Problem with virus infection

This is a discussion on Problem with virus infection within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 06-25-2010, 01:27 PM   #1
Registered Member
Join Date: Jun 2010
Location: New York
Posts: 38
OS: XP

A fake Windows Security Center pops up at my toolbar and it stops my anti-virus and then everything else on my computer. When I try to open any page the fake security warning pops up. I got my computer working by disabling everything at "MSCONFIG --> Startup".
I ran ComboFix. It appeared to fix it in the beginning but again the fake security showed up and stopped everything. I even tried RootkitBuster and it didn't work. So I started to get help from this forum and followed the instructions to clean spyware or malware, ran "DDS.scr" and then "GMER".
Below is the DDS log; "Attach.txt" and "Ark.txt" are attached.
I desperately need help to clean up my computer.
Thanks!
---------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Parisa H at 0:22:25.98 on Thu 06/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.490 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Parisa H\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.guardian.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: moigh Object: {b2b65907-de39-4595-b974-e89d7198eeff} - c:\windows\system32\ompptcin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file://c:\program files\autocad 2002\AcDcToday.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://c:\program files\autocad 2002\AcPreview.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\parisa~1\applic~1\mozilla\firefox\profiles\ktv8xu12.default\
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100618.033\naveng.sys [2010-6-18 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100618.033\navex15.sys [2010-6-18 1347504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2100-02-23 21:35:34 768 ----a-w- c:\windows\x73_lut.dat
2100-02-08 22:53:34 1437 ----a-w- c:\windows\GtX73.ini
2010-06-20 05:19:57 0 d-----w- c:\documents and settings\parisa h\log
2010-06-19 05:33:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-06-19 05:33:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-06-17 08:05:55 0 d-----w- c:\docume~1\parisa~1\applic~1\MSNInstaller
2010-06-17 05:16:42 0 d-----w- c:\windows\system32\scripting
2010-06-17 05:16:42 0 d-----w- c:\windows\l2schemas
2010-06-17 05:16:40 0 d-----w- c:\windows\system32\en
2010-06-17 05:16:40 0 d-----w- c:\windows\system32\bits
2010-06-12 22:33:30 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-11 03:04:03 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-11 02:53:53 0 d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 06:34:33 0 ----a-w- c:\windows\vpc32.INI
2010-06-07 06:07:09 91856 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-07 06:07:09 123200 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-07 0637 0 d-----w- c:\program files\Symantec AntiVirus
2010-06-05 08:33:46 0 d-----w- c:\docume~1\parisa~1\applic~1\Sky-Banners
2010-06-05 07:33:54 0 d-sha-r- C:\cmdcons
2010-06-05 04:26:48 0 d-----w- c:\windows\pss
2010-06-04 07:00:21 0 d-----w- c:\docume~1\parisa~1\applic~1\Street-Ads
2010-06-04 06:59:44 50981 ----a-w- c:\windows\system32\wqippcwmkkkuvpg.exe
2010-06-04 06:59:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-06-03 22:13:36 309760 ----a-w- c:\windows\system32\ompptcin.dll

==================== Find3M ====================

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-06 11:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2006-08-24 06:24:30 104 --sh--r- c:\windows\system32\63775502E1.sys
2006-08-24 06:24:30 7518 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 0:23:34.04 ===============
Attached Files
File Type: zip Attach.zip (4.7 KB, 27 views)
File Type: zip ark.zip (540 Bytes, 26 views)
Old 06-28-2010, 06:55 AM   #2
TSF-Emeritus
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10

Hello and welcome to TSF.

Download ComboFix from one of these locations, but do not run it yet.

Link 1
Link 2

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

How to disable your security applications

To disable Norton Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for a sign.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this:


Open Notepad and copy/paste the text in the quote box below into it:

Quote:
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Click on Yes, to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

If there are internet issues afterward:

Reboot the machine, and check again.

If still issues...

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, uncheck the proxy server and set it to No Proxy.
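As an added example (not code from this thread, nor from DDS or ComboFix), here is a small Python triage script that runs over a constructed excerpt of the DDS log posted above and flags the indicators the helper acted on: the loopback ProxyServer entry that the CFScript removes, the BHO loaded from system32, and recently created binaries with random-looking names or impossible timestamps. The rule names, the name heuristic and its threshold, and the sample excerpt are my own assumptions.

```python
import re

# Constructed excerpt of a DDS log, modelled on the one posted in this thread
# (same entries and paths; the surrounding lines are left out).
SAMPLE_DDS_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Parisa H at 0:22:25.98 on Thu 06/24/2010
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.guardian.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: moigh Object: {b2b65907-de39-4595-b974-e89d7198eeff} - c:\windows\system32\ompptcin.dll
=============== Created Last 30 ================
2100-02-23 21:35:34 768 ----a-w- c:\windows\x73_lut.dat
2010-06-20 05:19:57 0 d-----w- c:\documents and settings\parisa h\log
2010-06-04 06:59:44 50981 ----a-w- c:\windows\system32\wqippcwmkkkuvpg.exe
2010-06-03 22:13:36 309760 ----a-w- c:\windows\system32\ompptcin.dll
============= FINISH: 0:23:34.04 ===============
"""

# Line shapes as they appear in DDS output (the regexes are my own assumption;
# DDS publishes no grammar for its log).
RUN_RE = re.compile(r"^Run by .+ on \w{3} \d{2}/\d{2}/(?P<year>\d{4})$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:[a-z]+=)?(?P<host>[^:;\s]+):(?P<port>\d+)", re.I)
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.+?):\s*\{(?P<clsid>[0-9a-f-]{36})\}\s*-\s*(?P<path>.+)$", re.I)
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def under_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIRS)


def is_loopback(host: str) -> bool:
    # 127.0.0.0/8 or "localhost": the proxy is a listener on the infected box itself,
    # which is how a rogue security product gets to intercept every browser request.
    return host.lower() == "localhost" or host.startswith("127.")


def looks_random(filename: str) -> bool:
    """Crude name heuristic: a long stem containing four or more consonants in a row.

    Triage hint only; some legitimate files trip it, so a hit means "check", not "delete".
    """
    stem = filename.rsplit(".", 1)[0].lower()
    return len(stem) >= 8 and CONSONANT_RUN.search(stem) is not None


def triage(log_text: str) -> list:
    """Return a list of findings ({rule, line, detail}) for one DDS log."""
    findings = []
    scan_year = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            scan_year = int(m.group("year"))  # reference year for the timestamp check
            continue
        m = PROXY_RE.search(line)
        if m and is_loopback(m.group("host")):
            findings.append({"rule": "loopback-proxy", "line": line,
                             "detail": f"browser traffic is routed through {m.group('host')}:{m.group('port')}"})
            continue
        m = BHO_RE.match(line)
        if m:
            path = m.group("path")
            # Toolbars and helpers normally live under Program Files; a BHO DLL dropped
            # straight into the Windows directory deserves a look.
            if under_windows_dir(path) or looks_random(basename(path)):
                findings.append({"rule": "suspicious-bho", "line": line,
                                 "detail": f"BHO '{m.group('name')}' loads {path}"})
            continue
        m = CREATED_RE.match(line)
        if m:
            path, name = m.group("path"), basename(m.group("path"))
            if scan_year is not None and int(m.group("date")[:4]) > scan_year:
                findings.append({"rule": "future-timestamp", "line": line,
                                 "detail": f"{name} is dated after the scan year {scan_year}"})
            if (under_windows_dir(path) and name.lower().endswith((".exe", ".dll"))
                    and looks_random(name)):
                findings.append({"rule": "random-name-binary", "line": line,
                                 "detail": f"{name} was created recently under the Windows directory"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LOG):
        print(f"[{f['rule']}] {f['detail']}")
```

Flagged files are candidates for the VirusTotal check the helper asks for later in the thread, not a verdict on their own.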
Old 06-29-2010, 12:48 AM   #3
Registered Member
Join Date: Jun 2010
Location: New York
Posts: 38
OS: XP

Thanks so much for your reply. Here is the ComboFix log:
-----------------------------------------------------------------------------
ComboFix 10-06-28.01 - Parisa H 06/29/2010 0:31.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.438 [GMT -7:00]
Running from: c:\documents and settings\Parisa H\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Parisa H\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\Street-Ads
c:\documents and settings\Parisa H\Application Data\Sky-Banners
c:\documents and settings\Parisa H\Application Data\Sky-Banners\skb\log.xml
c:\documents and settings\Parisa H\Application Data\Street-Ads
c:\program files\$NtUninstall***1012$
c:\program files\$NtUninstall***1012$\elUninstall.exe
c:\windows\$NtUninstallMTF1011$
c:\windows\$NtUninstallMTF1011$\apUninstall.exe
c:\windows\system32\ompptcin.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
.

2100-02-23 21:35 . 2001-02-22 16:54 768 ----a-w- c:\windows\x73_lut.dat
2010-06-20 05:19 . 2010-06-20 05:19 -------- d-----w- c:\documents and settings\Parisa H\log
2010-06-19 05:33 . 2004-08-10 10:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-06-19 05:33 . 2004-08-10 10:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-06-19 05:32 . 2004-08-10 10:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-06-19 05:32 . 2004-08-10 10:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2010-06-19 05:32 . 2004-08-10 10:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2010-06-19 05:32 . 2004-08-10 10:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
2010-06-19 05:32 . 2004-08-10 10:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2010-06-19 05:32 . 2004-08-10 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll
2010-06-17 08:08 . 2010-06-17 08:08 -------- d-----w- c:\documents and settings\Parisa H\Local Settings\Application Data\Mozilla
2010-06-17 08:05 . 2010-06-17 08:05 -------- d-----w- c:\documents and settings\Parisa H\Application Data\MSNInstaller
2010-06-17 05:16 . 2010-06-17 05:16 -------- d-----w- c:\windows\system32\scripting
2010-06-17 05:16 . 2010-06-17 05:16 -------- d-----w- c:\windows\l2schemas
2010-06-17 05:16 . 2010-06-17 05:16 -------- d-----w- c:\windows\system32\en
2010-06-17 05:16 . 2010-06-17 05:16 -------- d-----w- c:\windows\system32\bits
2010-06-12 22:33 . 2010-06-12 22:33 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-12 22:10 . 2010-06-12 22:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-06-12 21:29 . 2010-04-20 23:45 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
2010-06-11 03:04 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-11 02:53 . 2010-06-11 02:53 3584 ----a-r- c:\documents and settings\Parisa H\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-11 02:53 . 2010-06-11 02:53 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 17:18 . 2010-06-07 17:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-06-07 15:43 . 2010-06-07 15:43 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-06-07 15:43 . 2010-06-07 15:43 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-06-07 06:08 . 2010-06-07 06:08 -------- d-----w- c:\documents and settings\Parisa H\Local Settings\Application Data\Symantec
2010-06-07 06:07 . 2005-04-02 03:36 91856 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-07 06:07 . 2005-04-02 03:36 123200 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-07 06:06 . 2010-06-29 07:26 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-05 07:07 . 2010-06-05 07:07 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-06-05 07:05 . 2010-06-05 07:05 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-06-05 07:05 . 2010-06-05 07:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-05 05:36 . 2010-06-05 05:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-05 05:06 . 2010-06-05 05:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
2010-06-04 06:59 . 2010-06-04 06:59 50981 ----a-w- c:\windows\system32\wqippcwmkkkuvpg.exe
2010-06-04 06:59 . 2010-06-05 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-06-03 04:23 . 2010-06-03 04:23 439816 ----a-w- c:\documents and settings\Parisa H\Application Data\Real\Update\setup3.10\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 07:38 . 2006-05-14 05:30 123944 ----a-w- c:\documents and settings\Parisa H\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-17 05:20 . 2005-08-16 09:41 88183 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-12 22:34 . 2009-11-17 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-12 22:10 . 2006-05-14 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-06-12 21:32 . 2007-01-15 07:04 -------- d--h--r- c:\documents and settings\Parisa H\Application Data\yahoo!
2010-06-12 21:30 . 2006-05-14 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-06-12 21:30 . 2006-05-14 04:33 -------- d-----w- c:\program files\Yahoo!
2010-06-11 02:53 . 2009-03-09 05:24 -------- d-----w- c:\program files\MSECache
2010-06-07 06:10 . 2006-08-30 06:02 -------- d-----w- c:\program files\Symantec_Client_Security
2010-06-07 06:08 . 2006-08-30 06:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-07 06:07 . 2006-08-30 06:02 -------- d-----w- c:\program files\Symantec
2010-06-07 06:06 . 2006-08-30 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-07 05:12 . 2008-12-28 09:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-06 10:41 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 09:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2005-08-16 09:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-08-24 06:24 . 2006-05-14 05:30 104 --sh--r- c:\windows\system32\63775502E1.sys
2006-08-24 06:24 . 2006-05-14 05:30 7518 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2005-04-17 85184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-19 20:08 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-04-08 22:52 48752 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 9:32 PM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv11010
.
Contents of the 'Scheduled Tasks' folder

2010-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 04:32]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 04:32]

2010-06-29 c:\windows\Tasks\User_Feed_Synchronization-{B4203B0B-01D3-430A-985D-8ABEE364FF84}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.guardian.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Parisa H\Application Data\Mozilla\Firefox\Profiles\ktv8xu12.default\
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-pdblmxit - c:\documents and settings\Parisa H\Local Settings\Application Data\mjimvgweb\aghmecutssd.exe
HKCU-Run-OE_OEM - c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
HKCU-Run-hsfg9w8gujsokgahi8gysgnsdgefshyjy - c:\docume~1\ADMINI~1\LOCALS~1\Temp\debug.exe
AddRemove-$NtUninstallMTF1011$ - c:\windows\$NtUninstallMTF1011$\apUninstall.exe
AddRemove-$NtUninstall***1012$ - c:\program files\$NtUninstall***1012$\elUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-06-29 00:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-06-29 00:40:20
ComboFix-quarantined-files.txt 2010-06-29 07:40
ComboFix2.txt 2010-06-07 05:40

Pre-Run: 19,165,110,272 bytes free
Post-Run: 19,276,275,712 bytes free

- - End Of File - - 2F1431924AEEB938576C448C205A420F
Old 06-29-2010, 01:28 AM   #4
TSF-Emeritus
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10

Hi,

From your initial post:

Quote:
I ran Combofix. It appeared to fix it in the beginning but again the fake
security showed up and stopped everything. I even tried Rootkit buster
and didn't work.
Please note that Combofix should never be run without the supervision of a trained analyst.

Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:
ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.
We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.
With these logs we can determine the infections present & decide whether to deploy ComboFix.
================

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    c:\windows\system32\wqippcwmkkkuvpg.exe

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • If the file is analyzed before click Reanalyse file now button.
  • Wait until the file is analyzed.
  • Once scanned, copy and paste the results in your next reply.

===================

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner. This is a very thorough scan and will take a long time. Please be patient and allow it to run its course.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Old 06-30-2010, 01:58 PM   #5
Registered Member
 
Join Date: Jun 2010
Location: New York
Posts: 38
OS: XP



Here is the "Virus Total" scan result. Just to let you know that I was not able to copy/paste "c:\windows\system32\wqippcwmkkkuvpg.exe", because it was prompting me to upload the file, so I uploaded this file from my computer and therefore it was not in "Bold". THANKS A LOT for your help.
-----------------------------------------------------------------
Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.06.30 -
AhnLab-V3 2010.06.30.00 2010.06.30 -
AntiVir 8.2.4.2 2010.06.29 -
Antiy-AVL 2.0.3.7 2010.06.30 -
Authentium 5.2.0.5 2010.06.30 -
Avast 4.8.1351.0 2010.06.29 -
Avast5 5.0.332.0 2010.06.29 -
AVG 9.0.0.836 2010.06.29 -
BitDefender 7.2 2010.06.30 -
CAT-QuickHeal 10.00 2010.06.30 -
ClamAV 0.96.0.3-git 2010.06.30 -
Comodo 5262 2010.06.30 -
DrWeb 5.0.2.03300 2010.06.30 -
eSafe 7.0.17.0 2010.06.29 -
eTrust-Vet 36.1.7675 2010.06.29 -
F-Prot 4.6.1.107 2010.06.29 -
F-Secure 9.0.15370.0 2010.06.30 -
Fortinet 4.1.133.0 2010.06.29 -
GData 21 2010.06.30 -
Ikarus T3.1.1.84.0 2010.06.30 -
Jiangmin 13.0.900 2010.06.30 -
Kaspersky 7.0.0.125 2010.06.30 -
McAfee 5.400.0.1158 2010.06.30 -
McAfee-GW-Edition 2010.1 2010.06.29 Artemis!AECE982E7339
Microsoft 1.5902 2010.06.30 -
NOD32 5238 2010.06.29 -
Norman 6.05.10 2010.06.29 W32/BHO.AAHU
nProtect 2010-06-29.01 2010.06.29 -
Panda 10.0.2.7 2010.06.29 -
PCTools 7.0.3.5 2010.06.30 Trojan.BHO.G
Prevx 3.0 2010.06.30 High Risk Cloaked Malware
Rising 22.54.02.01 2010.06.30 -
Sophos 4.54.0 2010.06.30 Troj/BHO-QN
Sunbelt 6524 2010.06.30 -
Symantec 20101.1.0.89 2010.06.30 WS.Reputation.1
TheHacker 6.5.2.0.305 2010.06.30 -
TrendMicro 9.120.0.1004 2010.06.30 -
TrendMicro-HouseCall 9.120.0.1004 2010.06.30 -
VBA32 3.12.12.5 2010.06.29 -
ViRobot 2010.6.29.3912 2010.06.30 -
VirusBuster 5.0.27.0 2010.06.29 -
Additional information
File size: 50981 bytes
MD5...: aece982e7339d3dc97708d84e50aa234
SHA1..: 7672b280890312ec4eeff1f829ac871f0eb5f26c
SHA256: 73978e071f4726954c7fe11e7d7e67b6eb1e39a3ca5504eb6f8843536a30d16a
ssdeep: 1536:VSV8/DcCDCMMkG0DaXJp5vh2idqQpsttsNf/:VS8BCfoDaXJp55vP+ttg3
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x325e
timedatestamp.....: 0x4b1ae3d2 (Sat Dec 05 22:50:58 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5dc8 0x5e00 6.51 e80992014f71a8d74a073aae70d08af5
.rdata 0x7000 0x129c 0x1400 5.05 c9f64a3006462e830a22bdd4740678e5
.data 0x9000 0x25c98 0x400 4.88 a81e24eb26c207ab205634c089d49bbd
.ndata 0x2f000 0xd000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x3c000 0x9e8 0xa00 4.42 5dc1d2e44f72ef12149ee36f892fee1b

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )
RDS...: NSRL Reference Data Set
-
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
pdfid.: -
https://info.prevx.com/aboutprogramtext.asp?PX5=4B3CC6E425DDA67BC701008051B48F00FE217703
ThreatExpert info: https://www.threatexpert.com/report.aspx?md5=aece982e7339d3dc97708d84e50aa234
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (F-Prot): NSIS
----------------------------------------------------
In the following is "kaspersky" scan result:
----------------------------------------------------
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, June 30, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, June 30, 2010 02:47:23
Records in database: 4265527
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: no

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 126745
Threats found: 8
Infected objects found: 15
Suspicious objects found: 0
Scan duration: 04:44:08


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B0C0000.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B140001.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B180000.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B180001.VBN Infected: Trojan-Downloader.Win32.Wzhyk.he 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B180002.VBN Infected: Trojan-Clicker.Win32.VBiframe.car 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BF80000\4FFC0079.VBN Infected: Trojan.Win32.KillAV.gnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BF80001\4FFC0094.VBN Infected: Trojan.Win32.KillAV.gnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BF80002\4FFC00B6.VBN Infected: Trojan.Win32.KillAV.gnc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F980000\4F99B2D6.VBN Infected: not-a-virus:AdWare.Win32.RON.dvc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ompptcin.dll.vir Infected: Trojan.Win32.BHO.ahvo 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000026.dll Infected: not-a-virus:AdWare.Win32.BHO.mgs 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000048.dll Infected: Trojan.Win32.BHO.ahvo 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP11\A0007391.dll Infected: Trojan.Win32.BHO.ahvo 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0006133.exe Infected: Trojan.Win32.FraudPack.axzj 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0006134.exe Infected: Trojan.Win32.FraudPack.axzj 1

Selected area has been scanned.
Old 06-30-2010, 09:33 PM   #6
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Hi,

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:
https://www.techsupportforum.com/f100/problem-with-virus-infection-492886.html#post2783210

Collect::
c:\windows\system32\wqippcwmkkkuvpg.exe
Save this as CFScript.txt on your desktop.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, it pops out with the CF log and this message box:

Clicking OK will begin the auto-upload of the zipped file.

============================

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.
Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply and also let me know how the computer is performing now.
Old 07-02-2010, 12:22 AM   #7
Registered Member
 
Join Date: Jun 2010
Location: New York
Posts: 38
OS: XP



Thanks so much for your reply. Here is "Combofix log":
--------------------------------------------------------------
ComboFix 10-06-30.03 - Parisa H 07/01/2010 0:07.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.485 [GMT -7:00]
Running from: c:\documents and settings\Parisa H\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Parisa H\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\windows\system32\wqippcwmkkkuvpg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wqippcwmkkkuvpg.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2100-02-23 21:35 . 2001-02-22 16:54 768 ----a-w- c:\windows\x73_lut.dat
2010-06-30 07:00 . 2010-06-30 07:00 503808 ----a-w- c:\documents and settings\Parisa H\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-299017da-n\msvcp71.dll
2010-06-30 07:00 . 2010-06-30 07:00 499712 ----a-w- c:\documents and settings\Parisa H\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-299017da-n\jmc.dll
2010-06-30 07:00 . 2010-06-30 07:00 348160 ----a-w- c:\documents and settings\Parisa H\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-299017da-n\msvcr71.dll
2010-06-30 07:00 . 2010-06-30 07:00 61440 ----a-w- c:\documents and settings\Parisa H\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-330780f4-n\decora-sse.dll
2010-06-30 07:00 . 2010-06-30 07:00 12800 ----a-w- c:\documents and settings\Parisa H\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-330780f4-n\decora-d3d.dll
2010-06-30 07:00 . 2010-06-30 06:59 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-20 05:19 . 2010-06-20 05:19 -------- d-----w- c:\documents and settings\Parisa H\log
2010-06-19 05:33 . 2004-08-10 10:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-06-19 05:33 . 2004-08-10 10:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-06-19 05:32 . 2004-08-10 10:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-06-19 05:32 . 2004-08-10 10:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2010-06-19 05:32 . 2004-08-10 10:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2010-06-19 05:32 . 2004-08-10 10:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
2010-06-19 05:32 . 2004-08-10 10:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2010-06-19 05:32 . 2004-08-10 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll
2010-06-17 08:08 . 2010-06-17 08:08 -------- d-----w- c:\documents and settings\Parisa H\Local Settings\Application Data\Mozilla
2010-06-17 08:05 . 2010-06-17 08:05 -------- d-----w- c:\documents and settings\Parisa H\Application Data\MSNInstaller
2010-06-17 05:16 . 2010-06-17 05:16 -------- d-----w- c:\windows\system32\scripting
2010-06-17 05:16 . 2010-06-17 05:16 -------- d-----w- c:\windows\l2schemas
2010-06-17 05:16 . 2010-06-17 05:16 -------- d-----w- c:\windows\system32\en
2010-06-17 05:16 . 2010-06-17 05:16 -------- d-----w- c:\windows\system32\bits
2010-06-12 22:33 . 2010-06-12 22:33 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-12 22:10 . 2010-06-12 22:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-06-12 21:29 . 2010-04-20 23:45 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
2010-06-11 03:04 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-11 02:53 . 2010-06-11 02:53 3584 ----a-r- c:\documents and settings\Parisa H\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-11 02:53 . 2010-06-11 02:53 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 17:18 . 2010-06-07 17:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-06-07 15:43 . 2010-06-07 15:43 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-06-07 15:43 . 2010-06-07 15:43 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-06-07 06:08 . 2010-06-07 06:08 -------- d-----w- c:\documents and settings\Parisa H\Local Settings\Application Data\Symantec
2010-06-07 06:07 . 2005-04-02 03:36 91856 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-07 06:07 . 2005-04-02 03:36 123200 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-07 06:06 . 2010-07-01 07:00 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-05 07:07 . 2010-06-05 07:07 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-06-05 07:05 . 2010-06-05 07:05 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-06-05 07:05 . 2010-06-05 07:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-05 05:36 . 2010-06-05 05:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-05 05:06 . 2010-06-05 05:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
2010-06-04 06:59 . 2010-06-05 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-06-03 04:23 . 2010-06-03 04:23 439816 ----a-w- c:\documents and settings\Parisa H\Application Data\Real\Update\setup3.10\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-30 07:00 . 2006-04-10 16:19 -------- d-----w- c:\program files\Common Files\Java
2010-06-30 06:59 . 2006-04-10 16:19 -------- d-----w- c:\program files\Java
2010-06-19 07:38 . 2006-05-14 05:30 123944 ----a-w- c:\documents and settings\Parisa H\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-17 05:20 . 2005-08-16 09:41 88183 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-12 22:34 . 2009-11-17 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-12 22:10 . 2006-05-14 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-06-12 21:32 . 2007-01-15 07:04 -------- d--h--r- c:\documents and settings\Parisa H\Application Data\yahoo!
2010-06-12 21:30 . 2006-05-14 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-06-12 21:30 . 2006-05-14 04:33 -------- d-----w- c:\program files\Yahoo!
2010-06-11 02:53 . 2009-03-09 05:24 -------- d-----w- c:\program files\MSECache
2010-06-07 06:10 . 2006-08-30 06:02 -------- d-----w- c:\program files\Symantec_Client_Security
2010-06-07 06:08 . 2006-08-30 06:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-07 06:07 . 2006-08-30 06:02 -------- d-----w- c:\program files\Symantec
2010-06-07 06:06 . 2006-08-30 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-07 05:12 . 2008-12-28 09:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-06 10:41 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 09:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2005-08-16 09:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-08-24 06:24 . 2006-05-14 05:30 104 --sh--r- c:\windows\system32\63775502E1.sys
2006-08-24 06:24 . 2006-05-14 05:30 7518 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_07.37.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-30 07:00 . 2010-06-30 07:00 16384 c:\windows\temp\Perflib_Perfdata_d1c.dat
+ 2010-06-30 07:00 . 2010-06-30 06:59 153376 c:\windows\system32\javaws.exe
+ 2010-06-30 07:00 . 2010-06-30 06:59 145184 c:\windows\system32\javaw.exe
+ 2010-06-30 07:00 . 2010-06-30 06:59 145184 c:\windows\system32\java.exe
+ 2010-06-30 07:00 . 2010-06-30 07:00 180224 c:\windows\Installer\50ffe76.msi
+ 2010-06-30 06:59 . 2010-06-30 06:59 576000 c:\windows\Installer\50ffe71.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2005-04-17 85184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-19 20:08 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-04-08 22:52 48752 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 9:32 PM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - EraserUtilDrv11010
.
Contents of the 'Scheduled Tasks' folder

2010-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 04:32]

2010-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 04:32]

2010-07-01 c:\windows\Tasks\User_Feed_Synchronization-{B4203B0B-01D3-430A-985D-8ABEE364FF84}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.guardian.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Parisa H\Application Data\Mozilla\Firefox\Profiles\ktv8xu12.default\
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-wqippcwmkkkuvpg - c:\windows\system32\wqippcwmkkkuvpg.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-07-01 00:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\PARISA~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-07-01 00:16:31
ComboFix-quarantined-files.txt 2010-07-01 07:16
ComboFix2.txt 2010-06-29 07:40
ComboFix3.txt 2010-06-07 05:40

Pre-Run: 19,070,169,088 bytes free
Post-Run: 19,169,619,968 bytes free

- - End Of File - - C57A4F1A78900B1CE49258876AC9425E
Upload was successful
-----------------------------------------------------
and here is "Malware bytes log":
-----------------------------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4263

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/1/2010 7:46:28 PM
mbam-log-2010-07-01 (19-46-28).txt

Scan type: Full scan (C:\|)
Objects scanned: 254153
Time elapsed: 1 hour(s), 13 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\ompptcin.dll.vir (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000026.dll (Adware.AdShot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0000048.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP11\A0007391.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000426.exe (Adware.Lifze) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0006100.exe (Adware.Lifze) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0006133.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0006134.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
--------------------------------------------------------------
My computer seems to work ok now. I don't see signs of being infected. The only problem I see is that I can't open the "guardian.co.uk" website in Firefox. A "surveys.cnet.com" website interrupts it from opening and the page doesn't open at all. I read in a forum that this was a common problem for people opening the guardian website using Firefox and getting interrupted by "surveys.cnet", and someone made a comment that it's because the computer is infected. I can open the guardian website in IE, but the page opens with an error. I'm attaching the error detail in the following. Also, the small icon next to the website address doesn't belong to guardian. It is for a different website (which I can't exactly tell what site, but it looks like "FN" or "EN"). Could these mean that my computer is still infected?
Here is the error detail:
------------------------
Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Timestamp: Fri, 2 Jul 2010 05:40:59 UTC


Message: 'E05516' is undefined
Line: 64
Char: 2
Code: 0
URI: https://static.guim.co.uk/static/9160...ipts/revsci.js
parisah is offline  
Old 07-02-2010, 03:48 AM   #8
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Hi,

I am not sure what the issue is with guardian.co.uk and cnet.com. I don't see any malware in the logs. The fact that it only happens with one particular website, i.e. guardian.co.uk, and with both browsers, suggests that it may have something to do either with the website or with your ISP. However, my research indicates that you're not alone, and some users seem to have solved the issue by installing the NoScript add-on. This may or may not solve your problem, but NoScript is a useful add-on and you would benefit from installing it if you don't have it.

Does the page load for you when you type this in the address bar?

https://77.91.248.30

Uninstall the following via the Add/Remove Panel (Start->Control Panel->Add or Remove Programs):

Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) SE Runtime Environment 6 Update 1


These are all outdated, and having them still installed is a security risk. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Java(TM) 6 Update 10 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Once the install is complete....

Go into the Control Panel and double-click the Java Icon (looks like a coffee cup).
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache; leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

=========================

Adobe Reader 8.1.4

Your Adobe Reader is out of date and can be exploited. Please download the latest version, here.

Uncheck Google Toolbar, Free McAfee® Security Scan Plus, or any other offers they may have during the installation, unless you want them.

========================

Clean your Cache and Cookies in IE:

Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Click the "Delete Cookies" button
Next to it, Click the "Delete Files" button
When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox:

Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

=============================
  • Go to Start | Run, type cmd and press Enter
  • Copy the following command:
    Code:
    ipconfig /flushdns
  • Click the icon in the upper left corner of the command prompt window title bar and choose Edit > Paste
  • Press Enter to execute the command
  • Type Exit to exit the command prompt.

=============================

Let me know if any of these resolved the issue and post a fresh DDS.txt.
amateur is offline  
Old 07-03-2010, 05:04 PM   #9
Registered Member
 
Join Date: Jun 2010
Location: New York
Posts: 38
OS: XP



THANKS for your reply.
I did all the clean ups. The problem with "guardian.co.uk" is not resolved yet but the small website logo on my address bar is correct now and belongs to the website.
"https://77.91.248.30" loads "guardian.co.uk" in IE with error on page and in Firefox doesn't load and gets interrupted by "surveys.cnet.com".
I have files quarantined in my Symantec anti-virus. Do I need to delete those files?
Here is the fresh DDS.txt:
-----------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Parisa H at 1:13:24.40 on Sat 07/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.294 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Parisa H\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.guardian.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file://c:\program files\autocad 2002\AcDcToday.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://c:\program files\autocad 2002\AcPreview.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\parisa~1\applic~1\mozilla\firefox\profiles\ktv8xu12.default\
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - plugin: c:\documents and settings\parisa h\application data\mozilla\firefox\profiles\ktv8xu12.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100702.003\naveng.sys [2010-7-2 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100702.003\navex15.sys [2010-7-2 1347504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2100-02-23 21:35:34 768 ----a-w- c:\windows\x73_lut.dat
2100-02-08 22:53:34 1437 ----a-w- c:\windows\GtX73.ini
2010-07-01 07:38:36 0 d-----w- c:\docume~1\parisa~1\applic~1\Malwarebytes
2010-07-01 07:38:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 07:38:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-01 07:38:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-01 07:38:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 07:00:13 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-29 07:27:38 98816 ----a-w- c:\windows\sed.exe
2010-06-29 07:27:38 77312 ----a-w- c:\windows\MBR.exe
2010-06-29 07:27:38 256512 ----a-w- c:\windows\PEV.exe
2010-06-29 07:27:38 161792 ----a-w- c:\windows\SWREG.exe
2010-06-20 05:19:57 0 d-----w- c:\documents and settings\parisa h\log
2010-06-19 05:33:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-06-19 05:33:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-06-17 08:05:55 0 d-----w- c:\docume~1\parisa~1\applic~1\MSNInstaller
2010-06-17 05:16:42 0 d-----w- c:\windows\system32\scripting
2010-06-17 05:16:42 0 d-----w- c:\windows\l2schemas
2010-06-17 05:16:40 0 d-----w- c:\windows\system32\en
2010-06-17 05:16:40 0 d-----w- c:\windows\system32\bits
2010-06-12 22:33:30 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-11 03:04:03 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-11 02:53:53 0 d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 06:34:33 0 ----a-w- c:\windows\vpc32.INI
2010-06-07 06:07:09 91856 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-07 06:07:09 123200 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-07 0637 0 d-----w- c:\program files\Symantec AntiVirus
2010-06-05 07:33:54 0 d-sha-r- C:\cmdcons
2010-06-05 04:26:48 0 d-----w- c:\windows\pss
2010-06-04 06:59:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Update

==================== Find3M ====================

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-06 11:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2006-08-24 06:24:30 104 --sh--r- c:\windows\system32\63775502E1.sys
2006-08-24 06:24:30 7518 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 1:13:38.04 ===============
parisah is offline  
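As an added triage example for the fresh DDS log above (not a tool from this thread or from DDS itself), the script below parses the "Created Last 30" and "Find3M" sections, flags files whose timestamp is later than the scan's own run time or which carry hidden+system attributes, and reports lines it cannot parse. Flags are prompts for a helper to eyeball, not malware verdicts; the sample lines are copied from the log posted above, and the section names and attribute-flag layout are assumed from that log rather than from DDS documentation.

```python
"""Triage the 'Created Last 30' and 'Find3M' sections of a DDS log.

Added example for this thread, not part of DDS or of the helper's
instructions. Each flag is a prompt for manual review, not a verdict:
future-dated and hidden+system files are sometimes legitimate.
"""
import re
from datetime import datetime

# DDS entry: date time size attribute-flags path   (e.g. "----a-w-", "d-sha-r-")
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+)$"
)
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
RUN_RE = re.compile(r"^Run by .+ at (\d{1,2}:\d{2}:\d{2})\.\d+ on \w+ (\d{2}/\d{2}/\d{4})")
FILE_SECTIONS = {"Created Last 30", "Find3M"}  # assumed section titles, as seen in the log


def run_time_of(log_text):
    """Return the scan's start time from the 'Run by ... on ...' header line."""
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            return datetime.strptime(f"{m.group(2)} {m.group(1)}", "%m/%d/%Y %H:%M:%S")
    raise ValueError("no 'Run by' header found")


def triage(log_text):
    """Return {'flagged': [(path, reason), ...], 'unparsed': [line, ...]}."""
    run_time = run_time_of(log_text)
    flagged, unparsed, section = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        if section not in FILE_SECTIONS:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            unparsed.append(line)  # e.g. a timestamp mangled in copy/paste
            continue
        date, time, _size, attrs, path = m.groups()
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        if when > run_time:
            flagged.append((path, "timestamp after log run time"))
        # hidden+system on a plain file is worth a look; directories such as
        # the recovery console folder carry these flags legitimately
        if attrs[0] != "d" and "s" in attrs and "h" in attrs:
            flagged.append((path, "hidden+system attributes"))
    return {"flagged": flagged, "unparsed": unparsed}


# Constructed sample: a handful of lines copied from the DDS log in this thread.
SAMPLE = r"""DDS (Ver_10-03-17.01) - NTFSx86
Run by Parisa H at 1:13:24.40 on Sat 07/03/2010

=============== Created Last 30 ================

2100-02-23 21:35:34 768 ----a-w- c:\windows\x73_lut.dat
2100-02-08 22:53:34 1437 ----a-w- c:\windows\GtX73.ini
2010-07-01 07:38:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-07 0637 0 d-----w- c:\program files\Symantec AntiVirus
2010-06-05 07:33:54 0 d-sha-r- C:\cmdcons

==================== Find3M ====================

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2006-08-24 06:24:30 104 --sh--r- c:\windows\system32\63775502E1.sys
2006-08-24 06:24:30 7518 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 1:13:38.04 ===============
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    for path, reason in result["flagged"]:
        print(f"REVIEW   {reason:28} {path}")
    for line in result["unparsed"]:
        print(f"UNPARSED {line}")
```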
Old 07-03-2010, 11:23 PM   #10
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Hi,

Quote:
I have files quarantined in my Symantec anti-virus. Do I need to delete those files?
You may if you wish to. As long as you don't restore them, they are inert and will not harm you from there.

I think it would be better if you take up the guardian.co.uk issue with the Internet Explorer Forum and Other Browsers forums. From a malware point of view, the machine appears to be clean.
  • Click Start, then Run
  • Now type ComboFix /Uninstall in the run box and click OK. Notice the space between the Combofix and the /.

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

It's vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

If you want to fight back against the malware writers that have made your life a misery, please take a look here and read what you can do against it.


Please respond to this thread one more time so we can mark this thread as resolved.

Surf Safely and Think Prevention!
amateur is offline  
Old 07-05-2010, 01:32 AM   #11
Registered Member
 
Join Date: Jun 2010
Location: New York
Posts: 38
OS: XP



Thanks A LOT! I truly appreciate your time and great help, and wish you all the best.
parisah is offline  
Old 07-05-2010, 02:17 AM   #12
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



You're welcome. Glad to have been able to help. Stay safe!
amateur is offline  