unwanted antivirus soft virus

[tlgreenis]

I CANNOT PERFORM THE FIRST STEPS. I am told everything is infected do I want to activate Antivirus Soft. This is the second request for help

After booting computer a message came up asking if I wanted to activate Antivirus Soft. I answered no. I was then notified that my virus protection was out of date did I want to activate Antivirus Soft. Microsoft firewall then advised that my virus protection was out of date. According to the system tray my installed virus protection is working properly.

This Antivirus soft will not let me access any functions on the computer. I can access the internet. I cannot install or run any other software. I cannot perform any of the first steps listed above as requested.

It activates IE and brings up porn sites. I also receive messages about threats from various IP's and ports:

Threat Win32/nugel.E IP:203.71.129.109 Port 32897 Attacked port 60242

There are many of these reports, they occur even if I physically disconnect the cable from the modem.

[tetonbob]

More details about the machine are required. What Operating System?

If you have an active internet connection, copy/paste the links below into your browser, don't click them or the rogue might redirect. If you don't have an active internet connection, download the tools from another machine, and transfer them to the affected machine via USB flash drive.


Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.


http://download.bleepingcomputer.com/grinler/rkill.exe
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.pif


Note:

You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run rkill repeatedly until it's able to do it's job. This may take a few tries. You'll be able to tell rkill has done it's job when your desktop (explorer.exe) cycles off and then on again.

At this point, you should now be able to run analysis tools.

Once the tool has run, do NOT reboot the machine, and then try once again to run DDS and GMER.

If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.

[tlgreenis]

After running rkill. I was able to run DDS, see result. When running GMER, it would get about 75% complete then computer would go to blue screen and restart. I could only get GMER to complete a scan without running rkill, result attached.

DDS Results:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Master at 19:32:49.77 on Sun 02/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.147 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://start.iplay.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [<NO NAME>]
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [CHotkey] mHotkey.exe
mRun: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [IW Controlcenter] c:\progra~1\vob\instan~1\IWCTRL.EXE
mRun: [GWMDMMSG] GWMDMMSG.exe
mRun: [GWMDMpi] c:\windows\GWMDMpi.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [WD Anywhere Backup] c:\program files\wd\wd anywhere backup\MemeoLauncher2.exe --silent
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [advbmhpg] c:\documents and settings\dianne\local settings\application data\ihwefx\rdgtsftav.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230295273526
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\master\applic~1\mozilla\firefox\profiles\m9rp6xys.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - www.comcast.net
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npMyGames.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R? FlyUsb;FLY Fusion
S? cdrdrv;cdrdrv
S? fasttrak;fasttrak
S? McProxy;McAfee Proxy Service
S? McShield;McAfee Real-time Scanner
S? McSysmon;McAfee SystemGuards
S? MemeoBackgroundService;MemeoBackgroundService
S? mfeavfk;McAfee Inc. mfeavfk
S? mfebopk;McAfee Inc. mfebopk
S? mfehidk;McAfee Inc. mfehidk
S? mferkdk;McAfee Inc. mferkdk
S? mfesmfk;McAfee Inc. mfesmfk
S? vobcom;vobcom
S? vobiw;vobiw

=============== Created Last 30 ================

2010-02-07 23:23:43 457 ----a-w- c:\program files\0207201018234331.bat
2010-01-31 21:23:49 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-31 21:23:49 1409 ----a-w- c:\windows\QTFont.for
2010-01-20 05:27:54 0 d-----w- c:\docume~1\master\applic~1\iMaxGen
2010-01-20 05:25:13 463 ----a-w- c:\program files\012020100251364.bat
2010-01-19 00:18:01 0 d-----w- c:\docume~1\alluse~1\applic~1\FarmFrenzy3_America
2010-01-14 03:42:42 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-13 22:57:16 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57:16 922112 ------w- c:\windows\system32\dllcache\imapi2fs.dll
2009-11-13 22:57:16 62592 ------w- c:\windows\system32\dllcache\cdrom.sys
2009-11-13 22:57:16 426496 ------w- c:\windows\system32\imapi2.dll
2009-11-13 22:57:16 426496 ------w- c:\windows\system32\dllcache\imapi2.dll

============= FINISH: 19:34:20.41 ===============

[tetonbob]

Good job! If need be, use rkill before running ComboFix as outlined below, but it might not be required.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

1. Download ComboFix from one of these locations:
   
   Link 1
   Link 2
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
   
   You can get help on disabling your protection programs here
   
   
   How to disable McAfee:
   
   • Please open McAfee Security Centre
   • Under Common Tasks click on Home
   • Click Computer Files
   • Click Configure
   • Make sure the following are disabled by ticking the "Off" button.

     Virus protection
     Spyware protection
     System Guards Protection
     Script Scanning Protection (you may have to scroll down to see it)

   • Next, select never for "When to re-enable real time scanning"
   • and click OK.
   Further info on disabling and re-enabling McAfee: http://help.aol.com/help/microsites/...ernalID=222820
   
   
   See this image to assist you:
   
   http://img.photobucket.com/albums/v6...ee_disable.gif
   
   
   
3. Double click on combofix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   
   The Recovery Console was successfully installed.
   
   
   
   Click on Yes, to continue scanning for malware.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
   
   ---------------------------------------------------------------------------------------------

[tlgreenis]

The combofix results are attached.

Question which virus protection is better:Mcafee or Norton?
Or is there a better alternative?

Don't panic. I'm not making any changes.


ComboFix 10-02-09.02 - Master 02/09/2010 17:53:33.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.215 [GMT -5:00]
Running from: c:\documents and settings\Master\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Master\Application Data\.#
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\regsvr32.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-09 to 2010-02-09 )))))))))))))))))))))))))))))))
.

2010-02-07 23:23 . 2010-02-07 23:23 457 ----a-w- c:\program files\0207201018234331.bat
2010-02-02 19:34 . 2010-02-09 22:20 -------- d-----w- c:\documents and settings\Dianne\Local Settings\Application Data\ihwefx
2010-01-20 05:27 . 2010-01-20 05:27 -------- d-----w- c:\documents and settings\Master\Application Data\iMaxGen
2010-01-20 05:25 . 2010-01-20 05:25 463 ----a-w- c:\program files\012020100251364.bat
2010-01-19 02:17 . 2010-01-19 02:17 -------- d-sh--w- c:\documents and settings\Travis\PrivacIE
2010-01-19 02:16 . 2010-01-19 02:16 -------- d-sh--w- c:\documents and settings\Travis\IETldCache
2010-01-19 00:18 . 2010-01-19 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy3_America
2010-01-14 03:42 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 23:23 . 2009-06-28 03:34 -------- d-----w- c:\program files\I-play Games
2010-02-07 23:22 . 2009-01-15 01:36 -------- d-----w- c:\program files\GamesBar
2010-01-31 09:55 . 2009-01-02 05:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-25 22:39 . 2009-05-18 03:46 -------- d-----w- c:\documents and settings\Master\Application Data\Oberonv1002
2010-01-20 15:26 . 2009-01-02 05:41 -------- d-----w- c:\program files\Oberon Media
2010-01-19 02:17 . 2009-02-11 01:15 132784 ----a-w- c:\documents and settings\Travis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-10 04:35 . 2009-01-09 16:56 -------- d-----w- c:\documents and settings\Master\Application Data\PlayFirst
2010-01-10 04:35 . 2009-01-09 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-12-21 19:14 . 2008-12-26 12:12 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 21:52 . 2009-01-09 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-12-18 19:48 . 2009-12-18 19:48 -------- d-----w- c:\documents and settings\Master\Application Data\Big Fish Games
2009-12-18 04:09 . 2009-12-18 04:09 -------- d-----w- c:\documents and settings\Master\Application Data\Cat's Eye Games
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 04:27 . 2009-01-11 03:41 -------- d-----w- c:\documents and settings\Master\Application Data\EleFun Games
2009-12-13 04:19 . 2009-01-02 05:41 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-11-21 16:36 . 2008-12-26 12:08 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- c:\windows\system32\imapi2.dll
2009-11-13 22:57 . 2008-12-26 12:08 62592 ----a-w- c:\windows\system32\drivers\cdrom.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-07-14 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-14 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-14 28739]
"CHotkey"="mHotkey.exe" [2002-01-17 479744]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"IW Controlcenter"="c:\progra~1\VOB\INSTAN~1\IWCTRL.EXE" [2002-03-02 732160]
"GWMDMMSG"="GWMDMMSG.exe" [2002-03-28 101611]
"GWMDMpi"="c:\windows\GWMDMpi.exe" [2002-03-28 40960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"WD Anywhere Backup"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2008-11-07 197856]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-05-07 380928]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\AGRemind.exe [2008-12-26 323584]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-7-13 24633]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2008-12-26 36864]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 fasttrak;fasttrak;c:\windows\SYSTEM32\drivers\Fasttrak.sys [5/23/2002 12:29 AM 73600]
R1 cdrdrv;cdrdrv;c:\windows\SYSTEM32\drivers\Cdrdrv.sys [6/20/2002 1:40 AM 57344]
R1 vobcom;vobcom;c:\windows\SYSTEM32\drivers\vobcom.sys [6/20/2002 1:40 AM 9728]
R1 vobiw;vobiw;c:\windows\SYSTEM32\drivers\vobIW.sys [6/20/2002 1:40 AM 174080]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [11/7/2008 2:20 PM 25824]
S3 FlyUsb;FLY Fusion;c:\windows\SYSTEM32\drivers\FlyUsb.sys [7/18/2009 8:00 PM 18560]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-26 16:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-26 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.iplay.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Master\Application Data\Mozilla\Firefox\Profiles\m9rp6xys.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - www.comcast.net
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMyGames.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKLM-Run-OemReset - c:\windows\OPTIONS\OEMRESET.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-09 18:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-09 18:13:00
ComboFix-quarantined-files.txt 2010-02-09 23:12

Pre-Run: 78,753,656,832 bytes free
Post-Run: 79,452,045,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 6258CD5DCCD2DC45495F05CD98F11734

[tetonbob]

Well, I don't care for either, it's sort of 6 of one, half dozen of the other for me with those two choices...but the best protection begins at the keyboard. For what it's worth, I use Eset's NOD32. The other paid AV I like is Kaspersky.

www.av-comparatives.org for comparisons.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   
   Code:

   http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/459741-unwanted-antivirus-soft-virus.html#post2587868
   Folder::
   c:\documents and settings\dianne\local settings\application data\ihwefx
   DirLook::
   c:\documents and settings\Master\Application Data\iMaxGen
   Collect::
   c:\documents and settings\dianne\local settings\application data\ihwefx\rdgtsftav.exe
   c:\program files\0207201018234331.bat
   c:\program files\012020100251364.bat
   Comment::
   End Copy Here

   
   
   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
3. ComboFix may request an update; please allow it.
   
4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
5. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   **Note**
   
   When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
   • Ensure you are connected to the internet and click OK on the message box.
   
   Please let me know if the file was successfully submitted . Thanks.
   
   ------------------------------------------------------
   
6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
   
   ---------------------------------------------------------------------------------------------
   
   Please go to Start > Run and copy/paste the following, then press Enter:
   
   C:\QooBox\Add-Remove Programs.txt
   
   A text file should open. Please post the contents of that file in your next reply.
   

So, two logs in next reply, C:\ComboFix.txt and the Add-Remove Programs.txt

[tlgreenis]

Thanks for the AV info. McAfee has removed several trojans: FakeAlert-Spypro.gen.a, and Artimis!. Is Artemis! what ever part of ComboFix? After VP removes Artemis ComboFix is gone from computer.

Any idea how/where this was picked up?

I am trying to educate my mother about these things. She can't believe what people are doing to others.

See attached logs. ComboFix said file was successfully submitted.


ComboFix 10-02-10.01 - Master 02/10/2010 16:19:46.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.269 [GMT -5:00]
Running from: c:\documents and settings\Master\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Master\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\program files\012020100251364.bat
file zipped: c:\program files\0207201018234331.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\dianne\local settings\application data\ihwefx
c:\program files\012020100251364.bat
c:\program files\0207201018234331.bat

.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.

2010-02-10 21:08 . 2010-02-10 21:08 -------- d-----w- c:\windows\LastGood
2010-01-20 05:27 . 2010-01-20 05:27 -------- d-----w- c:\documents and settings\Master\Application Data\iMaxGen
2010-01-19 02:17 . 2010-01-19 02:17 -------- d-sh--w- c:\documents and settings\Travis\PrivacIE
2010-01-19 02:16 . 2010-01-19 02:16 -------- d-sh--w- c:\documents and settings\Travis\IETldCache
2010-01-19 00:18 . 2010-01-19 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy3_America
2010-01-14 03:42 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 23:23 . 2009-06-28 03:34 -------- d-----w- c:\program files\I-play Games
2010-02-07 23:22 . 2009-01-15 01:36 -------- d-----w- c:\program files\GamesBar
2010-01-31 09:55 . 2009-01-02 05:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-25 22:39 . 2009-05-18 03:46 -------- d-----w- c:\documents and settings\Master\Application Data\Oberonv1002
2010-01-20 15:26 . 2009-01-02 05:41 -------- d-----w- c:\program files\Oberon Media
2010-01-19 02:17 . 2009-02-11 01:15 132784 ----a-w- c:\documents and settings\Travis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-10 04:35 . 2009-01-09 16:56 -------- d-----w- c:\documents and settings\Master\Application Data\PlayFirst
2010-01-10 04:35 . 2009-01-09 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-12-21 19:14 . 2008-12-26 12:12 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 21:52 . 2009-01-09 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-12-18 19:48 . 2009-12-18 19:48 -------- d-----w- c:\documents and settings\Master\Application Data\Big Fish Games
2009-12-18 04:09 . 2009-12-18 04:09 -------- d-----w- c:\documents and settings\Master\Application Data\Cat's Eye Games
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 04:27 . 2009-01-11 03:41 -------- d-----w- c:\documents and settings\Master\Application Data\EleFun Games
2009-12-13 04:19 . 2009-01-02 05:41 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-11-21 16:36 . 2008-12-26 12:08 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- c:\windows\system32\imapi2.dll
2009-11-13 22:57 . 2008-12-26 12:08 62592 ----a-w- c:\windows\system32\drivers\cdrom.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Master\Application Data\iMaxGen ----

2010-01-20 05:29 . 2009-12-14 10:14 4248 ----a-w- c:\documents and settings\Master\Application Data\iMaxGen\JaneAngel_TemplarMystery_iWin_Oberon_1_0_0\game.dat
2010-01-20 05:29 . 2009-12-14 10:14 104 ----a-w- c:\documents and settings\Master\Application Data\iMaxGen\JaneAngel_TemplarMystery_iWin_Oberon_1_0_0\developer.dat
2010-01-20 05:29 . 2010-01-20 06:24 361 ----a-w- c:\documents and settings\Master\Application Data\iMaxGen\JaneAngel_TemplarMystery_iWin_Oberon_1_0_0\default.pm
2010-01-20 05:29 . 2010-01-20 06:24 366 ----a-w- c:\documents and settings\Master\Application Data\iMaxGen\JaneAngel_TemplarMystery_iWin_Oberon_1_0_0\kathy.profile
2010-01-20 05:27 . 2009-12-14 10:14 126 ----a-w- c:\documents and settings\Master\Application Data\iMaxGen\JaneAngel_TemplarMystery_iWin_Oberon_1_0_0\config.dat


((((((((((((((((((((((((((((( SnapShot@2010-02-09_23.05.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-04-04 06:00 . 2010-02-10 21:06 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2002-04-04 06:00 . 2010-02-09 22:32 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-02-10 21:03 . 2010-02-10 21:06 16384 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-07-14 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-14 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-14 28739]
"CHotkey"="mHotkey.exe" [2002-01-17 479744]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"IW Controlcenter"="c:\progra~1\VOB\INSTAN~1\IWCTRL.EXE" [2002-03-02 732160]
"GWMDMMSG"="GWMDMMSG.exe" [2002-03-28 101611]
"GWMDMpi"="c:\windows\GWMDMpi.exe" [2002-03-28 40960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"WD Anywhere Backup"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2008-11-07 197856]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-05-07 380928]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\AGRemind.exe [2008-12-26 323584]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-7-13 24633]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2008-12-26 36864]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 fasttrak;fasttrak;c:\windows\SYSTEM32\drivers\Fasttrak.sys [5/23/2002 12:29 AM 73600]
R1 cdrdrv;cdrdrv;c:\windows\SYSTEM32\drivers\Cdrdrv.sys [6/20/2002 1:40 AM 57344]
R1 vobcom;vobcom;c:\windows\SYSTEM32\drivers\vobcom.sys [6/20/2002 1:40 AM 9728]
R1 vobiw;vobiw;c:\windows\SYSTEM32\drivers\vobIW.sys [6/20/2002 1:40 AM 174080]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [11/7/2008 2:20 PM 25824]
S3 FlyUsb;FLY Fusion;c:\windows\SYSTEM32\drivers\FlyUsb.sys [7/18/2009 8:00 PM 18560]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-26 16:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-26 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.iplay.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Master\Application Data\Mozilla\Firefox\Profiles\m9rp6xys.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - www.comcast.net
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMyGames.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 16:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-10 16:34:57
ComboFix-quarantined-files.txt 2010-02-10 21:34
ComboFix2.txt 2010-02-09 23:13

Pre-Run: 79,478,374,400 bytes free
Post-Run: 79,435,407,360 bytes free

- - End Of File - - 160221056B868027E06AEFE19B836BD2
Upload was successful

[tetonbob]

Quote:

McAfee has removed several trojans: FakeAlert-Spypro.gen.a,

What location, file name, file path?

Quote:

and Artimis!. Is Artemis! what ever part of ComboFix?

Artemis is McAfee generic detection. Unfortunately, McAfee and other AntiVirus see some of ComboFix's embedded tools as threats (they are not!), which is why the AV need be disabled while it's running. We will later need to replace ComboFix to desktop, but for now, it's ok.

Quote:

Any idea how/where this was picked up?

Not really. Sometimes these come from unsavory sites, but also they can come from legit sites which are poorly secure and have malicious code parked on them.

[tlgreenis]

Quote:
McAfee has removed several trojans: FakeAlert-Spypro.gen.a,
What location, file name, file path?

This is what is in the log:
02/09/2010 9:02:52 PM

Registry: C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP457\A0037269.exe

Process: C\WINDOWS\System32\svchost.exe

Process Description: Generic Host Process for Win32 Services

This happened when I enabled VP after running ComboFix the first time.


I looked back a bit further in the log and noticed the following:

02/02/2010 2:33:26PM

File: C;\Documents and Settings\Dianne\Local Settings\Application Data\Mozilla\Firefox\Profiles\9kf53yfk.default/Cache\BA85FF16d01

Process: C:\Program Files\Mozilla Firefox\firefox.exe

Process Description: Firefox

[tetonbob]

OK, thanks. System Volume Information is System Restore's cache. What is there cannot harm the machine unless it were restored to that snapshot. After we are done here, we will flush old restore points, and set a new clean point with which to go forward.

The other item is in Firefox's cache, we shall clear that out also.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
• Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
• Click the Download JRE button to the right
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
  
  
  Java(TM) 6 Update 13
  Java(TM) 6 Update 14
  
  
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on [b]jre-6u18-windows-i586.exe/b] to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

=============================

This tool clears temp files and empties your Recycle Bin.

1. Download TFC (Temp File Cleaner) to your desktop, or other location.
2. Save any unsaved work. TFC will close all open application windows.
3. Double-click TFC.exe to run the program.
4. If prompted, click "Yes" to reboot.

=============================


Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to the following:
  
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

---------------------------------------------------------------------------------------------

[tlgreenis]

Attached is Malwarebytes' log

[tetonbob]

Looks good. Please run ths online scan to help look for remnants.

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
• Copy and paste that log as a reply to this topic and also let me know how things are now.

[tlgreenis]

See the attached ESET log. I have not had any more obvious symptoms, however, there is still alot of hard drive activity.

[tetonbob]

It's not unusual to see the hdd light anytime the machine is on. Mine flashes regularly. That said, there are two accounts on this machine and while some of the scans are global (all accounts) some scans need to be done on each user account. We'll get to Travis shortly.

Eset has identified several items which need your attention.

Your Comcast mailboxes in Firefox (? Thunderbird? ) have infected items in them. Unfortunately, there are no specific mails identified

Master and Travis inbox, and Travis trash. Both should have any suspect emails deleted.

C:\Documents and Settings\Master\Application Data\Mozilla\Profiles\default\rjhcwghg.slt\Mail\mail.comcast.net\Inbox
C:\Documents and Settings\Travis\Application Data\Mozilla\Profiles\default\g20sa3ua.slt\Mail\mail.comcast.net\Inbox
C:\Documents and Settings\Travis\Application Data\Mozilla\Profiles\default\g20sa3ua.slt\Mail\mail.comcast.net\Trash


Trymedia games can be considered adware by some vendors. I'll leave that to you.

C:\Documents and Settings\Master\Desktop\temp\DeliciousEmilysTasteofFame-dm.exe
C:\Documents and Settings\Master\Desktop\temp\ManiaCombo-dm.exe
C:\Documents and Settings\Travis\My Documents\My Pictures\GV_v1r.exe
C:\Documents and Settings\Travis\My Documents\My Pictures\PirateHunterSetup-dm.exe
C:\Documents and Settings\Travis\My Documents\My Pictures\PrisonTycoonSetup-dm.exe
C:\Documents and Settings\Travis\My Documents\My Pictures\RiskII-dm.exe
C:\Documents and Settings\Travis\My Documents\My Pictures\WarlordsBattlecryIIISetup-dm.exe


These items look like a backup, and should be deleted:


C:\My Old Data -- 08-12-26 0504AM\Kathy Old Data -- 08-12-23 0824PM\Documents and Settings\All Users\Documents\My Pictures\WarlordsBattlecryIIISetup-dm.exe
C:\My Old Data -- 08-12-26 0504AM\Kathy Old Data -- 08-12-23 0824PM\Documents and Settings\Master\Application Data\Mozilla\Profiles\default\rjhcwghg.slt\Mail\mail.comcast.net\Inbox
C:\My Old Data -- 08-12-26 0504AM\Kathy Old Data -- 08-12-23 0824PM\Documents and Settings\Travis\Application Data\Mozilla\Profiles\default\g20sa3ua.slt\Mail\mail.comcast.net\Inbox
C:\My Old Data -- 08-12-26 0504AM\Kathy Old Data -- 08-12-23 0824PM\Documents and Settings\Travis\Application Data\Mozilla\Profiles\default\g20sa3ua.slt\Mail\mail.comcast.net\Trash
C:\My Old Data -- 08-12-26 0504AM\Kathy Old Data -- 08-12-23 0824PM\Documents and Settings\Travis\Local Settings\temp\lmSYcJjl.ini
C:\My Old Data -- 08-12-26 0504AM\Kathy Old Data -- 08-12-23 0824PM\Documents and Settings\Travis\Local Settings\temp\lmSYcJjl.ini2
C:\My Old Data -- 08-12-26 0504AM\Kathy Old Data -- 08-12-23 0824PM\Documents and Settings\Travis\Local Settings\Temporary Internet Files\Content.IE5\87X2XB0N\process[1].htm
C:\My Old Data -- 08-12-26 0504AM\Kathy Old Data -- 08-12-23 0824PM\Documents and Settings\Travis\Local Settings\Temporary Internet Files\Content.IE5\LJN96TWC\process[1].htm
C:\My Old Data -- 08-12-26 0504AM\Kathy Old Data -- 08-12-23 0824PM\Program Files\NoAdware5.0\NoAdware5.exe


Once you've done that, log into Travis account, and post DDS logs from that account.

[tlgreenis]

Working on mail boxes, haven't resolved issues still need help. I am waiting on password for one of the mail accounts, should have it in the AM. Will then be able to supply requested info.

[tlgreenis]

Here's the new ESET log for Master. I will start running under Travis right after this post.

[tlgreenis]

Here are the DDS files from Travis Account.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Travis at 15:28:01.95 on Sun 02/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.266 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\Documents and Settings\Travis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/a/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [HXDL.EXE] c:\program files\bestbuy\helpexpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [CHotkey] mHotkey.exe
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [IW Controlcenter] c:\progra~1\vob\instan~1\IWCTRL.EXE
mRun: [GWMDMMSG] GWMDMMSG.exe
mRun: [GWMDMpi] c:\windows\GWMDMpi.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [WD Anywhere Backup] c:\program files\wd\wd anywhere backup\MemeoLauncher2.exe --silent
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LexPPS.exe] c:\windows\system32\lexpps.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag creatacard\AGRemind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230295273526
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\travis\applic~1\mozilla\firefox\profiles\uvlxrsxm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [2002-5-23 73600]
R1 cdrdrv;cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2002-6-20 57344]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-26 214664]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2002-6-20 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2002-6-20 174080]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-26 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-26 144704]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2008-11-7 25824]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-26 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-26 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-26 34248]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-7-18 18560]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-26 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-26 606736]

=============== Created Last 30 ================

2010-02-11 22:27:42 0 d-----w- c:\program files\ESET
2010-02-11 06:47:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-11 06:47:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-11 06:47:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 06:47:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-11 06:26:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-09 22:47:57 0 d-sha-r- C:\cmdcons
2010-02-09 22:43:23 98816 ----a-w- c:\windows\sed.exe
2010-02-09 22:43:23 77312 ----a-w- c:\windows\MBR.exe
2010-02-09 22:43:23 261632 ----a-w- c:\windows\PEV.exe
2010-02-09 22:43:23 161792 ----a-w- c:\windows\SWREG.exe
2010-01-31 21:23:49 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-31 21:23:49 1409 ----a-w- c:\windows\QTFont.for
2010-01-19 02:17:32 0 d-sh--w- c:\documents and settings\travis\PrivacIE
2010-01-19 02:16:32 0 d-sh--w- c:\documents and settings\travis\IETldCache
2010-01-19 00:18:01 0 d-----w- c:\docume~1\alluse~1\applic~1\FarmFrenzy3_America

==================== Find3M ====================

2010-02-11 06:25:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:35:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 18:55:25 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:55:25 2180352 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 18:53:08 2136064 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:19:32 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:19:32 2057728 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 18:19:32 2015744 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 09:13:51 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 14:41:55 453760 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:33:35 17920 ------w- c:\windows\system32\msyuv.dll
2009-11-27 17:33:35 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:33:35 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33:35 1291264 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:37:27 8704 ------w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37:27 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:37:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37:27 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:37:27 48128 ------w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37:27 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:37:27 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37:27 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2009-11-21 16:36:13 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 15:28:29.43 ===============

[tetonbob]

Logs seem fine for the most part. From a malware perspective, we should be done here. What issues remain?

[tlgreenis]

What needs to be done to clear out the restore points?

And to clear out Firefox's cache?

Will I need to clear the cache for each user?

[tetonbob]

Answers to your questions shall follow.

Some final housekeeping instructions, and protection information for you.

Your logs appear clean.You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

ComboFix /Uninstall

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------------------------

Clear the Firefox cache. Tools > Clear Recent History > Select Everything from the dropdown. Do this on all users.

Another useful tool is ATF Cleaner.

Please download ATF Cleaner by Atribune.

• Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------



Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
  
  
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.