Tech Support Forum > Security Center > Virus/Trojan/Spyware Help
07-04-2009, 12:08 PM   #21
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Question b4 starting: no "security" in control panel (screenshot attached)

I unchecked "real time protection." But when I save, then go from start menu to control panel menu, no "security" icon is available.
Attached Files
File Type: doc Control Panel.doc (78.5 KB, 3 views)
binsill is offline  

07-04-2009, 12:30 PM   #22
Analyst, Security Team
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

Quote:
I unchecked "real time protection." But when I save, then go from start menu to control panel menu, no "security" icon is available.
You can find it below Real-time protection options. Just scroll down a bit.

WINDOWS DEFENDER
  • Click Start > Programs > Windows Defender or launch from the system tray icon.
  • Click on Tools & Settings > Options.
  • Under Real-time protection options, uncheck the "Real-time protection" check box.
  • Under administration options, uncheck "use Windows Defender"
  • Click Save.

Proceed with combofix.

mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P

Last edited by mas_pogi; 07-04-2009 at 12:38 PM.
mas_pogi is offline  
07-04-2009, 01:33 PM   #23
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

OK I think that part worked, now that I finally followed your instructions.


ComboFix 09-07-04.02 - B 07/04/2009 14:06.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.429 [GMT -5:00]
Running from: c:\users\B\Desktop\binsill.exe
SP: SpywareBot *disabled* (Updated) {3914BDEB-9CF2-421A-9495-FE4C87AEFBD1}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\PlayMe
c:\program files\PlayMe\Uninstall.exe
c:\users\B\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlayMe
c:\users\B\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlayMe\Uninstall.lnk
c:\windows\Installer\554293.msi
c:\windows\system32\drivers\MSIVXiqpyddinbehckvbpdiwolodvyqcfopur.sys
c:\windows\system32\MabryObj.dll
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXcueltmxnvfwkorpbhdipsueecclxviof.dll
c:\windows\system32\MSIVXdmngsmoqcriixtcgfjiudeehaojbbxsi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys
-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 19:14 . 2009-07-04 19:14 -------- d-----w- c:\users\B\AppData\Local\temp
2009-07-04 03:08 . 2009-07-04 03:10 -------- d-s---w- C:\Comb-Fix
2009-07-03 05:24 . 2009-07-03 05:24 -------- d-----w- c:\program files\Trend Micro
2009-07-03 03:57 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 03:57 . 2009-07-03 03:57 -------- d-----w- c:\progra~2\Malwarebytes
2009-07-03 03:57 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 03:57 . 2009-07-03 05:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 04:56 . 2009-07-01 04:56 -------- d-----w- c:\users\B\AppData\Roaming\Amazon
2009-07-01 04:50 . 2009-07-01 04:50 -------- d-----w- c:\program files\Amazon
2009-06-19 23:02 . 2009-06-19 23:02 11264 ----a-w- c:\windows\system32\PSS70687.DLL
2009-06-19 23:01 . 2006-10-27 00:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-06-19 22:56 . 2009-06-19 22:56 -------- d--h--r- C:\MSOCache
2009-06-19 22:50 . 2009-06-20 03:59 -------- d-----w- c:\users\B\AppData\Roaming\GetRightToGo
2009-06-19 20:07 . 2009-06-19 20:07 -------- d-----w- c:\users\B\AppData\Local\Yahoo
2009-06-19 20:01 . 2009-06-19 20:07 -------- d-----w- c:\progra~2\Yahoo!
2009-06-13 22:03 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-13 22:02 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-12 13:50 . 2009-04-21 11:55 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-06-11 17:25 . 2009-06-11 17:25 -------- d-----w- c:\program files\iPod
2009-06-11 17:25 . 2009-06-11 17:25 -------- d-----w- c:\program files\iTunes
2009-06-11 17:21 . 2009-06-11 17:22 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 18:05 . 2007-10-01 02:45 1356 ----a-w- c:\users\B\AppData\Local\d3d9caps.dat
2009-07-04 03:47 . 2009-01-17 05:25 -------- d-----w- c:\progra~2\Google Updater
2009-07-02 14:33 . 2009-03-26 03:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-02 14:33 . 2009-03-26 03:23 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-02 14:33 . 2007-06-09 05:00 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-30 04:11 . 2008-07-28 03:02 -------- d-----w- c:\program files\LimeWire
2009-06-30 04:10 . 2008-07-28 03:02 -------- d-----w- c:\users\B\AppData\Roaming\LimeWire
2009-06-20 08:05 . 2008-06-19 23:26 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-19 23:01 . 2007-02-12 18:22 -------- d-----w- c:\program files\Microsoft Works
2009-06-19 20:01 . 2008-08-24 00:48 -------- d-----w- c:\program files\Yahoo!
2009-06-18 01:04 . 2008-10-31 17:37 -------- d-----w- c:\program files\Google
2009-06-17 03:33 . 2008-09-17 14:44 -------- d-----w- c:\users\B\AppData\Roaming\RomLaw'sVer 5.6.12
2009-06-17 03:33 . 2009-01-15 16:26 -------- d-----w- c:\program files\Romlaw
2009-06-11 17:25 . 2008-07-18 02:42 -------- d-----w- c:\program files\Common Files\Apple
2009-05-28 14:08 . 2009-05-28 14:04 116842 ----a-w- c:\windows\hpqins00.dat
2009-05-13 17:31 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-08 16:40 . 2008-09-29 19:25 -------- d-----w- c:\progra~2\Examsoft
2009-05-08 16:37 . 2008-09-29 19:25 300688 ----a-w- c:\windows\jgzr.dat
2009-05-02 14:46 . 2009-03-26 03:23 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-24 16:05 . 2009-06-11 19:56 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-11 19:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-11 19:56 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-11 19:56 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-11 19:56 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-16 08:08 . 2009-04-16 08:08 11264 ----a-w- c:\windows\system32\PSS289F7.DLL
2001-11-09 00:52 . 2001-11-09 00:52 278528 ----a-w- c:\program files\cac106.exe
2007-02-13 01:47 . 2007-02-13 01:46 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\System32\msconfig.exe" [2008-01-19 227840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-02 1948440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{06AFD922-3708-4281-B57B-6F65268746CF}"= UDP:c:\program files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
"{CD0AF500-7FC0-4755-A253-70D6CF6ADD26}"= TCP:c:\program files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
"{AC661784-4519-47A3-8B2C-85F23354C83C}"= UDP:c:\program files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{BFF69AFC-9A94-417C-B26E-F9C13267A0FF}"= TCP:c:\program files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{A32B3336-8FDE-4EFA-B13E-C3753C526086}"= UDP:c:\program files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
"{003019C3-BCAB-4928-A4C1-D6B178D88834}"= TCP:c:\program files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
"{8D1AB679-D083-493D-B0D0-89E732C0642D}"= UDP:c:\program files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
"{E7DC3B64-BE10-4916-9165-798BE3B6A00A}"= TCP:c:\program files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
"TCP Query User{9176B106-6B5F-4118-B0D3-39844CDEBE49}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{DB9AA5A8-BFB4-44EB-AC06-F7E7F13E7421}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{4F635312-BAD6-4632-81E2-83E32FA76077}"= c:\program files\PharosSystems\Core\CTskMstr.exe:Pharos Com Task Master
"{0B150D88-102E-488A-9978-4D5997EEB51D}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{73B416A8-7647-419A-919E-FCA4C8477273}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{7366B77A-67E2-4B9A-BBF5-68DB6FD78018}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{C26C2CF6-0E6D-45B5-AD74-1CE469ECAD8A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{5E6B4141-1965-47DA-9373-6DB9E3571E5D}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{1EF14324-1371-4579-AAEF-3D2828B48FA5}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{742AFD39-3E08-4C29-97D2-9657569601A3}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{4D435DAB-FE10-4794-97AE-48CA60AE3C3D}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{F43180DF-55CE-4891-80FC-5E7D21389BCC}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{9E7C022C-F583-4F3C-BF1D-F447BE56305C}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{D9D2EFCD-880C-4394-B82E-7F97AB5F4003}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{219F695B-8FE6-4E1A-A502-D90F55B24A95}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{8DF8EBC4-1BB6-49EC-887E-C0CDB7862065}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{34B1B434-A2BE-40C0-BD4F-B05866C676B0}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{5E583F27-01D2-4722-954E-07CBF51FEE53}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{13D3DE7C-108D-4A8E-93BC-2AB6AE6FDCC7}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{EAFA5D4C-92D4-4690-BBD7-DF63ACEF113C}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{93D08465-C300-4951-A64D-4266BE609EFD}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{7EDBB158-9C3F-4C41-9429-12BFFB546E8B}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{37540069-6169-454F-BE94-C8FD8579AB8E}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{E3F78A6B-447E-4EEF-A158-98E8EE51EE5F}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"{DC0217A6-67FB-4141-AF14-365675020B66}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"{083B8A67-7DA4-47E9-A5BF-2DB4174A8B7D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B1E2CE2F-6945-4A40-821C-50653DD1D899}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{D3F460D6-D112-4645-A642-0A8005696F42}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{2C81D4A0-5A6B-4ABD-B7E4-C2578EBBD6BA}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{D356C944-1C95-477C-99C8-AE56F3CB1B82}c:\\users\\b\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= UDP:c:\users\b\appdata\roaming\macromedia\flash player\http://www.macromedia.com\bin\octosh...:octoshape.exe
"UDP Query User{91D3927B-1940-4495-813D-70D43BC46065}c:\\users\\b\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= TCP:c:\users\b\appdata\roaming\macromedia\flash player\http://www.macromedia.com\bin\octosh...:octoshape.exe
"{13ED8AE7-9B61-4CBC-A92D-FD8E0BD95917}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7FF410FF-718E-40FA-B144-14445614BE9F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{CD1AB6F4-E193-4FDA-A605-BAB0C9491D16}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{F2CD1450-F451-4FD6-B930-0BE800538613}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{E826034A-5756-4378-A210-DDF96589DFEA}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{662ED201-42D6-4177-8557-1A53EB6A502B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{42D7DAA5-8B37-4FDD-895F-86946B3DECFE}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{00F177C7-EFE4-49B6-AAA4-C78B876A063E}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{DFCC3C75-EFA1-404B-8A43-7C1FF34EF84D}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{CD566F1E-1CB0-46DD-87E6-0BED3B1BA5B8}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{FD9DE2F4-CD0D-492D-862B-4018BD101FA8}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{0C7F3576-AFD8-49FF-8BA9-87B778A3850F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{42B746B2-7CB4-4C05-AD14-D8D56E1BB7BF}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{97175E55-BF6D-4881-A183-612C2B0C7750}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{DDD7501F-CAD7-4008-AB73-3F72EC5E8096}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{ACBB1556-1356-43BE-9887-2A6FFBE1A59B}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{E9C258C4-D4AB-47EE-805D-F578CFD0584D}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{95B7B482-A920-463F-A1B9-A59E2CF402B9}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\program files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch

"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\program files\ExamSoft\SofTest.exe:*:Enabled:SofTest

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [3/25/2009 10:23 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [3/25/2009 10:23 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/25/2009 10:22 PM 298776]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = https://websec.it.siu.edu/util/googl...ltmplcache%3D2
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\B\AppData\Roaming\Mozilla\Firefox\Profiles\qtybuz5s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://caloriecount.about.com/cc/account/index.php
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\users\B\AppData\Roaming\Mozilla\Firefox\Profiles\qtybuz5s.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 14:22
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc292BD.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-07-04 14:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 19:27

Pre-Run: 22,402,809,856 bytes free
Post-Run: 23,821,402,112 bytes free

249 --- E O F --- 2009-07-02 22:54
Attached Files
File Type: txt ComboFix.txt (19.7 KB, 1 views)
binsill is offline  
07-04-2009, 06:35 PM   #24
Analyst, Security Team
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

Yes. We finally ran it.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Log in normal mode

--------------------------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
------------------------------------------------------

  • Download ResetTeaTimer and save it to your Desktop.
  • Double-click ResetTeaTimer.zip
  • Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.
  • A DOS window will open and close again; this is normal.
--------------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

AVG 8.5
Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
  • Click on Open AVG Interface.
  • Double click on Resident Shield
  • Deselect the option to "Enable Resident Shield."
  • Save changes, and exit the application.
  • To re-enable AVG 8.5 later, please select "Enable Resident Shield" again.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/391364-ie-google-search-redirect-firefox-vimax-ads-these-were-stopped-adblock.html#post2222750

COLLECT::
c:\windows\TEMP\mc292BD.tmp

DRIVER::
mchInjDrv

REGLOCK::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.


---------------------------------------------------------------------

Please uninstall these programs through Programs and Features.
Click on an Orb located at left bottom of your screen > Control Panel > Programs

P2P program (Perils of P2P File Sharing):

LimeWire 5.1.4


Outdated Java runtimes (older versions have vulnerabilities that malicious sites can use to exploit and infect your system):

Java(TM) SE Runtime Environment 6

After you uninstall your outdated Java, please download the Java(TM) 6 Update 14 here. Install it.

-------------------------------------------------------------------------

Kaspersky scan

*Close any open programs
*Turn off the real-time scanner of any existing antivirus program while performing the online scan. You can find instructions HERE.


Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



In your reply, please post

C:\combofix.txt
Kaspersky scan result


Mark

Last edited by mas_pogi; 07-04-2009 at 06:40 PM.
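The log in post #23 and the CFScript in this reply both hinge on a handful of log lines: a service (mchInjDrv) whose ImagePath points into c:\windows\TEMP, the one hidden file the catchme scan reported, and the registry values showing Security Center monitoring disabled and the public firewall profile switched off. The Python script below is an added example, not code from this thread or from ComboFix; it parses a ComboFix-style log and lists those indicators so an analyst can find them without reading the whole file. The embedded log excerpt is constructed from lines of the posted log, and the section-banner and registry-value formats it assumes are the ones visible in that log.

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix's own code).

Splits the log at the '((( Title )))' banners ComboFix emits and pulls out what an
analyst reads first: deleted paths, removed services, services whose binary lives
under a TEMP directory, the catchme hidden-file count, and registry values that
disable Security Center monitoring or the Windows Firewall.
"""
import re

# Excerpt constructed from the log posted in this thread; the real log is far
# longer, but these are the lines the analyst's CFScript acted on.
SAMPLE_LOG = r"""ComboFix 09-07-04.02 - B 07/04/2009 14:06.1 - NTFSx86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\PlayMe
c:\windows\system32\drivers\MSIVXiqpyddinbehckvbpdiwolodvyqcfopur.sys
c:\windows\system32\MabryObj.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_MSIVXserv.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

scan completed successfully
hidden files: 1

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc292BD.tmp"
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")       # ((( Section Title )))
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')      # "Name"=value
HIDDEN_RE = re.compile(r"^hidden files:\s*(\d+)$")    # catchme summary line


def split_sections(text):
    """Return {banner title: [lines]} for every banner in the log."""
    sections = {"_preamble": []}
    current = "_preamble"
    for line in text.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections


def _entries(lines):
    """Non-empty lines of a section, minus the '.' spacer lines ComboFix emits."""
    return [l.strip() for l in lines if l.strip() and l.strip() != "."]


def triage(text):
    """Pull the indicators worth a second look out of a ComboFix log."""
    sections = split_sections(text)
    findings = {
        "deleted": _entries(sections.get("Other Deletions", [])),
        "removed_services": [e.split("Service_", 1)[1]
                             for e in _entries(sections.get("Drivers/Services", []))
                             if "Service_" in e],
        "temp_drivers": [],         # (service name, ImagePath) with a TEMP binary
        "monitoring_disabled": [],  # Security Center keys with DisableMonitoring=1
        "firewall_off": [],         # firewall profiles with EnableFirewall=0
        "hidden_files": 0,          # count reported by the catchme scan
    }
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # registry key the following values belong to
            continue
        h = HIDDEN_RE.match(line)
        if h:
            findings["hidden_files"] = int(h.group(1))
            continue
        v = VALUE_RE.match(line)
        if not (v and key):
            continue
        name, value = v.group(1), v.group(2).strip().strip('"')
        lkey = key.lower()
        if name == "ImagePath" and "\\temp\\" in value.lower():
            findings["temp_drivers"].append((key.rsplit("\\", 1)[-1], value))
        elif (name == "DisableMonitoring" and "security center\\monitoring" in lkey
              and value.lower().startswith("dword:") and int(value[6:], 16) == 1):
            findings["monitoring_disabled"].append(key)
        elif name == "EnableFirewall" and "firewallpolicy" in lkey and value.startswith("0"):
            findings["firewall_off"].append(key)
    return findings


if __name__ == "__main__":
    for item, hits in triage(SAMPLE_LOG).items():
        print(f"{item}: {hits}")
```

Run against a full log saved from C:\ComboFix.txt, the same function flags the driver the CFScript collected, the hidden file, and the two security settings that had been turned off; each value it reports is copied from the log, so a reviewer can jump straight to the relevant line.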
mas_pogi is offline  
07-05-2009, 07:29 AM   #25
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

- In AVG 8.5's settings, I didn't have an "Enable Resident Shield" box to deselect, but I had a "Resident Shield Active" box, which I deselected.

- When CF finished running, I got the log, but no message box.

- Looked in C:\QooBox\Quarantine; couldn't find [4]-Submit_date@time.zip.

Everything else seemed to work OK
Attached Files
File Type: txt ComboFix.txt (19.7 KB, 2 views)
File Type: txt Kaspersky scan result.txt (1.2 KB, 2 views)
binsill is offline  
07-05-2009, 08:05 AM   #26
Analyst, Security Team
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

I think you are good to go. It seems the last service we took down is part of SUPERAntiSpyware, loaded in memory after all. Anyway, it will just be reloaded again.

Quote:
- Looked in C:\QooBox\Quarantine; couldn't find [4]-Submit_date@time.zip.
That's ok.

All files that Kaspersky found in Qoobox are safe. That's our tools' quarantine folder, which we will purge in the succeeding instructions.


Congratulations! You now appear clean!

We Need to Clean Up Our Mess
  1. Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click the Vista Orb located at the bottom left of your screen.
    • Now copy and paste this one in Start Search. Then HIT enter.

      Code:
      combofix /u


    Uninstalling ComboFix will do the following:
    1. Delete ComboFix and its components from your computer.
    2. Delete other tools commonly used during the malware removal process.
    3. Resets clock settings to standard format.
    4. Re-hides file extensions and hidden/system files.
    5. Clears System Restore cache and creates new restore point.

  2. Please also delete the DDS.scr located at your desktop.
-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  3. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Check here: Control Panel\System and Maintenance\Windows Update

  4. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  5. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Please respond to this thread one more time so we can mark this thread as resolved.

Maraming salamat.

Mark
mas_pogi is offline  
Old 07-05-2009, 08:36 AM   #27 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

I copied and pasted combofix /u into the Start Search box; when I clicked, I saw "Windows cannot find 'binsill.exe'. Make sure you typed the name correctly."

I see binsill.exe on the desktop, not sure what I did wrong.



Plus: can't yet open a Word document without it being 'read only.' Is this because of AVG being disabled?

Thanks
binsill is offline  
Old 07-05-2009, 09:28 AM   #28 (permalink)
Analyst, Security Team
 
mas_pogi's Avatar
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

Quote:
I copied and pasted combofix /u into the Start Search box; when I clicked, I saw "Windows cannot find 'binsill.exe'. Make sure you typed the name correctly."

I see binsill.exe on the desktop, not sure what I did wrong.
Try this one.

Code:
"c:\users\B\Desktop\binsill.exe" /u


Quote:
Plus: can't yet open a Word document without it being 'read only.' Is this because of AVG being disabled?
Does it occur with your other Word document files, or with that file alone? Let me know.

After you have uninstalled ComboFix, please enable Windows Defender and AVG.

Mark
mas_pogi is offline  
Old 07-05-2009, 10:43 AM   #29 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

First message I get on opening any Word doc: "Word cannot open the existing (Normal)". I assume that refers to the template.

Then I get: "xxxx.doc is locked for editing by 'another user'.

Do you want to:
--open read only copy
--create local copy, merge changes later
--receive notification when original copy is available"

When I try to open read only copy:

"experienced error trying to open. try these:

--check file permissions
--make sure is sufficient free memory
--open with Text Recovery Converter" with this text as well:

This error message can appear for several reasons.
The document may be corrupt or damaged. Use either the Recover Text converter or the Open and Repair feature. Both are available from the Open dialog. The Recover Text converter is in the Files of type: drop down and the Open and Repair feature is available from the Open button (select the down arrow and not the button itself).
Note: If you have opened a file attached to an e-mail, it is recommended to save the file to a local hard disk first before attempting to recover or repair the file.
File permissions may be set so you cannot access the file (read denied). It is even possible you do not have permissions to open anything within the drive or folder the file is saved to. In this case, contact the owner of the drive or folder and request permissions to access the file.
It is possible you have run out of system resources (disk space or RAM) or another program on your system has consumed all the available memory. It is even possible for a program to have a memory leak that is using up large quantities of memory. The best method to recover memory consumed by a memory leak is to restart the computer. It may be possible to shut down the offending program by using the Task Manager, but it is not recommended since it may further destabilize the system.
There may be a read lock on the file you are attempting to open. Another user may have the file open, or even another application that has a link to the file has placed an exclusive lock on the file and is not allowing Word to open the file. If a custom application has opened the file, it may have opened the file using an incorrect method.
The file you are attempting to open may require a file converter that is not installed on your computer. Most converters are already installed, but optional converters are available from the Add or Remove Programs utility (in Control Panel) for your version of Office (requires performing an advanced customization install and searching the feature tree for Office Shared Features \ Converters and Filters). Other converters are available from the Office Resource Kit. Search the www.microsoft.com Web site for "Office Converter Pack".

Then when I close, I get:

"The file Normal already exists. Do you want to replace?"

I click no, cancel instead of save, and try and close again, and get

"Changes have been made that affect the global template, Normal. Do you want to save?"

Under show help says: This message can appear if you made changes to items, such as macros, toolbars, or AutoText, that are stored in a global template that is attached to your document. The most commonly used global template is Normal.dot, which comes with Word.
If you save the changes, they will be available to all documents to which this global template is attached. If you don't save the changes, the changes are discarded from the template.
If you see this message often, you may want to turn off the Prompt to save Normal template option on the Save tab of the Options dialog box (Tools menu), or there may be a problem with Word. For more information, see the Microsoft Knowledge Base article 291352.

I click no and Word closes.
binsill is offline  
Old 07-05-2009, 10:40 PM   #30 (permalink)
Analyst, Security Team
 
mas_pogi's Avatar
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

Was the ComboFix uninstallation successful?


Your problem with the Word doc is really new to me. My experience is limited in that area. As far as your latest log is concerned, it was already clean.

Please proceed to the MS Office forum:

http://www.techsupportforum.com/micr...ffice-support/

Start a thread there and state your problem.

I hope it will be sorted out as soon as possible.

Mark
mas_pogi is offline  
Old 07-05-2009, 10:54 PM   #31 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

OK, will do. Hope the other forum's as helpful as this one. Thanks!

binsill is offline  
Copyright 2001 - 2009, Tech Support Forum