Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Firefox & IE redirect - Virus


  • Please log in to reply

#16
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,367 posts
  • MVP
This line keeps coming back:

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifggee]
[BU]

We removed it with OTL then Combofix removed it again as an orphan (registry entry which refers to a file that doesn't exist). It's possible that the klmd23 put it back. Let's see if GMER will run. (Step 4 in the guide: http://www.geekstogo...ide-t2852.html)

I'm also curious about a couple of files. Let's submit them to virustotal.com

Go to http://virustotal.com

click on the Browse button then paste in

c:\windows\system32\dllcache\iedvtool.dll

Open then Submit. It should think for a minute and tell you what it knows about the file.

If it says something like 0/39 at the top then it is OK. If not then copy the report and paste it into a reply.

Repeat for

c:\windows\system32\wininet.dll
c:\windows\system32\win32k.sys

WOT sounds pretty good. Continue to use it but also get the AdBlock Plus.

You might want to try No Scripts too:
https://addons.mozil...efox/addon/722/

I'm pretty sure that when you tell Spybot to immunize that it adds thousands of 127.0.0.1 entries to the hosts file. It may do a few other things.

Avast usually sends you a warning when there is a new version. Don't know why you didn't get it. Wouldn't hurt to let Avast do a boot scan. (Takes a long time - hours! - and you have to check with it once and a while.) Right click on the avast ball then Open Avast User Interface then Scan Computer then (on the left) Boot-time Scan. Once you tell it you want it then reboot and it should do its thing.

Ron
  • 0

Advertisements


#17
pla486

pla486

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Well, tried to run Gmer again in normal mode, but crashed. Ran again in Safe Mode, it read through the entire drive but didn't produce a report. Do I need to save using the save? I am unable to get to that button in safe mode. The version that I downloaded was created 12/15/09.

I have attached the results of the 3 files from Virus Total.

Attached Files


  • 0

#18
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,367 posts
  • MVP
Virus Total says 0/41 for all three so they are probably OK.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall:


RegLock::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifggee]

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifggee]

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.

Post the new log.

I'm not sure why gmer is having a hard time. Something that runs in normal mode but not in Safe Mode I guess. I suppose you may need to press the Save button if it didn't create a log. Or do another screen print if all else fails.

Ron

Ron

Edited by RKinner, 28 June 2010 - 12:43 PM.

  • 0

#19
pla486

pla486

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Here is the latest results. Your probably right on GMER. It doesn't produce a scroll to get down to the scan, save etc. End result I can't get to the Save button to save.

ComboFix 10-06-27.06 - owner 06/28/2010 14:58:16.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2232 [GMT -4:00]
Running from: c:\documents and settings\owner\Desktop\GEORGE.exe
Command switches used :: c:\documents and settings\owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-28 13:20 . 2010-06-28 13:32 -------- d-----w- C:\GEORGE8264G
2010-06-27 23:32 . 2010-06-27 23:32 503808 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23acdbe0-n\msvcp71.dll
2010-06-27 23:32 . 2010-06-27 23:32 499712 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23acdbe0-n\jmc.dll
2010-06-27 23:32 . 2010-06-27 23:32 348160 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23acdbe0-n\msvcr71.dll
2010-06-27 23:32 . 2010-06-27 23:32 61440 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-50e258a1-n\decora-sse.dll
2010-06-27 23:32 . 2010-06-27 23:32 12800 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-50e258a1-n\decora-d3d.dll
2010-06-27 23:32 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-27 23:10 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-27 23:10 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-27 23:10 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-27 23:10 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-27 23:10 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-27 23:10 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-27 23:10 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-27 23:10 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-27 23:10 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-27 23:10 . 2010-06-27 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-27 22:59 . 2007-04-28 03:39 95 ----a-w- c:\documents and settings\owner\Application Data\WinPatrol\Autoexec.bat
2010-06-27 22:59 . 2007-04-28 02:41 0 ----a-w- c:\documents and settings\owner\Application Data\WinPatrol\Config.sys
2010-06-27 22:59 . 2010-06-27 22:59 -------- d-----w- c:\documents and settings\owner\Application Data\WinPatrol
2010-06-27 22:58 . 2010-06-27 22:58 -------- d-----w- c:\program files\BillP Studios
2010-06-27 21:19 . 2010-06-27 21:36 -------- d-----w- C:\GEORGE6970G
2010-06-27 17:48 . 2010-06-27 17:55 -------- d-----w- C:\GEORGE
2010-06-25 17:55 . 2010-06-25 17:55 -------- d-----w- C:\_OTL
2010-06-24 20:46 . 2010-06-24 21:27 -------- d-----w- C:\6C12BD23
2010-06-24 20:00 . 2010-06-24 20:00 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
2010-06-24 20:00 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 20:00 . 2010-06-24 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-24 20:00 . 2010-06-24 20:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 20:00 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-21 18:07 . 2010-06-21 18:07 2812928 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191916-191106.dll
2010-06-13 23:55 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-04 17:22 . 2010-06-04 17:22 -------- d-----w- c:\documents and settings\owner\Application Data\PandoraRecovery
2010-06-04 17:22 . 2010-06-04 18:20 -------- d-----w- c:\program files\Pandora Recovery
2010-06-04 15:42 . 2010-06-04 15:42 -------- d-----w- c:\documents and settings\owner\Application Data\SUPERAntiSpyware.com
2010-06-04 15:42 . 2010-06-04 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-27 23:32 . 2008-05-16 20:16 -------- d-----w- c:\program files\Common Files\Java
2010-06-27 23:32 . 2008-05-16 20:17 -------- d-----w- c:\program files\Java
2010-06-27 23:10 . 2009-08-19 23:06 -------- d-----w- c:\program files\Alwil Software
2010-06-25 01:45 . 2009-12-08 18:11 -------- d-----w- c:\program files\CCleaner
2010-06-25 00:30 . 2008-05-17 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-24 21:50 . 2008-05-17 16:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-21 18:08 . 2010-03-31 17:56 -------- d-----w- c:\program files\Quicken
2010-06-21 18:07 . 2010-03-31 18:16 243032 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2010-06-10 20:30 . 2008-11-11 00:59 -------- d-----w- c:\documents and settings\owner\Application Data\Canon
2010-05-27 17:30 . 2010-05-27 17:30 5487616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19188-191916.dll
2010-05-06 14:01 . 2008-11-10 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-05-06 10:41 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-31 18:17 . 2010-03-31 18:17 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll
2010-03-31 18:17 . 2010-03-31 18:17 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll
2010-03-31 18:17 . 2010-03-31 18:17 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll
2010-03-31 18:17 . 2010-03-31 18:17 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll
2010-03-31 18:17 . 2010-03-31 18:17 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll
2010-03-31 18:17 . 2010-03-31 18:17 2844160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191714-19188.dll
2010-03-31 18:16 . 2010-03-31 18:16 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
2010-03-31 18:16 . 2010-03-31 18:16 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
2010-03-31 04:16 . 2010-03-31 04:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 04:10 . 2010-03-31 04:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2009-03-10 13:52 . 2009-01-30 01:38 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-03-10 13:52 . 2009-01-30 01:38 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-03-10 13:52 . 2009-02-02 21:23 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-01-30 01:38 . 2009-01-30 01:39 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-01-21 92168]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2006-09-13 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"LaunchList"="c:\program files\Pinnacle\Studio 11\LaunchList.exe" [2007-01-04 50712]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Messenger.lnk - c:\windows\DvzCommon\DvzMsgr.exe [2003-7-1 24576]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-16 809488]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 20:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/27/2010 7:10 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/27/2010 7:10 PM 19024]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/16/2009 4:14 PM 10384]
R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [4/27/2007 11:46 PM 203264]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [11/26/2008 9:15 AM 13352]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [8/28/2006 11:54 PM 10664]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 11:35 AM 50704]
.
Contents of the 'Scheduled Tasks' folder

2008-05-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-06-24 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://partnerpage.google.com/talkamerica.net
uInternet Settings,ProxyOverride = www.myantispyware.com;myantispyware.com;www.malwarebytes.org;go.trendmicro.com;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\w3cdljzz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{09AC5516-1D55-4CF9-8072-D6AB55C0AB6F} - (no file)
BHO-{1C0165E9-7758-4238-9D0B-E68F384EEC4A} - (no file)
BHO-{4788753c-eaf3-43fd-a342-84de2a4d7849} - (no file)
BHO-{9ADE2127-F831-404D-9A77-5D8C66158717} - (no file)
BHO-{B8047EE5-C42C-4044-B2F4-362D60D2C23D} - (no file)
BHO-{C19698EB-2FA2-4C44-8D47-99507B4A2EEC} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-28 15:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1770027372-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-796845957-1770027372-839522115-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-796845957-1770027372-839522115-1003)
@Allowed: (Read) (S-1-5-21-796845957-1770027372-839522115-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2000)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\NVIDIA Corporation\nView\nview.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-06-28 15:11:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-28 19:11
ComboFix2.txt 2010-06-28 13:32
ComboFix3.txt 2010-06-27 21:36
ComboFix4.txt 2010-06-27 17:55

Pre-Run: 70,958,497,792 bytes free
Post-Run: 70,936,772,608 bytes free

- - End Of File - - E8F794309FE6D4DF769ABB1716BF8B9A
  • 0

#20
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,367 posts
  • MVP
The evil registry entry did not come back this time so hopefully it is gone for good.

Are you still seeing any problems?

Ron
  • 0

#21
pla486

pla486

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
No, no problems at all right now. Everything seems to be working good.
  • 0

#22
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,367 posts
  • MVP
I think we will quit while we are ahead then.
  • 0

#23
pla486

pla486

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Thanks Ron for all your assistance on this. I will go ahead then and uninstall ComboFix. Anything special on OTL, TDDSKiller, MBR?

Hopefully with all the new adds help prevent future infections.
  • 0

#24
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,367 posts
  • MVP
I think OTL has a cleanup button. Don't normally use it tho.

The other you can just delete.

Ron
  • 0

#25
pla486

pla486

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
All is uninstalled and everything now seems to be working great.

Can't thank you enough for your help on this one.

Take care

Rick
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP