Is any application calling out for a missing file?
Old 11-27-2009, 05:44 AM   #17
drocket12

So far nothing is showing any errors; they seemed to be old as well, hopefully just leftovers from something else.
Old 11-27-2009, 08:31 AM   #18
tetonbob

Ok, great.

We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

ComboFix /Uninstall
This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that behave like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOSTS FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back against the malware writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
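The "127.0.0.1 localhost" output drocket12 posted after the run command and the MVPS HOSTS item in the post above both come down to the same question: where does a HOSTS entry point? An entry aimed at loopback or the null address blocks a name (what MVPS does on purpose), while one aimed at any other address redirects it (what the "redirectedhosts" infection did to the search engines). This added example, not from the forum, ComboFix or MVPS, parses a HOSTS file and separates the two; the sample file text and the 203.0.113.45 address are constructed.

```python
"""Flag HOSTS entries that redirect a name instead of blocking it.

Added example for this thread (not from ComboFix, MVPS or the forum). The
check keys on the target address: loopback / null route = blocking entry,
anything else = redirect. Sample text is constructed; 203.0.113.0/24 is a
documentation range, not a real server.
"""
import ipaddress

# What a stock Windows XP HOSTS file resolves to once comments are stripped.
CLEAN_HOSTS = "127.0.0.1 localhost\n"

# Constructed sample mixing MVPS-style block entries with a hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# MVPS-style blocking entries: harmless, they point at loopback / null
127.0.0.1       ads.example-adserver.test
0.0.0.0         tracker.example.test
# Hijack: search engines sent to a remote host
203.0.113.45    www.google.com google.com
203.0.113.45    search.yahoo.com   # trailing comment
"""

# Targets that block a name rather than redirect it.
BLOCK_TARGETS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address-to-name mapping
        for name in fields[1:]:
            yield ip, name.lower()


def classify_hosts(text):
    """Sort entries into loopback, blocked (MVPS-style) and redirected (suspect)."""
    report = {"loopback": [], "blocked": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            report["loopback"].append(str(ip))
        elif ip in BLOCK_TARGETS:
            report["blocked"].append(name)
        else:
            report["redirected"].append((name, str(ip)))
    return report


def is_clean(text):
    """True when nothing but localhost is mapped, as on a stock XP machine."""
    report = classify_hosts(text)
    return not report["blocked"] and not report["redirected"]
```

On the real machine, read C:\WINDOWS\system32\drivers\etc\hosts and pass its text to classify_hosts; any name in the "redirected" list deserves a look.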
Old 11-27-2009, 05:55 PM   #19
drocket12

All is clear, just one question: if I go to my C: drive I see a "comfx" file, and when I click on it, it goes to My Computer but labeled at the top "comfx". Is this a ComboFix security/safety setting? Can it be deleted? Thanks for all your help.
Old 11-27-2009, 06:06 PM   #20
tetonbob

If it's still present after performing the ComboFix /Uninstall command, just right click on it and delete it.
Copyright 2001 - 2014, Tech Support Forum