
Malware - 2 hits in the last several weeks


  • This topic is locked

#16 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
OTL scan is clear. :)

We need to use some bigger guns.

We need to temporarily remove your Anti-Virus, as it interferes with the fix I want to run. You can reinstall it again later. If you are not happy about doing this, please let me know before proceeding.

Download AppRemover and run it.

Click Next >>
Posted Image


Ensure "Remove Security Application" is selected and click Next >>
Posted Image


AppRemover will scan all the security applications on your PC
Posted Image

Select Any AVG entries from the applications offered and click Next >> twice.
Posted Image

Follow any further on-screen instructions. If asked to reboot, please do so.

Note: Please do not browse the internet or open any email attachments until your Anti-Virus is re-installed


Next

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#17 wisesilver (Topic Starter, Member, 501 posts)
Hi Salagubang. :)
1) I ran AppRemover and removed All antimalware products: AVG, Malwarebytes, Super Antispyware, Spybot Search and Destroy. I rebooted
2) ComboFix "complained" that AVG was still there. So, I reran AppRemover. It removed another anti Malware product and I rebooted.
3) Still ComboFix "complained" that AVG was there and wouldn't run. I went to C:\Programs and deleted the AVG Directory. TaDa, now ComboFix ran.
4) I ran ComboFix and went out to buy dinner. When I returned it was done and the log below was opened. So I didn't see anything that it did including the creation of the recovery console. But the recovery console may already have been there since I have run ComboFix on this machine before.
5) I rebooted to enter this log and the warning about windows update is now gone.

Do you think I missed anything important while ComboFix was running?

Here is the ComboFix Log:

ComboFix 11-05-17.03 - weissfamily 05/18/2011 19:35:26.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.605 [GMT -4:00]
Running from: c:\documents and settings\All Users\Desktop\Anti Malware\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\weissfamily\Application Data\.#
c:\documents and settings\weissfamily\Desktop\Windows Restore.lnk
c:\documents and settings\weissfamily\WINDOWS
c:\windows\system32\ndisapi.dll
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-18 00:58 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-05-18 00:58 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-05-18 00:58 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-05-18 00:58 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-05-18 00:58 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-05-18 00:56 . 2004-08-04 03:29 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys
2011-05-18 00:55 . 2001-08-17 16:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2011-05-18 00:54 . 2001-08-17 17:57 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
2011-05-18 00:53 . 2001-08-17 17:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2011-05-18 00:53 . 2008-04-13 18:45 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2011-05-18 00:53 . 2001-08-17 17:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2011-05-18 00:43 . 2001-08-17 17:52 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2011-05-18 00:42 . 2001-08-17 16:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2011-05-18 00:42 . 2001-08-18 02:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2011-05-18 00:42 . 2001-08-17 16:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2011-05-18 00:36 . 2001-08-17 17:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2011-05-18 00:36 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-05-18 00:36 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2011-05-18 00:36 . 2001-08-17 18:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2011-05-18 00:36 . 2001-08-17 16:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2011-05-18 00:36 . 2008-04-13 18:41 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2011-05-18 00:36 . 2001-08-18 02:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2011-05-18 00:36 . 2001-08-17 17:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2011-05-18 00:36 . 2001-08-17 16:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2011-05-18 00:36 . 2001-08-17 17:52 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2011-05-18 00:34 . 2001-08-18 02:36 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2011-05-18 00:34 . 2001-08-17 16:19 48768 -c--a-w- c:\windows\system32\dllcache\maestro.sys
2011-05-18 00:32 . 2001-08-17 16:12 45632 -c--a-w- c:\windows\system32\dllcache\ip5515.sys
2011-05-18 00:31 . 2001-08-17 17:28 289887 -c--a-w- c:\windows\system32\dllcache\hsf_fall.sys
2011-05-18 00:21 . 2001-08-17 16:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2011-05-18 00:20 . 2001-08-17 16:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2011-05-18 00:19 . 2008-04-13 18:36 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
2011-05-18 00:18 . 2001-08-17 17:52 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys
2011-05-18 00:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2011-05-18 00:15 . 2001-08-17 18:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2011-05-16 22:31 . 2011-05-16 22:31 -------- d-----w- c:\program files\ESET
2011-05-14 19:12 . 2011-05-14 19:12 11264 ----a-w- c:\windows\system32\drivers\uzqwnzm2.sys
2011-05-14 05:16 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\90301632.sys
2011-05-14 05:16 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\9030163.sys
2011-05-14 05:16 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\90301631.sys
2011-05-14 03:59 . 2011-05-14 03:59 -------- d-----w- C:\_OTL
2011-05-01 09:58 . 2011-05-01 09:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-01 03:33 . 2011-05-01 03:55 -------- d-----w- c:\program files\Weiss
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2007-11-08 04:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2001-08-23 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-23 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-20 22:17 . 2011-02-20 21:42 2478272 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-02-20 21:42 . 2011-02-20 21:42 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2011-05-17 01:11 . 2011-03-26 21:34 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2004-11-12 212992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"schedule"="c:\program files\InterVideo\Backup\Schedule.exe" [2004-09-01 40960]
"WINCINEMAMGR"="c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe" [2005-01-17 270336]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-01-27 1381376]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2003-05-04 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2003-05-04 40960]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-11-10 270336]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoCommonGroups"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold Legends\\StrongholdLegends.exe"=
"c:\\Documents and Settings\\weissfamily\\My Documents\\World of Warcraft\\Launcher.exe"=
"c:\\Documents and Settings\\weissfamily\\My Documents\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Documents and Settings\\weissfamily\\My Documents\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Documents and Settings\\weissfamily\\My Documents\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Documents and Settings\\weissfamily\\My Documents\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\StarCraft II\\StarCraft II.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R0 90301632;90301632 Boot Guard Driver;c:\windows\system32\drivers\90301632.sys [5/14/2011 1:16 AM 37392]
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [11/10/2007 10:21 PM 38784]
R1 90301631;90301631;c:\windows\system32\drivers\90301631.sys [5/14/2011 1:16 AM 128016]
R1 ndicql;ndicql;c:\windows\system32\drivers\ndicql.sys [3/23/2008 12:55 AM 19712]
R1 uzqwnzm2;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzqwnzm2.sys [5/14/2011 3:12 PM 11264]
R2 HPW5ECP;HPW5ECP;c:\windows\system32\drivers\HPW5ECP.sys [9/25/1998 7:06 AM 44032]
R2 SBFSHOOK;SBFSHOOK;c:\windows\system32\drivers\sbfshook.sys [11/10/2007 10:24 PM 8320]
R2 wdserver;WatchDog Network Server;c:\program files\WatchDog\wdserver.exe [5/7/2003 1:22 PM 208896]
S1 56576501;56576501;c:\windows\system32\DRIVERS\56576501.sys --> c:\windows\system32\DRIVERS\56576501.sys [?]
S1 avgnt;avgnt;c:\windows\system32\drivers\avgnt.sys --> c:\windows\system32\drivers\avgnt.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 11:31 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 11:31 PM 136176]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [11/10/2007 10:21 PM 116224]
S3 ujqwnzm2;AVZ-SG Kernel Driver;\??\c:\windows\system32\Drivers\ujqwnzm2.sys --> c:\windows\system32\Drivers\ujqwnzm2.sys [?]
S3 utqwnzm2;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utqwnzm2.sys --> c:\windows\system32\Drivers\utqwnzm2.sys [?]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [12/8/2009 10:24 PM 48128]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 11:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 4:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 4:23 AM 366936]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - udffsrec
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 03:31]
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 03:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\weissfamily\Application Data\Mozilla\Firefox\Profiles\yimajthb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
AddRemove-Adobe_a68eec966ce913ddaa63251dc82ed31 - c:\program files\Common Files\Adobe\Installers\a68eec966ce913ddaa63251dc82ed31\Setup.exe
AddRemove-HijackThis - c:\documents and settings\Mom-N-Dad\Desktop\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 19:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1275210071-412668190-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:a2,8d,08,4b,28,de,73,b5,30,23,d0,a7,86,59,b5,8b,d0,e5,4b,97,bd,
f7,06,72,09,79,24,87,99,02,64,f5,14,48,b6,ae,40,dd,df,2f,72,8a,e0,fd,e0,92,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-18 19:52:34
ComboFix-quarantined-files.txt 2011-05-18 23:52
ComboFix2.txt 2009-03-31 23:13
.
Pre-Run: 32,695,947,264 bytes free
Post-Run: 32,834,592,768 bytes free
.
- - End Of File - - 3C29B9782AB36CB9EB6F75E125D3050F

#18 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Here you go. :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
90301632
90301631
ndicql
uzqwnzm2
56576501
iviudf
ujqwnzm2
utqwnzm2

File::
c:\windows\system32\drivers\90301632.sys
c:\windows\system32\drivers\90301631.sys
c:\windows\system32\drivers\ndicql.sys
c:\windows\system32\drivers\uzqwnzm2.sys
c:\windows\system32\DRIVERS\56576501.sys
c:\windows\system32\drivers\IviUdf.sys
c:\windows\system32\Drivers\ujqwnzm2.sys
c:\windows\system32\Drivers\utqwnzm2.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
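An added example (my code, not Salagubang's and not part of ComboFix) that parses the R*/S* driver and service lines of the ComboFix log in post #17 and emits the Driver:: and File:: sections of a CFScript in the shape post #18 builds by hand. The sample lines are copied from that log; the triage heuristics (binary missing on disk, no descriptive display name, purely numeric key name) are my assumptions for shortening a helper's review list, not ComboFix's own logic.

```python
import re
from typing import List, NamedTuple


class ServiceEntry(NamedTuple):
    start: str     # ComboFix start code as printed, e.g. R0 or S3
    name: str      # service/driver key name
    display: str   # display name ComboFix read from the registry
    path: str      # image path, with any \??\ NT prefix removed
    missing: bool  # True when ComboFix printed "--> <path> [?]" (binary not found on disk)


# One ComboFix service line: "<start> <name>;<display>;<path> [<date> <size>]",
# or "<path> --> <path> [?]" when the registered binary no longer exists.
_LINE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# Constructed sample: service lines copied from the ComboFix log in post #17,
# plus the legitimate gupdate entry for contrast.
SAMPLE_LOG = r"""
R0 90301632;90301632 Boot Guard Driver;c:\windows\system32\drivers\90301632.sys [5/14/2011 1:16 AM 37392]
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [11/10/2007 10:21 PM 38784]
R1 uzqwnzm2;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzqwnzm2.sys [5/14/2011 3:12 PM 11264]
S1 56576501;56576501;c:\windows\system32\DRIVERS\56576501.sys --> c:\windows\system32\DRIVERS\56576501.sys [?]
S3 ujqwnzm2;AVZ-SG Kernel Driver;\??\c:\windows\system32\Drivers\ujqwnzm2.sys --> c:\windows\system32\Drivers\ujqwnzm2.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 11:31 PM 136176]
"""


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Extract the R*/S* driver and service lines from a ComboFix log."""
    entries: List[ServiceEntry] = []
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # section banners, registry keys, file listings: skip
        rest = m.group("rest")
        missing = " --> " in rest
        path = rest.split(" --> ", 1)[1] if missing else rest
        path = re.sub(r"\s*\[[^\]]*\]\s*$", "", path)  # drop "[date size]" or "[?]"
        if path.startswith("\\??\\"):
            path = path[4:]
        entries.append(ServiceEntry(m.group("start"), m.group("name"),
                                    m.group("display"), path, missing))
    return entries


def triage(entries: List[ServiceEntry]) -> List[str]:
    """Names worth a second look. Heuristics are mine (assumption), not ComboFix's:
    binary missing from disk, no descriptive display name, or a purely numeric key.
    A human still decides; this only shortens the list to read."""
    flagged = []
    for e in entries:
        bare_display = e.display.strip().lower() == e.name.strip().lower()
        if e.missing or bare_display or e.name.isdigit():
            flagged.append(e.name)
    return flagged


def build_cfscript(entries: List[ServiceEntry], names: List[str]) -> str:
    """Emit the Driver:: and File:: sections of a CFScript for the chosen services,
    in the same shape as post #18: key names under Driver::, image paths under File::."""
    wanted = {n.lower() for n in names}
    chosen = [e for e in entries if e.name.lower() in wanted]
    lines = ["Driver::"] + [e.name for e in chosen]
    lines += ["", "File::"] + [e.path for e in chosen]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_LOG)
    print("flagged for review:", triage(parsed))
    print(build_cfscript(parsed, ["90301632", "uzqwnzm2", "56576501", "ujqwnzm2"]))
```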

#19 wisesilver (Topic Starter, Member, 501 posts)
Hi Salagubang. :unsure:

After dragging CFScript.txt to ComboFix.exe, I assume you want me to then run ComboFix.exe. Then post the log. :yes: Is this correct? :)

#20 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Combofix will automatically run when you drag the scripts. :)

After that, post the log it creates. No need to do another run.

#21 wisesilver (Topic Starter, Member, 501 posts)
Hi Salagubang. :) I moved the CFScript.txt file to ComboFix.exe and let it run. Attached is the Log file. :unsure:

ComboFix 11-05-18.04 - weissfamily 05/19/2011 18:41:22.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.449 [GMT -4:00]
Running from: c:\documents and settings\All Users\Desktop\Anti Malware\ComboFix.exe
Command switches used :: c:\documents and settings\All Users\Desktop\Anti Malware\CFScript.txt
.
FILE ::
"c:\windows\system32\DRIVERS\56576501.sys"
"c:\windows\system32\drivers\90301631.sys"
"c:\windows\system32\drivers\90301632.sys"
"c:\windows\system32\drivers\IviUdf.sys"
"c:\windows\system32\drivers\ndicql.sys"
"c:\windows\system32\Drivers\ujqwnzm2.sys"
"c:\windows\system32\Drivers\utqwnzm2.sys"
"c:\windows\system32\drivers\uzqwnzm2.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\90301631.sys
c:\windows\system32\drivers\90301632.sys
c:\windows\system32\drivers\IviUdf.sys
c:\windows\system32\drivers\ndicql.sys
c:\windows\system32\drivers\uzqwnzm2.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_56576501
-------\Legacy_90301631
-------\Legacy_90301632
-------\Legacy_IVIUDF
-------\Legacy_NDICQL
-------\Legacy_UJQWNZM2
-------\Legacy_UTQWNZM2
-------\Legacy_UZQWNZM2
-------\Service_56576501
-------\Service_90301631
-------\Service_90301632
-------\Service_iviudf
-------\Service_ndicql
-------\Service_ujqwnzm2
-------\Service_utqwnzm2
-------\Service_uzqwnzm2
.
.
((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))
.
.
2011-05-18 00:58 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-05-18 00:58 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-05-18 00:58 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-05-18 00:58 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-05-18 00:58 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-05-18 00:56 . 2004-08-04 03:29 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys
2011-05-18 00:55 . 2001-08-17 16:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2011-05-18 00:54 . 2001-08-17 17:57 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
2011-05-18 00:53 . 2001-08-17 17:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2011-05-18 00:53 . 2008-04-13 18:45 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2011-05-18 00:53 . 2001-08-17 17:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2011-05-18 00:43 . 2001-08-17 17:52 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2011-05-18 00:42 . 2001-08-17 16:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2011-05-18 00:42 . 2001-08-18 02:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2011-05-18 00:42 . 2001-08-17 16:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2011-05-18 00:36 . 2001-08-17 17:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2011-05-18 00:36 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-05-18 00:36 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2011-05-18 00:36 . 2001-08-17 18:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2011-05-18 00:36 . 2001-08-17 16:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2011-05-18 00:36 . 2008-04-13 18:41 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2011-05-18 00:36 . 2001-08-18 02:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2011-05-18 00:36 . 2001-08-17 17:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2011-05-18 00:36 . 2001-08-17 16:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2011-05-18 00:36 . 2001-08-17 17:52 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2011-05-18 00:34 . 2001-08-18 02:36 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2011-05-18 00:34 . 2001-08-17 16:19 48768 -c--a-w- c:\windows\system32\dllcache\maestro.sys
2011-05-18 00:32 . 2001-08-17 16:12 45632 -c--a-w- c:\windows\system32\dllcache\ip5515.sys
2011-05-18 00:31 . 2001-08-17 17:28 289887 -c--a-w- c:\windows\system32\dllcache\hsf_fall.sys
2011-05-18 00:21 . 2001-08-17 16:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2011-05-18 00:20 . 2001-08-17 16:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2011-05-18 00:19 . 2008-04-13 18:36 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
2011-05-18 00:18 . 2001-08-17 17:52 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys
2011-05-18 00:17 . 2001-08-18 02:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2011-05-18 00:15 . 2001-08-17 18:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2011-05-16 22:31 . 2011-05-16 22:31 -------- d-----w- c:\program files\ESET
2011-05-14 05:16 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\9030163.sys
2011-05-14 03:59 . 2011-05-14 03:59 -------- d-----w- C:\_OTL
2011-05-01 09:58 . 2011-05-01 09:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-01 03:33 . 2011-05-01 03:55 -------- d-----w- c:\program files\Weiss
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2007-11-08 04:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2001-08-23 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-23 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-20 22:17 . 2011-02-20 21:42 2478272 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-02-20 21:42 . 2011-02-20 21:42 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2011-05-17 01:11 . 2011-03-26 21:34 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2004-11-12 212992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"schedule"="c:\program files\InterVideo\Backup\Schedule.exe" [2004-09-01 40960]
"WINCINEMAMGR"="c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe" [2005-01-17 270336]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-01-27 1381376]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2003-05-04 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2003-05-04 40960]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-11-10 270336]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoCommonGroups"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold Legends\\StrongholdLegends.exe"=
"c:\\Documents and Settings\\weissfamily\\My Documents\\World of Warcraft\\Launcher.exe"=
"c:\\Documents and Settings\\weissfamily\\My Documents\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Documents and Settings\\weissfamily\\My Documents\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Documents and Settings\\weissfamily\\My Documents\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Documents and Settings\\weissfamily\\My Documents\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\StarCraft II\\StarCraft II.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [11/10/2007 10:21 PM 38784]
R2 HPW5ECP;HPW5ECP;c:\windows\system32\drivers\HPW5ECP.sys [9/25/1998 7:06 AM 44032]
R2 SBFSHOOK;SBFSHOOK;c:\windows\system32\drivers\sbfshook.sys [11/10/2007 10:24 PM 8320]
S1 avgnt;avgnt;c:\windows\system32\drivers\avgnt.sys --> c:\windows\system32\drivers\avgnt.sys [?]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [12/8/2009 10:24 PM 48128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 4:09 AM 239336]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - udffsrec
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 03:31]
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 03:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\weissfamily\Application Data\Mozilla\Firefox\Profiles\yimajthb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-19 18:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1275210071-412668190-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:a2,8d,08,4b,28,de,73,b5,30,23,d0,a7,86,59,b5,8b,d0,e5,4b,97,bd,
f7,06,72,09,79,24,87,99,02,64,f5,14,48,b6,ae,40,dd,df,2f,72,8a,e0,fd,e0,92,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1412)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\program files\WatchDog\wdserver.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-05-19 19:07:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-19 23:07
ComboFix2.txt 2011-05-18 23:52
ComboFix3.txt 2009-03-31 23:13
.
Pre-Run: 32,742,023,168 bytes free
Post-Run: 32,601,133,056 bytes free
.
- - End Of File - - ED1C02252237FC4439A635B9A9675E6F
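The log above is worth a second look beyond "no hidden files": the Security Center block shows AntiVirusOverride and FirewallOverride both set to 1, the standard firewall profile has EnableFirewall=0 with DisableNotifications=1, port 3724/TCP is open to the world, and one driver entry (avgnt) points at a file that no longer exists. Those are exactly the settings malware flips to silence "your protection is off" warnings, but they are also what a user gets after telling Security Center to stop nagging or after a half-removed AV suite, so they have to be judged by a person. The script below is an added example, not part of ComboFix or of anyone's post in this thread: it parses the registry-dump sections as ComboFix prints them (a [key] header, "name"= value lines, a lone dot closing each block) plus the R*/S* service lines, and turns each weakening setting into a finding. The sample input is a constructed, cut-down copy in the layout of the log above; the section names and value renderings are taken from that log, and the meaning of each value is standard Windows XP Security Center and Windows Firewall registry semantics.

```python
"""Audit a ComboFix log excerpt for settings that weaken Windows protection.

Added example for this thread, not part of ComboFix or the original posts.
It reads the registry dump sections ComboFix prints ([key] header, "name"= value
lines, a lone '.' closing each block) and the R*/S* service lines, and flags:
  - Security Center AntiVirusOverride / FirewallOverride set to 1
  - Windows Firewall standard profile disabled or with notifications suppressed
  - globally opened firewall ports
  - drivers/services whose image file is missing (ComboFix prints '--> path [?]')
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a cut-down copy in the layout of the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [11/10/2007 10:21 PM 38784]
S1 avgnt;avgnt;c:\windows\system32\drivers\avgnt.sys --> c:\windows\system32\drivers\avgnt.sys [?]
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
ORPHAN_SVC_RE = re.compile(
    r"^[RS]\d\s+(?P<svc>[^;]+);.*-->\s+(?P<path>\S+)\s+\[\?\]\s*$"
)


def parse_value(raw: str) -> Optional[int]:
    """Decode ComboFix's two integer renderings: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    return None  # strings, REG_MULTI_SZ, empty values


def parse_registry_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] block (lower-cased) to its "name"= raw-value pairs."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.strip() == ".":  # ComboFix closes every block with a lone dot
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("raw")
    return sections


def audit(text: str) -> List[str]:
    """Return one human-readable finding per protection-weakening setting."""
    findings: List[str] = []
    for key, values in parse_registry_sections(text).items():
        if key.endswith(r"\security center"):
            # 1 = Security Center stops monitoring/alerting for that component.
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if parse_value(values.get(name, "")) == 1:
                    findings.append(f"Security Center: {name}=1 (alerts suppressed)")
        elif key.endswith(r"\firewallpolicy\standardprofile"):
            if parse_value(values.get("EnableFirewall", "")) == 0:
                findings.append("Windows Firewall: EnableFirewall=0 (profile disabled)")
            if parse_value(values.get("DisableNotifications", "")) == 1:
                findings.append("Windows Firewall: DisableNotifications=1 (block prompts hidden)")
        elif key.endswith(r"\globallyopenports\list"):
            for port in values:
                findings.append(f"Windows Firewall: globally open port {port}")
    for line in text.splitlines():
        m = ORPHAN_SVC_RE.match(line)
        if m:  # registered driver whose file is gone: leftover or tampered entry
            findings.append(f"Service {m.group('svc')}: image missing ({m.group('path')})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run it over a saved ComboFix.txt instead of SAMPLE_LOG and it prints six findings for the state shown in this thread. The script only flags; it cannot tell a user-chosen override from one a trojan wrote, so the check a helper would do next is to ask whether the owner disabled these on purpose (a third-party firewall, or "I'll monitor it myself" in Security Center) and, if not, turn the firewall back on and clear the overrides once the antivirus is reinstalled. A driver entry whose file is missing is worth deleting too, since an orphaned service name is a place a later infection can drop a file and get loaded at boot.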

#22 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Looks good.

:)

You may reinstall your antivirus programs now. How is the computer running?

#23 wisesilver (Topic Starter, Member, 501 posts)
It is running a lot better. :unsure:

1) So, do you think you got everything? ;)
2) I use AVG, SuperAntiSpyware and Malwarebytes. Do you think I should keep with this combination? :)

Thank you for all your help. :) Let me know about the above. :yes:

#24 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Congratulations, the machine is clean. :unsure:

I use AVG, SuperAntiSpyware and Malwarebytes. Do you think I should keep with this combination?


A very good combination. :)

Let's wrap up.

We need to remove all the tools that you have used.
This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

Remove ComboFix
  • Click the Start button
  • Click Run...
  • Type Combofix /Uninstall in the run dialog box and click OK
Posted Image


Remove Other Tools
  • Download OTC to your desktop and run it
  • Click CleanUp! to begin the cleanup process and remove our tools, including this application
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes

You may manually delete any remaining clutter from your desktop.

Let's re-hide system files and folders.
Opening Windows Explorer (to get there right-click your Start button and go to "Explore"), please do the following:
  • Go to Tools (drop-down menu at the top of the window)
  • Go down and click Folder Options
  • Click on the View tab
  • Find the Hidden Files and Folders section of the box and check "Do not show hidden files and folders"
  • Again under Hidden Files and Folders, find "Hide protected operating system files (Recommended)" and check it (if it's already checked)
  • Click Apply, and then Ok at the bottom.
  • Close the window

++++++++++++++++++++++++++++++++++++

Maintaining your computer

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete CLEAN
THEN
  • Download Flush Flash from Here and follow the easy to use instructions on the same page
NEXT

Defrag the harddrive

++++++++++++++++++++++++++++++++++

Other things to keep in mind

Windows, Java, and Adobe products should all be kept up-to-date on a regular basis so the latest security fixes are in place on your computer. Please refer to the following links on how to manage these products.

Here are a few other applications you might consider. Keeping your temporary file area clean, your Windows registry backed up, and backing up your important data are all good techniques.
  • Flush Flash - by Bobbi Flekman - cleans Flash Player cookies
  • ERUNT (Emergency Recovery Utility NT) - a registry backup utility
  • Cobian Backup - a very good backup utility - read the tutorial here
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for Chrome and Opera.
Please remember that just having these programs is not enough. You must use them. Running a full spyware scan weekly, a full virus scan monthly, and checking for updates and cleaning your temporary files periodically is very important in keeping your computer in tip-top shape.

Finally, please take the time to read the following articles. Applying this information will help prevent future infections:

How to prevent malware by miekiemoes
Preventing Malware and Safe Computing by Rorschach112

This article will help you understand how you may have gotten infected:
How did I get infected in the first place?

Remember, you have to be smarter than the bad guys! Be safe out there! Posted Image

#25 wisesilver (Topic Starter, Member, 501 posts)
Hi Salagubang. :) I performed all of the items down to "Other things to keep in mind" and will perform these later.

I have one issue left: The computer is requesting an ATI driver for my video card. I looked for my install disk for the video card but haven't been able to locate it. Do you have a safe link where I might download a fresh driver? :) Also, the screen "paints" slowly when scrolling a Web page, etc., and I think this is related to the missing video driver. :)

Thank you! :unsure: :yes: ;)

#26 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Direct from AMD website:

http://support.amd.c...ages/index.aspx

#27 wisesilver (Topic Starter, Member, 501 posts)
Hi Salagubang. :unsure:

It was a strange process but I think the driver issue was somehow solved. :yes:

1) The site/link had me select choices to download the correct driver. I downloaded a file that both provided a Control console and the driver.
2) The driver eliminated the yellow question mark in the device manager for the display adaptor, but the console "complained" that there was an issue with the driver.
3) So, through the Control console I downloaded a second driver. Rebooting did strange things to my display (unusual colors, large size, much less detail).
4) So in Device manager I requested a restore of the previous (first download) driver. And I uninstalled the control panel so I wouldn't see the complaint. :)

I figure/hope that if Device Manager is happy I'm OK. After rerunning a Malware scan I think the test will be to have my son try a game requiring hi resolution graphics. If it runs fine then I would guess I'm OK.

Do you have any thoughts that would suggest something different Salagubang? :)

#28 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)

I figure/hope that if Device Manager is happy I'm OK. After rerunning a Malware scan I think the test will be to have my son try a game requiring hi resolution graphics. If it runs fine then I would guess I'm OK.


I concur, testing the driver on a game scenario would be best. :unsure:

When installing/upgrading video card drivers, it is best to uninstall the current driver to avoid conflicts. You can refer to the guide here on how to fix ATI driver issues. Nevertheless, if the drivers are now correctly installed then that is just fine. :)

#29 wisesilver (Topic Starter, Member, 501 posts)
Hi Salagubang. :unsure: I think we can close this thread. :yes: ;)

My son started Spore and the opening sequence graphics look fine. If I have trouble I will look at the link (thank you! :) ).

Thank you for all your help. :)

#30 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
You're welcome. :)