
Registered · 117 Posts
Discussion Starter · #1 ·
My dad caught this on his computer the other day. It was constantly trying to change his default search engine to Yahoo. I googled the problem and deleted all of the files associated with the malware, along with uninstalling the Spigot Toolbar and the PDF Creator using "Add/Remove Programs". I didn't make any changes to the registry. All of the files that were associated with this were located in Program Files.

After deleting most of the files, I noticed that ApplicationUpdater.exe still remained. It wouldn't let me kill its process in Task Manager and wouldn't let me delete its files manually. Though, after uninstalling the toolbar in Add/Remove Programs, ApplicationUpdater disappeared. After that, there have been no symptoms so far, but since I didn't fix anything in the registry, I just want to confirm if the system is clean or not.

Here are the logs:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by wamcd at 16:21:11 on 2011-10-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.355 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\WINDOWS\system32\HPSIsvc.exe
C:\Program Files\Identity Finder 4\idfEndpoint.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP UT LEDM\bin\hppusg.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://education.dellnet.com/
uStart Page = hxxp://education.dellnet.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office 2002\programs\QFSCHD100.EXE"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HPUsageTrackingLEDM] "c:\program files\hp\hp ut ledm\bin\hppusg.exe" "c:\program files\hp\hp ut ledm\"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\corelc~1.lnk - c:\windows\installer\{f73e7b59-f951-11d4-884d-00902761a46d}\I_26dadCC.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115408060564
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130441725093
DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.3092708333
DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198
TCP: Interfaces\{4D71D46A-A34A-4F59-8B92-CC51FF0FB026} : DhcpNameServer = 68.87.64.150 68.87.75.198
Notify: igfxcui - igfxdev.dll
SEH: Quick View Plus - ShellExecute Hook: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\documents and settings\wamcd.wamcd01\application data\mozilla\firefox\profiles\o40f8ch2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=302398&p=
FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npbeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava11.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava12.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava13.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava14.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJinit-11816.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJinit1319.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJPI142_02.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPOJI610.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nppl3260.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPQ00132.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPQ00532.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPQ00632.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprfxins.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprjplug.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPtestDirectory.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPtrainingEngine.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npvpg005.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2002-5-8 212992]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-10 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-10 108392]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2009-6-24 136704]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2010-12-17 99896]
R2 IDFEndpointService;Identity Finder Endpoint Service;c:\program files\identity finder 4\idfEndpoint.exe [2010-10-13 6181376]
R2 NetAlrt;NetAlrt;c:\windows\system32\drivers\Netalrt.sys [2002-5-7 39680]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1980-1-1 28672]
R2 PlatAlrt;PlatAlrt;c:\windows\system32\drivers\platalrt.sys [2002-5-7 23744]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2010-11-8 1839776]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-1 105592]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2002-10-7 6942]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111003.001\NAVENG.SYS [2011-10-3 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111003.001\NAVEX15.SYS [2011-10-3 1576312]
S3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\a302.sys [2003-8-29 11319]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-3-30 23888]
S3 FILEMON;FILEMON;\??\c:\windows\system32\drivers\filem.sys --> c:\windows\system32\drivers\FILEM.SYS [?]
S3 Intel Remote Control Helper;Intel Remote Control Helper;c:\windows\system32\drivers\rch.sys --> c:\windows\system32\drivers\rch.sys [?]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2010-12-17 17408]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-09-30 20:09:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-17 18:11:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-17 18:11:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-17 16:30:38 1409 ----a-w- c:\windows\QTFont.for
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 16:22:13.00 ===============
 

TSF Security Manager, Emeritus · 42,836 Posts
Hello Whimsicott,

It would be a good idea to sweep through the machine with a good Anti Malware program. Download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.
Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.
 

Registered · 117 Posts
Discussion Starter · #3 ·
Hello, Reid! Glad to see you again! :)
I'll run Malwarebytes once I get the chance to use his machine (probably when I get home from school, since he doesn't get home from work until a couple of hours later). I know that the staff wants to make this forum a one-time visit for each user, but I made a new topic since this is a different computer.
Either way, thank you!
 

TSF Security Manager, Emeritus · 42,836 Posts
Any luck yet? :smile:
 

Registered · 117 Posts
Discussion Starter · #5 ·
None yet, since both of my parents have been using it a lot lately. I'll keep you updated once I get the chance to run it. Though, should I remove Malwarebytes after the scan? He doesn't really want us installing things on his computer (though, Malwarebytes has a permanent residence on mine.)
 

TSF Security Manager, Emeritus · 42,836 Posts
See if you can talk him into leaving it on the machine. Explain to him that AV alone is not enough. Layered protection is best, meaning AV, and a good Anti Malware program.
 

Registered · 117 Posts
Discussion Starter · #7 ·
I got the Malwarebytes log! :D
In the meantime, my dad was infected with two rogue antivirus programs, one being Privacy Protection, which was last week. The other was AV Protection 2011, which I supposedly removed today. I just hope these infections can't spread to other computers on our home network. I still have another log from when Malwarebytes removed those threats.

Here is the most recent log:

Malwarebytes' Anti-Malware 1.51.2.1300
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 8154

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/19/2011 11:31:05 AM
mbam-log-2011-11-19 (11-31-05).txt

Scan type: Quick scan
Objects scanned: 174331
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

TSF Security Manager, Emeritus · 42,836 Posts
I highly recommend you run the initial tools, dds.scr and gmer.exe, and post those logs so I can get a look at the current state of the machine.
 

Registered · 117 Posts
Discussion Starter · #9 ·
I'll do that soon, as my dad now allows me to use his computer when he needs a problem fixed.
Though, a quick question: can those rogue security programs spread to other computers connected to the same wireless router? (I don't want my PC to get infected as well). They don't connect to each other locally, they're just connected to the same router.
 

TSF Security Manager, Emeritus · 42,836 Posts
It shouldn't, no. Without knowing exactly what is/was on the machine, I can't say for certain whether or not anyone on the same router is at risk.

Try to impress upon your father that lack of symptoms does not necessarily mean the infection is completely gone. A set of logs, and the MBAM results of what it removed, would give me a better idea.
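Reading a DDS log for the two things this thread turns on, leftover search-hijack settings in the Firefox section and dropper-style folder names in "Created Last 30", can be scripted. The following is an added example written for this page, not a tool posted in the thread and not part of DDS; its sample lines are constructed from entries that appear in the logs posted here, and the vendor list and the random-name heuristic are assumptions.

```python
"""Triage of a DDS log for the two findings this thread turns on: residual
Firefox search-hijack settings and dropper-style folder names under
"Created Last 30". Added example for this page, not a DDS feature."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: the vendors this thread's own logs name as the hijack source.
ADWARE_HINTS = ("spigot", "ask.com")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.+)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{5,}$")

# Constructed sample: lines taken from the DDS logs posted in this thread.
SAMPLE_LOG = r"""
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=302398&p=
FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
=============== Created Last 30 ================
.
2011-11-19 15:04:12 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\tS1ibD3pn4
2011-11-19 02:36:24 -------- d-----w- c:\program files\19D81
2011-11-19 02:32:57 -------- d-----w- c:\program files\LP
2011-11-13 18:59:56 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\Malwarebytes
2011-11-13 18:59:47 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
==================== Find3M ====================
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def looks_generated(name: str) -> bool:
    """Heuristic (an assumption, not a DDS rule) for dropper-style names:
    5+ hex characters mixing digits and letters (19D81, B1CF4), or 8+ mixed
    letters/digits with high entropy (tS1ibD3pn4). "Malwarebytes" passes."""
    has_alpha = any(ch.isalpha() for ch in name)
    has_digit = any(ch.isdigit() for ch in name)
    if not (has_alpha and has_digit):
        return False
    if HEX_RE.match(name):
        return True
    return len(name) >= 8 and shannon_entropy(name) >= 3.0

def flag_created_dirs(log_text: str) -> list:
    """Paths of directories under "Created Last 30" whose names look generated."""
    flagged, in_section = [], False
    for line in log_text.splitlines():
        if "Created Last 30" in line:
            in_section = True
            continue
        if in_section and line.startswith("===="):
            break  # next DDS section (Find3M) begins
        m = CREATED_RE.match(line) if in_section else None
        if not m or not m.group("attrs").startswith("d"):
            continue  # skip non-matching lines and plain files
        path = m.group("path").strip()
        if looks_generated(path.rstrip("\\").rsplit("\\", 1)[-1]):
            flagged.append(path)
    return flagged

def flag_search_hijack(log_text: str) -> list:
    """Firefox search settings that point away from the selected engine, plus
    BHO/toolbar/component lines belonging to the vendors in ADWARE_HINTS."""
    findings, prefs = [], {}
    for line in log_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group("key")] = m.group("value").strip()
        low = line.lower()
        if low.startswith(("ff - component", "bho:", "tb:")) and any(
            h in low for h in ADWARE_HINTS
        ):
            findings.append("adware component still loaded: " + line.strip())
    engine = prefs.get("browser.search.selectedEngine", "").lower()
    url = prefs.get("keyword.URL", "")
    if engine and url:
        host = urlparse(url.replace("hxxp", "http", 1)).netloc  # undo defanging
        if engine not in host:
            findings.append(f"keyword.URL sends searches to {host}, not {engine}")
    return findings

def triage(log_text: str) -> dict:
    """Both checks over one log; run on SAMPLE_LOG to see the thread's findings."""
    return {"suspicious_dirs": flag_created_dirs(log_text),
            "hijack_findings": flag_search_hijack(log_text)}

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, *items, sep="\n  ")
```

On the sample it flags the spigot component and Ask BHO, the keyword.URL that still sends searches to Yahoo even though Google is the selected engine, and the two generated-looking folders; the heuristic is a triage aid, not a verdict, so each hit still needs a human look.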
 

Registered · 117 Posts
Discussion Starter · #11 ·
Thank you for getting back to me! I got the logs ready! :)
Also, we both suspected that it was gone after the first infection, but after the second one hit, I did some investigation.

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by wamcd at 15:17:56 on 2011-11-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.107 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\WINDOWS\system32\HPSIsvc.exe
C:\Program Files\Identity Finder 4\idfEndpoint.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://education.dellnet.com/
uStart Page = hxxp://education.dellnet.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office 2002\programs\QFSCHD100.EXE"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HPUsageTrackingLEDM] "c:\program files\hp\hp ut ledm\bin\hppusg.exe" "c:\program files\hp\hp ut ledm\"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\corelc~1.lnk - c:\windows\installer\{f73e7b59-f951-11d4-884d-00902761a46d}\I_26dadCC.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115408060564
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130441725093
DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.3092708333
DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198
TCP: Interfaces\{4D71D46A-A34A-4F59-8B92-CC51FF0FB026} : DhcpNameServer = 68.87.64.150 68.87.75.198
Notify: igfxcui - igfxdev.dll
SEH: Quick View Plus - ShellExecute Hook: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\documents and settings\wamcd.wamcd01\application data\mozilla\firefox\profiles\o40f8ch2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=302398&p=
FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npbeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava11.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava12.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava13.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava14.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJinit-11816.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJinit1319.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJPI142_02.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPOJI610.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nppl3260.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPQ00132.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPQ00532.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPQ00632.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprfxins.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprjplug.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPtestDirectory.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPtrainingEngine.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npvpg005.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2002-5-8 212992]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-10 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-10 108392]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2009-6-24 136704]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2010-12-17 99896]
R2 IDFEndpointService;Identity Finder Endpoint Service;c:\program files\identity finder 4\idfEndpoint.exe [2010-10-13 6181376]
R2 NetAlrt;NetAlrt;c:\windows\system32\drivers\Netalrt.sys [2002-5-7 39680]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1980-1-1 28672]
R2 PlatAlrt;PlatAlrt;c:\windows\system32\drivers\platalrt.sys [2002-5-7 23744]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2010-11-8 1839776]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-10 106104]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2002-10-7 6942]
R3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2010-12-17 17408]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111115.019\NAVENG.SYS [2011-11-16 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111115.019\NAVEX15.SYS [2011-11-16 1576312]
S3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\a302.sys [2003-8-29 11319]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-3-30 23888]
S3 FILEMON;FILEMON;\??\c:\windows\system32\drivers\filem.sys --> c:\windows\system32\drivers\FILEM.SYS [?]
S3 Intel Remote Control Helper;Intel Remote Control Helper;c:\windows\system32\drivers\rch.sys --> c:\windows\system32\drivers\rch.sys [?]
.
=============== Created Last 30 ================
.
2011-11-19 15:04:12 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\tS1ibD3pn4
2011-11-19 15:04:12 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\bQH6dWK7fLhXjCl
2011-11-19 14:58:56 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\UNycA1uvDoFpHsJ
2011-11-19 14:58:56 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\rdEL8gTZqYwIrOt
2011-11-19 02:37:33 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\nJ7dEL8gT
2011-11-19 02:37:33 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\dqhYCwkIVlNx0c2
2011-11-19 02:36:24 -------- d-----w- c:\program files\19D81
2011-11-19 02:33:30 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\49D19
2011-11-19 02:33:30 -------- d-----w- c:\program files\B1CF4
2011-11-19 02:33:01 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\EuvvSS2obF3pGQJ
2011-11-19 02:33:01 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\bdK8ZZ9hYwk
2011-11-19 02:32:57 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\148B1
2011-11-19 02:32:57 -------- d-----w- c:\program files\LP
2011-11-19 02:32:51 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\DdddEK88gRqhYw
2011-11-19 02:32:50 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\PXXwjjUVelOBzP
2011-11-13 18:59:56 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\Malwarebytes
2011-11-13 18:59:50 -------- d-----w- d:\documents and settings\all users\application data\Malwarebytes
2011-11-13 18:59:47 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-13 18:59:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-24 16:01:15 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-10-24 16:01:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-10-24 16:01:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-10-24 16:01:14 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-10-24 15:36:23 -------- d-----w- d:\documents and settings\wamcd.wamcd01\local settings\application data\Apple Computer
2011-10-24 15:35:58 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-10-24 15:35:58 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-10-24 15:34:45 -------- d-----w- c:\program files\iPod
2011-10-24 15:34:42 -------- d-----w- d:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-10-24 15:34:42 -------- d-----w- c:\program files\iTunes
2011-10-24 15:34:19 -------- d-----w- d:\documents and settings\wamcd.wamcd01\local settings\application data\Apple
2011-10-24 15:33:58 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-10-24 15:33:58 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-10-24 15:33:31 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-11-13 19:28:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 03:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 03:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 03:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
============= FINISH: 15:18:59.04 ===============



Removing Privacy Protection (Malwarebytes):

Malwarebytes' Anti-Malware 1.51.2.1300
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 8154

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/13/2011 2:05:33 PM
mbam-log-2011-11-13 (14-05-29).txt

Scan type: Quick scan
Objects scanned: 173561
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Exploit.Drop.Gen) -> Value: Privacy Protection -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\documents and settings\all users\application data\privacy.exe (Exploit.Drop.Gen) -> No action taken.
d:\documents and settings\wamcd.wamcd01\local settings\Temp\75F.tmp (Exploit.Drop.Gen) -> No action taken.
d:\documents and settings\wamcd.wamcd01\local settings\Temp\msimg32.dll (Trojan.Inject) -> No action taken.
d:\documents and settings\wamcd.wamcd01\local settings\Temp\~!#757.tmp (Trojan.FakeAlert) -> No action taken.
d:\documents and settings\wamcd.wamcd01\local settings\Temp\~!#758.tmp (Trojan.Inject) -> No action taken.
d:\documents and settings\wamcd.wamcd01\local settings\Temp\0.5731984555561629.exe (Exploit.Drop.2) -> No action taken.



Removing AV Protection 2011 (Malwarebytes):

Malwarebytes' Anti-Malware 1.51.2.1300
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 8154

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/19/2011 11:03:23 AM
mbam-log-2011-11-19 (11-03-21).txt

Scan type: Quick scan
Objects scanned: 173522
Time elapsed: 9 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eVVVrlOOBtP0uSi (Trojan.FakeAlert) -> Value: eVVVrlOOBtP0uSi -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\m7ffELL9gTXjYek8234A (Trojan.FakeAlert.CLGen) -> Value: m7ffELL9gTXjYek8234A -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\372.exe (Backdoor.CycBot) -> Value: 372.exe -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\documents and settings\wamcd.wamcd01\application data\ldr.ini (Malware.Trace) -> No action taken.
d:\documents and settings\wamcd.wamcd01\application data\dwme.exe (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\SYSTEM32\av protection 2011v121.exe (Trojan.FakeAlert.CLGen) -> No action taken.
c:\program files\LP\5371\372.exe (Backdoor.CycBot) -> No action taken.
 


TSF Security Manager, Emeritus · 42,836 Posts
There's more to do here, I'm afraid. Go ahead and run Malwarebytes again, and allow it to clean those items.

Next, Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications.

====================================================


Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
 

Registered · 117 Posts · Discussion Starter · #13
I'll do the ComboFix soon. Though, I did have Malwarebytes remove the files for the rogues when they were detected, since Malwarebytes didn't automatically remove them after it finished the scan.
 

TSF Security Manager, Emeritus · 42,836 Posts
Good, but do still run ComboFix. There are folders in the dds.txt that are malware, which MBAM did not detect.
 

Registered · 117 Posts · Discussion Starter · #15
Well, I finally got the chance to run ComboFix. However, when I opened it, it told me to disable Symantec. So, I right clicked the system tray icon and disabled it there (forgot to do so earlier). However, it ended up only disabling HALF of Symantec, and ComboFix popped up saying that there is POSSIBLE MACHINE DAMAGE if I don't disable it. Well, instead of clicking OK, I clicked the X button on the dialogue box, hoping ComboFix would stop running. Well, it just kept running. What do I do?
 

Registered · 117 Posts · Discussion Starter · #16 (Edited)
Double Post!!
Combofix ran normally without any problems. It also uninstalled without any problems. Though, after a restart, I noticed a few things wouldn't open, but after restarting again, it seems to be just fine. I really hope I didn't mess anything up.
Another note: when I went to uninstall it, I thought it was going to scan again, so before it could, I rebooted (it was nagging me about Symantec again). Though, I did the uninstall command again after a reboot and it went perfectly fine.

EDIT: I can't get My Computer or anything else like that to open -.-

EDIT 2: and nothing happens when I click "Restart" or "Shut down". I have to force-restart it with the power button.

Anyway, here's the log:

ComboFix 11-12-08.01 - wamcd 12/08/2011 14:35:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.203 [GMT -5:00]
Running from: d:\documents and settings\wamcd.WAMCD01\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\LP
c:\program files\LP\5371\20C8.tmp
c:\program files\LP\5371\20CA.tmp
c:\program files\LP\5374\3.tmp
c:\program files\LP\5374\5.tmp
c:\program files\LP\5374\6.tmp
c:\windows\CSC\d6
c:\windows\dasetup.log
c:\windows\help\wmplayer.bak
c:\windows\system32\PowerToyReadme.htm
c:\windows\TSOC.LOG
d:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
d:\documents and settings\wamcd.WAMCD01\Start Menu\Programs\AV Protection 2011
d:\documents and settings\wamcd.WAMCD01\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FILEMON
-------\Service_FILEMON
.
.
((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
.
.
2011-12-02 15:03 . 2011-12-02 15:03 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\JLAdventCalendarLondon2011
2011-12-02 15:02 . 2011-12-02 15:03 -------- d-----w- c:\program files\Jacquie Lawson London Advent Calendar
2011-11-19 15:04 . 2011-11-19 15:04 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\bQH6dWK7fLhXjCl
2011-11-19 15:04 . 2011-11-19 15:04 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\tS1ibD3pn4
2011-11-19 14:58 . 2011-11-19 14:58 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\rdEL8gTZqYwIrOt
2011-11-19 14:58 . 2011-11-19 14:58 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\UNycA1uvDoFpHsJ
2011-11-19 02:37 . 2011-11-19 02:37 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\nJ7dEL8gT
2011-11-19 02:37 . 2011-11-19 02:37 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\dqhYCwkIVlNx0c2
2011-11-19 02:36 . 2011-11-29 08:16 -------- d-----w- c:\program files\19D81
2011-11-19 02:33 . 2011-12-06 02:14 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\49D19
2011-11-19 02:33 . 2011-12-06 01:12 -------- d-----w- c:\program files\B1CF4
2011-11-19 02:33 . 2011-11-19 02:33 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\EuvvSS2obF3pGQJ
2011-11-19 02:33 . 2011-11-19 02:33 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\bdK8ZZ9hYwk
2011-11-19 02:32 . 2011-12-06 02:14 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\148B1
2011-11-19 02:32 . 2011-11-19 02:32 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\DdddEK88gRqhYw
2011-11-19 02:32 . 2011-11-19 02:32 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\PXXwjjUVelOBzP
2011-11-13 18:59 . 2011-11-13 18:59 -------- d-----w- d:\documents and settings\wamcd.WAMCD01\Application Data\Malwarebytes
2011-11-13 18:59 . 2011-11-13 18:59 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-13 18:59 . 2011-11-19 16:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-13 18:59 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-13 19:28 . 2011-07-05 23:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2004-06-07 18:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-11 00:04 . 2011-05-30 22:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 19:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"nwiz"="nwiz.exe" [2003-05-02 323584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-22 180269]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2002-08-15 77887]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-08-11 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"HPUsageTrackingLEDM"="c:\program files\HP\HP UT LEDM\bin\hppusg.exe" [2009-08-04 30264]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
c:\windows\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\
Configure IE for BEN Financials.lnk - d:\documents and settings\Default User\Application Data\BEN Financials XP SP2 Installer\ben-ie-conf.exe [2005-11-9 110794]
.
d:\documents and settings\wamcd.WAMCD01\Start Menu\Programs\Startup\
Jacquie Lawson London Advent Calendar.lnk - c:\program files\Jacquie Lawson London Advent Calendar\Jacquie Lawson London Advent Calendar.exe [2011-12-2 142336]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
CorelCENTRAL 10.lnk - c:\windows\Installer\{F73E7B59-F951-11D4-884D-00902761A46D}\I_26dadCC.exe [2006-12-8 5222]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= "qvphook.dll" [1999-01-14 41472]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Corel\\WordPerfect Office 2002\\Register\\NAVBrowser.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"33899:TCP"= 33899:TCP:*:Disabled:Remote Desktop SASC Standard Port
.
R2 ASFAgent;ASF Agent;c:\program files\intel\ASF Agent\ASFAgent.exe [5/8/2002 9:51 AM 212992]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [6/24/2009 10:57 AM 136704]
R2 HPSIService;HP SI Service;c:\windows\SYSTEM32\HPSIsvc.exe [12/17/2010 7:25 PM 99896]
R2 IDFEndpointService;Identity Finder Endpoint Service;c:\program files\Identity Finder 4\idfEndpoint.exe [10/13/2010 4:06 AM 6181376]
R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [5/7/2002 4:05 PM 39680]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1/1/1980 28672]
R2 PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [5/7/2002 4:06 PM 23744]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [11/10/2011 4:00 AM 106104]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [10/7/2002 5:37 PM 6942]
R3 mvusbews;USB EWS Device;c:\windows\SYSTEM32\DRIVERS\mvusbews.sys [12/17/2010 7:25 PM 17408]
S3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\SYSTEM32\DRIVERS\a302.sys [8/29/2003 8:59 AM 11319]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [3/30/2009 3:55 PM 23888]
S3 Intel Remote Control Helper;Intel Remote Control Helper;c:\windows\system32\drivers\rch.sys --> c:\windows\system32\drivers\rch.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-08 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
2011-12-08 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 19:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://education.dellnet.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18}
FF - ProfilePath - d:\documents and settings\wamcd.WAMCD01\Application Data\Mozilla\Firefox\Profiles\o40f8ch2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=302398&p=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-12-08 14:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\TelnetServer\1.0\ReadConfig]
@DACL=(02 0000)
"Defaults"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.EXE'(2336)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-12-08 15:04:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-08 20:04
.
Pre-Run: 29,522,853,888 bytes free
Post-Run: 29,572,960,256 bytes free
.
- - End Of File - - 57BBA22B4245D35583D8645E6B7C5A46
 

Registered · 117 Posts · Discussion Starter · #17
(Editing time limit ran out)

EDIT 3: Well, Windows is now just being really slow to restart/shut down. Still, what happened? He's had the "Windows Explorer won't open" problem a few times before, so it might just be his computer.
 

TSF Security Manager, Emeritus · 42,836 Posts
Hi Scott,

I just got home from work, and don't have time right now to give you the next steps. I see leftover malware in ComboFix.txt that we need to address.

Please just sit tight for an hour or so until I have the time to review it and compose the reply.

Do not run ComboFix or any other tools on your own while you're waiting - please, just wait for me. :)
 

TSF Security Manager, Emeritus · 42,836 Posts
Hi,
Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


Please - in the future, do not uninstall ComboFix until I advise you to. When you uninstall it, you delete all the backups it made, including Erunt backups that could be used if something goes wrong.

Also -
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
You need to allow it to install the Recovery Console. As I explained earlier...

Ried said:
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


You'll need to download ComboFix again from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications.

***************************************************

Open notepad and copy/paste the text in the code box below into it:

Folder::
d:\documents and settings\wamcd.WAMCD01\Application Data\bQH6dWK7fLhXjCl
d:\documents and settings\wamcd.WAMCD01\Application Data\tS1ibD3pn4
d:\documents and settings\wamcd.WAMCD01\Application Data\rdEL8gTZqYwIrOt
d:\documents and settings\wamcd.WAMCD01\Application Data\UNycA1uvDoFpHsJ
d:\documents and settings\wamcd.WAMCD01\Application Data\nJ7dEL8gT
d:\documents and settings\wamcd.WAMCD01\Application Data\dqhYCwkIVlNx0c2
c:\program files\19D81
d:\documents and settings\wamcd.WAMCD01\Application Data\49D19
c:\program files\B1CF4
d:\documents and settings\wamcd.WAMCD01\Application Data\EuvvSS2obF3pGQJ
d:\documents and settings\wamcd.WAMCD01\Application Data\bdK8ZZ9hYwk
d:\documents and settings\wamcd.WAMCD01\Application Data\148B1
d:\documents and settings\wamcd.WAMCD01\Application Data\DdddEK88gRqhYw
d:\documents and settings\wamcd.WAMCD01\Application Data\PXXwjjUVelOBzP

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************


Referring to the picture above, drag CFScript into ComboFix.exe. Allow ComboFix to install the Recovery Console.

When finished, please post the contents of C:\ComboFix.txt
 
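The folder triage the helper (Ried) did by hand above, picking the random-named Application Data and Program Files directories out of the DDS "Created Last 30" listing and turning them into the CFScript Folder:: block, as an added Python example; it is not part of this thread or of the DDS/ComboFix tools. The name heuristics and the same-second co-creation rule are my assumptions about what makes those entries stand out, not the helper's stated method; the sample input is copied from the DDS log posted earlier in the thread.

```python
import re

# Sample input: the "Created Last 30" block of the DDS.txt posted in this thread
# (timestamp, size or dashes, attribute flags, path), trimmed to the directory
# entries plus one file entry so the directory filter has something to skip.
DDS_CREATED_LAST_30 = r"""
2011-11-19 15:04:12 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\tS1ibD3pn4
2011-11-19 15:04:12 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\bQH6dWK7fLhXjCl
2011-11-19 14:58:56 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\UNycA1uvDoFpHsJ
2011-11-19 14:58:56 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\rdEL8gTZqYwIrOt
2011-11-19 02:37:33 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\nJ7dEL8gT
2011-11-19 02:37:33 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\dqhYCwkIVlNx0c2
2011-11-19 02:36:24 -------- d-----w- c:\program files\19D81
2011-11-19 02:33:30 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\49D19
2011-11-19 02:33:30 -------- d-----w- c:\program files\B1CF4
2011-11-19 02:33:01 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\EuvvSS2obF3pGQJ
2011-11-19 02:33:01 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\bdK8ZZ9hYwk
2011-11-19 02:32:57 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\148B1
2011-11-19 02:32:57 -------- d-----w- c:\program files\LP
2011-11-19 02:32:51 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\DdddEK88gRqhYw
2011-11-19 02:32:50 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\PXXwjjUVelOBzP
2011-11-13 18:59:56 -------- d-----w- d:\documents and settings\wamcd.wamcd01\application data\Malwarebytes
2011-11-13 18:59:50 -------- d-----w- d:\documents and settings\all users\application data\Malwarebytes
2011-11-13 18:59:47 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-13 18:59:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-24 15:36:23 -------- d-----w- d:\documents and settings\wamcd.wamcd01\local settings\application data\Apple Computer
2011-10-24 15:34:42 -------- d-----w- d:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-10-24 15:34:42 -------- d-----w- c:\program files\iTunes
2011-10-24 15:34:19 -------- d-----w- d:\documents and settings\wamcd.wamcd01\local settings\application data\Apple
2011-10-24 15:33:31 -------- d-----w- c:\program files\Bonjour
"""

# One DDS "Created" entry: timestamp, size (or dashes), 8 attribute flags, path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S{8})\s+(.+)$")
# Parents the rogue in this thread dropped into (assumption: the locations worth triaging).
DROP_PARENTS = ("application data", "program files")
# Short all-hex ids such as 19D81 or B1CF4 (must contain a digit and a letter).
HEX_ID_RE = re.compile(r"^(?=.*\d)(?=.*[A-F])[0-9A-F]{5,8}$")
ALNUM_RE = re.compile(r"^[A-Za-z0-9]{5,}$")


def parse_created_lines(text):
    """Parse DDS 'Created Last 30' lines into {stamp, is_dir, path} records."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp, _size, attrs, path = m.groups()
            entries.append({"stamp": stamp, "is_dir": attrs.startswith("d"), "path": path})
    return entries


def looks_random(name):
    """Heuristic (an assumption, not a verdict): a short hex id, or an alphanumeric
    name with frequent case flips or digits wedged between letters."""
    if HEX_ID_RE.match(name):
        return True
    if not ALNUM_RE.match(name):
        return False
    # Count lower/upper flips between adjacent letters, skipping the first letter
    # so ordinary capitalised names ("Malwarebytes") score zero.
    flips = sum(1 for a, b in zip(name[1:], name[2:])
                if a.isalpha() and b.isalpha() and a.islower() != b.islower())
    digits_inside = re.search(r"[A-Za-z]\d+[A-Za-z]", name) is not None
    return flips >= 3 or (digits_inside and flips >= 1)


def in_drop_location(path):
    parent = path.rsplit("\\", 1)[0].lower()
    return parent.endswith(DROP_PARENTS)


def triage_dirs(entries):
    """Return [(path, reason)] for directories worth a closer look, in log order."""
    candidates = [e for e in entries if e["is_dir"] and in_drop_location(e["path"])]
    reasons = {e["path"]: "random-looking name"
               for e in candidates if looks_random(e["path"].rsplit("\\", 1)[-1])}
    # A dropper writes its folders in a burst: anything created in the same second
    # as a flagged folder (c:\program files\LP here) is flagged as well.
    hot_stamps = {e["stamp"] for e in candidates if e["path"] in reasons}
    for e in candidates:
        if e["path"] not in reasons and e["stamp"] in hot_stamps:
            reasons[e["path"]] = "created same second as a flagged folder"
    return [(e["path"], reasons[e["path"]]) for e in candidates if e["path"] in reasons]


def cfscript_folder_block(flagged):
    """Render the hits as the Folder:: directive ComboFix's CFScript.txt uses."""
    return "Folder::\n" + "\n".join(path for path, _ in flagged) + "\n"


if __name__ == "__main__":
    hits = triage_dirs(parse_created_lines(DDS_CREATED_LAST_30))
    for path, why in hits:
        print(f"{why:42} {path}")
    print(cfscript_folder_block(hits))
```

Heuristics like these are triage cues, not verdicts: a legitimately odd-named folder will show up too, so each hit still needs a look before it goes into a removal script.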

Registered · 117 Posts · Discussion Starter · #20
Thank you very much for getting back to me! :)

I just uninstalled Combofix because I didn't know when I'd get the chance to run it again (and since it's a powerful tool, I didn't want someone to accidentally open it, unsure of what it was).

Though, I don't know why disabling Symantec only disabled half of it, but Combofix ran normally nonetheless.

Also, I knew there were those Application Data files leftover. After you mentioned malware remaining that MBAM didn't remove, I read over the DDS logs and saw those AppData directories. Though, how come we couldn't run the script on the first scan?
 