
Solved Beginner's Help

Discussion in 'Malware and Virus Removal Archive' started by AtomicTyson, 2010/04/02.

  1. 2010/04/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Then...
    Rename mbam.exe to broni.exe and try to run it again by double clicking on broni.exe.
     
  2. 2010/04/04
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Joined:
    2010/04/02
    Messages:
    70
    Likes Received:
    0
    exeHelper by Raktor
    Build 20100329
    Run at 20:26:56 on 04/04/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Removing HKCR\secfile
    Resetting filetype association for .com
    Removing HKCR\secfile
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100329

    Sorry, I don't know how to attach. And I renamed it broni and it still didn't work and it gave me the same error messages. Was I supposed to reinstall it and rename it or just rename the application?
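The exeHelper run above reset the .exe and .com file type associations, removed the HKCR\secfile ProgID, and reset the Userinit and Shell values; the DDS log later in the thread adds a 127.0.0.1 proxy, EnableLUA = 0 and Run entries starting from AppData\Local and the Windows root. As an added example that is not part of this thread (not the poster's code, nor exeHelper's or DDS's), here is a Python audit that checks a registry export for exactly those indicators. The .reg text it runs on is constructed for the example; the hijacker.exe path inside it is hypothetical, since the thread never shows where secfile pointed.

```python
"""Audit a Windows registry export (.reg) for the hijack indicators seen in this thread.
Added example, not code from the forum post, exeHelper or DDS. Runs offline on the
constructed sample below; on a real machine feed it the output of `reg export`."""
import re
# Constructed sample modelled on the thread's logs: .exe redirected to a "secfile" ProgID, a
# loopback proxy, UAC off, Run entries in AppData\Local and C:\Windows. hijacker.exe is hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="secfile"
[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"C:\\Users\\John\\AppData\\Local\\hypothetical\\hijacker.exe\" /START \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"Shell"="explorer.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"hogqnjlq"="C:\\Users\\John\\AppData\\Local\\ojhjalukq\\lcfyghktssd.exe"
"asam"="C:\\Windows\\asam.exe"
'''
WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
INET = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
POLICY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# (key, value name, value a clean install carries); '@' is the key's default value.
EXPECTED = [
    (r'HKEY_CLASSES_ROOT\.exe', '@', 'exefile'),
    (r'HKEY_CLASSES_ROOT\exefile\shell\open\command', '@', '"%1" %*'),
    (WINLOGON, 'Userinit', r'C:\Windows\system32\userinit.exe,'),
    (WINLOGON, 'Shell', 'explorer.exe'),
]
_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def parse_reg(text):
    """{KEY: {name: value}} from .reg text; keys upper-cased, dword values as int."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].upper()
            reg.setdefault(key, {})
            continue
        m = _VALUE.match(line)
        if not m or key is None:
            continue
        name = '@' if m.group(1) == '@' else re.sub(r'\\(.)', r'\1', m.group(2))
        raw = m.group(3)
        if raw.startswith('dword:'):
            reg[key][name] = int(raw[6:], 16)
        else:  # quoted string: undo \" and \\ ; hex:/binary data stays as raw text
            reg[key][name] = re.sub(r'\\(.)', r'\1', raw[1:-1]) if raw.startswith('"') else raw
    return reg

def get(reg, key, name):
    """Case-insensitive value lookup; None if the key or value is absent."""
    return next((v for n, v in reg.get(key.upper(), {}).items() if n.lower() == name.lower()), None)

def run_target(value):
    """Executable path from a Run value, quoted or not."""
    m = re.match(r'^"([^"]+)"', value) or re.match(r'^(.*?\.exe)', value, re.I)
    return m.group(1) if m else value

def is_suspect_path(path):
    """Started from a user profile or dropped straight into C:\\Windows; a lead, not a verdict (Google Update lives under AppData\\Local too)."""
    p = path.lower()
    return '\\appdata\\' in p or '\\temp\\' in p or re.match(r'^[a-z]:\\windows\\[^\\]+\.exe$', p) is not None

def audit(reg):
    """Human-readable findings; an empty list means none of these indicators fired."""
    findings = []
    for key, name, expected in EXPECTED:
        actual = get(reg, key, name)
        if not isinstance(actual, str) or actual.lower() != expected.lower():
            findings.append(f'{key}\\{name}: expected {expected!r}, found {actual!r}')
    for ext, good in (('.exe', 'exefile'), ('.com', 'comfile')):  # show where a redirect leads
        progid = get(reg, 'HKEY_CLASSES_ROOT\\' + ext, '@')
        if isinstance(progid, str) and progid.lower() != good:
            cmd = get(reg, 'HKEY_CLASSES_ROOT\\' + progid + r'\shell\open\command', '@')
            findings.append(f'{ext} opens via {progid}, whose command is {cmd!r}')
    proxy = get(reg, INET, 'ProxyServer') or ''
    if '127.0.0.1' in proxy or 'localhost' in proxy.lower():
        findings.append(f'browser traffic routed through a local proxy: {proxy}')
    if get(reg, POLICY, 'EnableLUA') == 0:
        findings.append('UAC disabled: EnableLUA = 0')
    for hive in ('HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE'):
        for name, val in reg.get(hive + r'\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN', {}).items():
            if isinstance(val, str) and is_suspect_path(run_target(val)):
                findings.append(f'Run entry [{name}] starts from an unusual location: {run_target(val)}')
    return findings

if __name__ == '__main__':
    for finding in audit(parse_reg(SAMPLE_REG)):  # real export: open(path, encoding='utf-16').read()
        print('[!]', finding)
```

On the sample this reports six findings: the .exe association pointing at secfile (and the command secfile runs), the loopback proxy, UAC off, and the two Run entries; the Sidebar entry under Program Files is left alone. On a real machine export the relevant keys with `reg export` (its output is UTF-16, which the commented-out `open` call handles) and treat the Run-entry hits as leads to verify rather than verdicts, since legitimate updaters also start from AppData\Local.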
     


  4. 2010/04/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


    Post fresh HijackThis log as well.
     
  5. 2010/04/06
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Joined:
    2010/04/02
    Messages:
    70
    Likes Received:
    0
    Sorry for the wait. DrWeb.csv will be posted first.

    [iTunes] keith urban thankyou(long edition).mp3;C:\Users\John\Documents\LimeWire\Saved;Trojan.WMALoader;Cured.;
    Setup.exe.bac_a03364\data001;C:\Documents and Settings\John\.housecall6.6\Quarantine\Setup.exe.bac_a03364;Adware.Zango;;
    Setup.exe.bac_a03364;C:\Documents and Settings\John\.housecall6.6\Quarantine;Container contains infected objects;Moved.;
    ZAN9C26.exeO.bac_a02640\___\Install.dll;C:\Documents and Settings\John\.housecall6.6\Quarantine\ZAN9C26.exeO.bac_a02640;Adware.Shopper.37;;
    ZAN9C26.exeO.bac_a02640\Resource.dll;C:\Documents and Settings\John\.housecall6.6\Quarantine\ZAN9C26.exeO.bac_a02640;Trojan.Popclick.44;;
    ZAN9C26.exeO.bac_a02640;C:\Documents and Settings\John\.housecall6.6\Quarantine;Archive contains infected objects;Moved.;
    ZAN9C26.exeO.bac_a03364\___\Install.dll;C:\Documents and Settings\John\.housecall6.6\Quarantine\ZAN9C26.exeO.bac_a03364;Adware.Shopper.37;;
    ZAN9C26.exeO.bac_a03364\Resource.dll;C:\Documents and Settings\John\.housecall6.6\Quarantine\ZAN9C26.exeO.bac_a03364;Trojan.Popclick.44;;
    ZAN9C26.exeO.bac_a03364;C:\Documents and Settings\John\.housecall6.6\Quarantine;Archive contains infected objects;Moved.;
    12a49b83-72b58147\myf/y/AppletX.class;C:\Documents and Settings\John\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\12a49b83-72b58147;Exploit.CVE2008.5353;;
    12a49b83-72b58147\myf/y/LoaderX.class;C:\Documents and Settings\John\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\12a49b83-72b58147;Exploit.CVE2008.5353;;
    12a49b83-72b58147\myf/y/PayloadX.class;C:\Documents and Settings\John\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\12a49b83-72b58147;Exploit.CVE2008.5353;;
    12a49b83-72b58147;C:\Documents and Settings\John\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3;Archive contains infected objects;Moved.;
    2220e1f4-5140e21f\myf/y/AppletX.class;C:\Documents and Settings\John\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\2220e1f4-5140e21f;Exploit.CVE2008.5353;;
    2220e1f4-5140e21f\myf/y/LoaderX.class;C:\Documents and Settings\John\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\2220e1f4-5140e21f;Exploit.CVE2008.5353;;
    2220e1f4-5140e21f\myf/y/PayloadX.class;C:\Documents and Settings\John\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\2220e1f4-5140e21f;Exploit.CVE2008.5353;;
    2220e1f4-5140e21f;C:\Documents and Settings\John\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52;Archive contains infected objects;Moved.;
    12a49b83-72b58147\myf/y/AppletX.class;C:\Documents and Settings\John\DoctorWeb\Quarantine\12a49b83-72b58147;Exploit.CVE2008.5353;;
    12a49b83-72b58147\myf/y/LoaderX.class;C:\Documents and Settings\John\DoctorWeb\Quarantine\12a49b83-72b58147;Exploit.CVE2008.5353;;
    12a49b83-72b58147\myf/y/PayloadX.class;C:\Documents and Settings\John\DoctorWeb\Quarantine\12a49b83-72b58147;Exploit.CVE2008.5353;;
    12a49b83-72b58147;C:\Documents and Settings\John\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
    2220e1f4-5140e21f\myf/y/AppletX.class;C:\Documents and Settings\John\DoctorWeb\Quarantine\2220e1f4-5140e21f;Exploit.CVE2008.5353;;
    2220e1f4-5140e21f\myf/y/LoaderX.class;C:\Documents and Settings\John\DoctorWeb\Quarantine\2220e1f4-5140e21f;Exploit.CVE2008.5353;;
    2220e1f4-5140e21f\myf/y/PayloadX.class;C:\Documents and Settings\John\DoctorWeb\Quarantine\2220e1f4-5140e21f;Exploit.CVE2008.5353;;
    2220e1f4-5140e21f;C:\Documents and Settings\John\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
    Setup.exe.bac_a03364\data001;C:\Documents and Settings\John\DoctorWeb\Quarantine\Setup.exe.bac_a03364;Adware.Zango;;
    Setup.exe.bac_a03364;C:\Documents and Settings\John\DoctorWeb\Quarantine;Container contains infected objects;Moved.;
    ZAN9C26.exeO.bac_a02640\___\Install.dll;C:\Documents and Settings\John\DoctorWeb\Quarantine\ZAN9C26.exeO.bac_a02640;Adware.Shopper.37;;
    ZAN9C26.exeO.bac_a02640\Resource.dll;C:\Documents and Settings\John\DoctorWeb\Quarantine\ZAN9C26.exeO.bac_a02640;Trojan.Popclick.44;;
    ZAN9C26.exeO.bac_a02640;C:\Documents and Settings\John\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
    ZAN9C26.exeO.bac_a03364\___\Install.dll;C:\Documents and Settings\John\DoctorWeb\Quarantine\ZAN9C26.exeO.bac_a03364;Adware.Shopper.37;;
    ZAN9C26.exeO.bac_a03364\Resource.dll;C:\Documents and Settings\John\DoctorWeb\Quarantine\ZAN9C26.exeO.bac_a03364;Trojan.Popclick.44;;
    ZAN9C26.exeO.bac_a03364;C:\Documents and Settings\John\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:46:57 AM, on 4/6/2010
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16809)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Program Files\Pando Networks\Media Booster\PMB.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\DllHost.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [sealmon.exe] C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Google Update] "C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 3559 bytes
     
  6. 2010/04/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. 2010/04/17
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Joined:
    2010/04/02
    Messages:
    70
    Likes Received:
    0
    Recently I have had to use my home computer for numerous school projects and for MCAT studying, so I do apologize for my lapse in responding back. I have recently gotten even more problems, though; by reading your message now, I do apologize for having to install and uninstall things. Recently pop-ups and other things have been showing up, and just to show my current situation I have decided to go back and do the beginning steps for setting up a topic. I hope this was a good idea instead of making a new topic. The following are the two files requested to show the current status of my computer, and this computer will no longer be used except to go through instructions for help cleaning it, if you would grace me with the necessary information:

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by John at 18:43:02.33 on Sat 04/17/2010
    Internet Explorer: 7.0.6000.16809 BrowserJavaVersion: 1.6.0_16
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2942.2494 [GMT -7:00]

    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Common Files\logishrd\LComMgr\LVComSX.exe
    C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Windows\asam.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\John\Desktop\dds(2).scr
    C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Program Files\Pando Networks\Media Booster\PMB.exe
    C:\Users\John\AppData\Local\ojhjalukq\lcfyghktssd.exe
    C:\Windows\system32\netsh.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Google Update] "c:\users\john\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
    uRun: [hogqnjlq] c:\users\john\appdata\local\ojhjalukq\lcfyghktssd.exe
    uRun: [asam] c:\windows\asam.exe
    mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
    mRun: [sealmon.exe] c:\program files\oracle\information rights management\desktop\sealmon.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [asam] c:\windows\asam.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\707tt871.default\
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\users\john\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\users\john\appdata\roaming\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\users\john\appdata\roaming\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\users\john\appdata\roaming\mozilla\firefox\profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
    R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-6-11 968064]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

    =============== Created Last 30 ================

    2010-04-18 00:04:51 60672 ----a-w- c:\windows\asam.exe
    2010-04-06 12:46:54 0 d-----w- c:\program files\Trend Micro
    2010-04-05 15:51:40 0 d-----w- c:\users\john\DoctorWeb
    2010-04-04 19:27:32 0 d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-04-04 19:27:29 0 d-----w- c:\users\john\appdata\roaming\SUPERAntiSpyware.com
    2010-04-04 19:27:29 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-04-04 15:42:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-04 15:42:17 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-04 15:42:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-03 22:09:55 0 d-sh--w- C:\$RECYCLE.BIN
    2010-04-02 17:05:02 1256 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
    2010-04-02 17:04:55 1344 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-04-02 16:58:41 0 d-----w- c:\programdata\Malwarebytes
    2010-03-27 02:23:01 0 d-----w- c:\program files\iPod
    2010-03-27 02:23:00 0 d-----w- c:\program files\iTunes

    ==================== Find3M ====================

    2010-04-06 12:42:41 34800 ----a-w- c:\programdata\nvModes.dat
    2010-02-18 04:11:47 86016 ----a-w- c:\windows\inf\infstrng.dat
    2010-02-18 04:11:47 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-02-18 04:11:46 86016 ----a-w- c:\windows\inf\infstor.dat
    2008-12-10 11:04:53 174 --sha-w- c:\program files\desktop.ini
    2008-09-29 14:18:11 665600 ----a-w- c:\windows\inf\drvindex.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 18:43:41.22 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/28/2008 11:08:30 AM
    System Uptime: 4/17/2010 6:41:56 PM (0 hours ago)

    Motherboard: ECS | | Nettle2
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ | Socket M2 | 3000/201mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 466 GiB total, 420.534 GiB free.
    D: is CDROM (CDFS)
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0000
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0000
    Service: tunnel

    Class GUID: {4d36e96d-e325-11ce-bfc1-08002be10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200C14F1&REV_00\4&2CF26B65&0&3020
    Manufacturer: CXT
    Name: PCI Soft Data Fax Modem with SmartCP
    PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200C14F1&REV_00\4&2CF26B65&0&3020
    Service: Modem

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    ACD/Labs Software in C:\Program Files\ACDFREE12\
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 9.3
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AusLogics Disk Defrag
    AutoUpdate
    Bonjour
    DivX Codec
    DivX Converter
    DivX Player
    DivX Web Player
    FLV Player 2.0 (build 25)
    Google Chrome
    Guitar Pro 5.2
    HijackThis 2.0.2
    iTunes
    Java(TM) 6 Update 16
    Java(TM) 6 Update 7
    LG USB Modem driver
    Logitech Audio Echo Cancellation Component
    Logitech QuickCam Driver Package
    Logitech Video Enumerator
    Logitech® Camera Driver
    Malwarebytes' Anti-Malware
    Maple 12
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel Viewer
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Professional 2007 Subscription
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual J# 2.0 Redistributable Package
    Move Media Player
    Mozilla Firefox (3.6.3)
    MSVCRT
    MVision
    NVIDIA Display Control Panel
    NVIDIA Drivers
    Oracle IRM Desktop 5.5.12 10gR3 PR5
    Pando Media Booster
    QuickTime
    Respondus LockDown Browser
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB958439)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB958437)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Skype™ 3.8
    SUPERAntiSpyware Free Edition
    Symyx Draw
    System Requirements Lab
    TVUPlayer 2.4.8.2
    Update for Microsoft Office 2007 Help for Common Features (KB957244)
    Update for Microsoft Office Access 2007 Help (KB957241)
    Update for Microsoft Office Excel 2007 Help (KB957242)
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Microsoft Office Outlook 2007 Help (KB957246)
    Update for Microsoft Office PowerPoint 2007 Help (KB957247)
    Update for Microsoft Office Publisher 2007 Help (KB957249)
    Update for Microsoft Office Word 2007 Help (KB957252)
    Update for Microsoft Script Editor Help (KB957253)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb962871)
    VC80CRTRedist - 8.0.50727.762
    Ventrilo Client
    Vuze
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Player Firefox Plugin
    WinRAR archiver
    WinZip 12.0

    ==== Event Viewer Messages From Past Week ========

    4/17/2010 6:42:03 PM, Error: volmgr [46] - Crash dump initialization failed!
    4/13/2010 3:47:16 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 001921418A46 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    4/10/2010 3:00:24 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847) x86.
    4/10/2010 12:02:06 AM, Error: LSM [1050] - Registering with Service Control Manager to monitor Terminal Service status failed with The specified service does not exist as an installed service. , retry in ten minute.

    ==== End Of File ===========================
     
  8. 2010/04/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. Let's start over.
    What are the actual issues?


    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on the Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log in your next reply.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista or 7, right-click on HijackThis and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. 2010/04/17
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    The actual problem is this: constant programs install themselves on my computer claiming to be virus scanners. Obviously it is a scam because they want me to buy their product, but as soon as one gets removed another three replace it. Also, recently internet pop-ups have started adding on. I recently had AVG Free, but I couldn't manage to disable all the different settings even with the help posted from this forum and others. So I uninstalled AVG Free and currently am without any form of protection since we last talked. Many programs have trouble working due to these random programs blocking my access, claiming they are infected.

    Another thing is this: last time your first instruction with the virus scanner didn't work. Should I try again even after I have renamed it and it is still on my PC? Also, I already have many of the other programs you listed. Should I start uninstalling all the programs I have? I stopped adding programs about the time you started telling me to add programs I already had.

    And again, thank you for the help; I am very appreciative.

    Edit: Another thing is this. Instead of printing out the instructions, since I do not have a working printer, I check the instructions via my laptop. Is this acceptable?
     
  10. 2010/04/17
    broni

    broni Moderator Malware Analyst

    Which scanner are you referring to?

    We'll take care of your new AV program, when we'll get your computer more stable.
    Just make sure Windows firewall is on.

    Now, before you run the above scans, start with this...

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
     
  11. 2010/04/17
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Sorry for being vague, that was Malwarebytes. Last time it wouldn't work despite renaming it. Also, this is the post from exeHelper:
    exeHelper by Raktor
    Build 20100329
    Run at 20:26:56 on 04/04/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Removing HKCR\secfile
    Resetting filetype association for .com
    Removing HKCR\secfile
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100329
     
  12. 2010/04/17
    broni

    broni Moderator Malware Analyst

    OK. Go ahead with MBAM right away.
     
  13. 2010/04/17
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Sorry, but again MBAM did not work with my computer, and remember I have tried to change the name and run it again and it didn't work in the past.
     
  14. 2010/04/17
    broni

    broni Moderator Malware Analyst

    Please download ComboFix from Here or Here to your Desktop.

    Run rKill first.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  15. 2010/04/17
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    ComboFix 10-04-17.02 - John 04/17/2010 20:23:40.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2942.2283 [GMT -7:00]
    Running from: c:\users\John\Desktop\ComboFix.exe
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\0W4RBwq.jpg
    c:\users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\10wMg.jpg
    c:\users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\1A0mAMb.jpg
    c:\users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\1i56ehcg.jpg
    c:\users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\CQeLEdtBt.jpg
    c:\users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\MrVAtIe4O.jpg
    c:\users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ngqew.jpg
    c:\users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\R80PV7.jpg
    c:\windows\asam.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
    .

    2010-04-18 03:26 . 2010-04-18 03:26 -------- d-----w- c:\users\John\AppData\Local\temp
    2010-04-18 03:21 . 2010-04-18 03:22 -------- d-----w- C:\32788R22FWJFW
    2010-04-18 00:03 . 2010-04-18 00:03 60672 ----a-w- c:\users\John\AppData\Local\syssvc.exe
    2010-04-18 00:01 . 2010-04-18 00:01 -------- d-----w- c:\users\John\AppData\Local\ojhjalukq
    2010-04-06 18:34 . 2010-04-06 18:34 -------- d-----w- c:\program files\FLV Player
    2010-04-06 12:46 . 2010-04-06 12:46 -------- d-----w- c:\program files\Trend Micro
    2010-04-05 15:51 . 2010-04-05 17:16 -------- d-----w- c:\users\John\DoctorWeb
    2010-04-04 19:29 . 2010-04-04 19:29 52224 ----a-w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-04 19:28 . 2010-04-04 19:28 117760 ----a-w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-04 19:27 . 2010-04-04 19:27 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-04-04 19:27 . 2010-04-04 19:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-04 19:27 . 2010-04-04 19:27 -------- d-----w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com
    2010-04-04 19:23 . 2010-04-04 19:23 199168 --sha-w- c:\users\John\AppData\Local\2554285925.dll
    2010-04-04 15:42 . 2010-03-29 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-04 15:42 . 2010-04-18 03:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-04 15:42 . 2010-03-29 22:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-02 16:58 . 2010-04-02 16:58 -------- d-----w- c:\programdata\Malwarebytes
    2010-04-02 14:34 . 2010-04-02 17:03 -------- d-----w- c:\users\John\AppData\Local\tblueiojw
    2010-04-01 15:18 . 2010-04-01 15:18 1685784 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
    2010-04-01 15:18 . 2010-04-01 15:18 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
    2010-04-01 14:38 . 2009-10-16 22:50 2520888 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    2010-04-01 14:38 . 2008-03-05 01:52 286720 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\libcurl.dll
    2010-04-01 14:38 . 2007-10-31 16:39 59904 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\zlib1.dll
    2010-04-01 14:38 . 2007-05-17 20:58 143360 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\libexpatw.dll
    2010-04-01 14:38 . 2006-10-19 00:32 499712 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\msvcp71.dll
    2010-04-01 14:38 . 2006-10-19 00:32 348160 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\msvcr71.dll
    2010-04-01 14:38 . 2006-10-17 01:44 196608 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\ssleay32.dll
    2010-04-01 14:38 . 2006-10-17 01:44 1028096 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\libeay32.dll
    2010-03-27 02:23 . 2010-03-27 02:23 -------- d-----w- c:\program files\iPod
    2010-03-27 02:23 . 2010-03-27 02:23 -------- d-----w- c:\program files\iTunes
    2010-03-27 02:20 . 2010-03-27 02:20 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-18 01:43 . 2009-12-30 05:08 34800 ----a-w- c:\programdata\nvModes.dat
    2010-04-04 19:27 . 2009-06-25 14:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-03 21:58 . 2010-02-19 23:02 -------- d-----w- c:\programdata\avg9
    2010-04-03 17:55 . 2008-10-16 23:39 0 ----a-w- c:\users\John\AppData\Local\prvlcl.dat
    2010-04-02 19:15 . 2010-04-02 17:05 1256 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
    2010-04-02 19:00 . 2010-04-02 17:04 1344 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-03-31 18:44 . 2008-10-27 02:25 -------- d-----w- c:\users\John\AppData\Roaming\LimeWire
    2010-03-27 05:04 . 2009-08-08 03:32 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-03-27 02:23 . 2009-03-07 07:28 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-16 14:58 . 2008-09-29 06:28 102488 ----a-w- c:\users\John\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-03-12 20:39 . 2010-03-12 20:39 360584 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
    2010-03-12 20:39 . 2010-03-12 20:39 333192 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
    2010-03-12 20:39 . 2010-03-12 20:39 28424 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
    2010-02-19 23:02 . 2008-09-28 19:53 -------- d-----w- c:\program files\AVG
    2010-02-18 04:41 . 2008-09-29 06:22 -------- d-----w- c:\program files\Common Files\Adobe
    2010-02-18 04:16 . 2008-10-09 05:33 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
    2010-02-18 04:16 . 2008-10-09 05:33 401408 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
    2010-02-18 04:13 . 2009-12-30 05:06 -------- d-----w- c:\programdata\NVIDIA
    2010-02-18 04:12 . 2009-12-30 04:46 -------- d-----w- c:\program files\NVIDIA Corporation
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2008-09-29 1232896]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
    "Google Update "= "c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-03 133104]
    "Pando Media Booster "= "c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-12-28 2935480]
    "hogqnjlq "= "c:\users\John\AppData\Local\ojhjalukq\lcfyghktssd.exe" [2010-04-18 272128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LVCOMSX "= "c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2006-12-22 244512]
    "sealmon.exe "= "c:\program files\Oracle\Information Rights Management\Desktop\sealmon.exe" [2009-03-13 370952]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA "= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux4 "=wdmaud.drv

    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
    S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-06-11 968064]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2893342972-3071724252-3358957919-1000Core.job
    - c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-03 04:22]

    2010-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2893342972-3071724252-3358957919-1000UA.job
    - c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-03 04:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\users\John\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-asam - c:\windows\asam.exe
    HKLM-Run-asam - c:\windows\asam.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-17 20:26
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    Completion time: 2010-04-17 20:27:50
    ComboFix-quarantined-files.txt 2010-04-18 03:27
    ComboFix2.txt 2010-04-03 22:10

    Pre-Run: 451,470,069,760 bytes free
    Post-Run: 451,512,463,360 bytes free

    - - End Of File - - D39B7FE5772F413706B0F36D0B574D95

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:36:09 PM, on 4/17/2010
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16809)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe "
    O4 - HKLM\..\Run: [sealmon.exe] C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Google Update] "C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
    O4 - HKCU\..\Run: [hogqnjlq] C:\Users\John\AppData\Local\ojhjalukq\lcfyghktssd.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 3568 bytes
     
  16. 2010/04/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I don't see any AV program installed.
    If you're planning on reinstalling AVG, wait until we're done with Combofix.
    Make sure Windows Firewall is on.


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\users\John\AppData\Local\syssvc.exe
    c:\users\John\AppData\Local\2554285925.dll
    
    
    Folder::
    C:\32788R22FWJFW
    c:\users\John\AppData\Local\ojhjalukq
    
    
    Driver::
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hogqnjlq"=-
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
    • A new HijackThis log.
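    As an added example (not from the thread and not part of ComboFix), here is a parser for the CFScript format used above, followed by a check that what the script targeted is actually gone once ComboFix has run. The script text is the one posted above; `reg_exists_windows` assumes it is run on the affected Windows machine via `winreg`, and the post-run snapshot used in the demo is constructed, not taken from the thread.

```python
import re

# The CFScript posted above, with its empty Driver:: and RegLockDel:: sections kept.
CFSCRIPT = r"""File::
c:\users\John\AppData\Local\syssvc.exe
c:\users\John\AppData\Local\2554285925.dll
Folder::
C:\32788R22FWJFW
c:\users\John\AppData\Local\ojhjalukq
Driver::
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hogqnjlq"=-
RegLockDel::
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")          # e.g. "Folder::"
REG_VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-\s*$')   # REGEDIT4 "delete this value"


def parse_cfscript(text):
    """Return {'File': [...], 'Folder': [...], 'Driver': [...], 'Registry': [(key, value), ...]}.
    Registry:: uses REGEDIT4 syntax: a [key] line selects the key, "name"=- deletes
    that value under it, and [-key] deletes the whole key (value recorded as None)."""
    plan = {"File": [], "Folder": [], "Driver": [], "Registry": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
        elif section in ("File", "Folder", "Driver"):
            plan[section].append(line)
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                plan["Registry"].append((line[2:-1], None))
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            else:
                m = REG_VALUE_DELETE_RE.match(line)
                if m and current_key is not None:
                    plan["Registry"].append((current_key, m.group(1)))
    return plan  # RegLockDel:: and other sections are not modelled here


def leftovers(plan, path_exists, reg_exists):
    """Plan items that still exist after the run. The caller supplies path_exists(path)
    and reg_exists(key, value). Driver:: entries are service names, so not checked here."""
    left = [(kind, p) for kind in ("File", "Folder") for p in plan[kind] if path_exists(p)]
    for key, value in plan["Registry"]:
        if reg_exists(key, value):
            left.append(("Registry", key if value is None else f"{key}\\{value}"))
    return left


def reg_exists_windows(key, value_name):
    """Real lookup for the affected machine (Windows only): key, or value under it, present?"""
    import winreg  # imported lazily so the parser also runs off-box
    hive_name, _, subkey = key.partition("\\")
    hive = getattr(winreg, hive_name)  # e.g. winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(hive, subkey) as handle:
            if value_name is not None:
                winreg.QueryValueEx(handle, value_name)
            return True
    except OSError:
        return False
# On the machine itself: leftovers(parse_cfscript(CFSCRIPT), os.path.exists, reg_exists_windows)


# Constructed post-run snapshot for the demo (not the machine in the thread): one folder
# and the Run value are imagined to have survived. ComboFix logs paths in lower case.
DEMO_PATHS_PRESENT = {r"c:\users\john\appdata\local\ojhjalukq"}
DEMO_REG_PRESENT = {(r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "hogqnjlq")}


def demo_leftovers():
    plan = parse_cfscript(CFSCRIPT)
    return leftovers(plan, lambda p: p.lower() in DEMO_PATHS_PRESENT,
                     lambda k, v: (k, v) in DEMO_REG_PRESENT)
```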
     
  17. 2010/04/17
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Joined:
    2010/04/02
    Messages:
    70
    Likes Received:
    0
    ComboFix 10-04-17.02 - John 04/17/2010 21:18:12.4.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2942.2208 [GMT -7:00]
    Running from: c:\users\John\Desktop\ComboFix.exe
    Command switches used :: c:\users\John\Desktop\CFScript.txt
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point

    FILE ::
    "c:\users\John\AppData\Local\2554285925.dll"
    "c:\users\John\AppData\Local\syssvc.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\32788R22FWJFW
    c:\32788r22fwjfw\EN-US\cmd.cfxxe.mui
    c:\users\John\AppData\Local\2554285925.dll
    c:\users\John\AppData\Local\ojhjalukq
    c:\users\John\AppData\Local\ojhjalukq\lcfyghktssd.exe
    c:\users\John\AppData\Local\syssvc.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
    .

    2010-04-18 04:20 . 2010-04-18 04:20 -------- d-----w- c:\users\John\AppData\Local\temp
    2010-04-18 04:20 . 2010-04-18 04:20 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-04-18 04:20 . 2010-04-18 04:20 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-06 18:34 . 2010-04-06 18:34 -------- d-----w- c:\program files\FLV Player
    2010-04-06 12:46 . 2010-04-06 12:46 -------- d-----w- c:\program files\Trend Micro
    2010-04-05 15:51 . 2010-04-05 17:16 -------- d-----w- c:\users\John\DoctorWeb
    2010-04-04 19:29 . 2010-04-04 19:29 52224 ----a-w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-04 19:28 . 2010-04-04 19:28 117760 ----a-w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-04 19:27 . 2010-04-04 19:27 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-04-04 19:27 . 2010-04-04 19:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-04 19:27 . 2010-04-04 19:27 -------- d-----w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com
    2010-04-04 15:42 . 2010-03-29 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-04 15:42 . 2010-04-18 03:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-04 15:42 . 2010-03-29 22:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-02 16:58 . 2010-04-02 16:58 -------- d-----w- c:\programdata\Malwarebytes
    2010-04-02 14:34 . 2010-04-02 17:03 -------- d-----w- c:\users\John\AppData\Local\tblueiojw
    2010-04-01 15:18 . 2010-04-01 15:18 1685784 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
    2010-04-01 15:18 . 2010-04-01 15:18 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
    2010-04-01 14:38 . 2009-10-16 22:50 2520888 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    2010-04-01 14:38 . 2008-03-05 01:52 286720 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\libcurl.dll
    2010-04-01 14:38 . 2007-10-31 16:39 59904 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\zlib1.dll
    2010-04-01 14:38 . 2007-05-17 20:58 143360 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\libexpatw.dll
    2010-04-01 14:38 . 2006-10-19 00:32 499712 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\msvcp71.dll
    2010-04-01 14:38 . 2006-10-19 00:32 348160 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\msvcr71.dll
    2010-04-01 14:38 . 2006-10-17 01:44 196608 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\ssleay32.dll
    2010-04-01 14:38 . 2006-10-17 01:44 1028096 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\libeay32.dll
    2010-03-27 02:23 . 2010-03-27 02:23 -------- d-----w- c:\program files\iPod
    2010-03-27 02:23 . 2010-03-27 02:23 -------- d-----w- c:\program files\iTunes
    2010-03-27 02:20 . 2010-03-27 02:20 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-18 01:43 . 2009-12-30 05:08 34800 ----a-w- c:\programdata\nvModes.dat
    2010-04-04 19:27 . 2009-06-25 14:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-03 21:58 . 2010-02-19 23:02 -------- d-----w- c:\programdata\avg9
    2010-04-03 17:55 . 2008-10-16 23:39 0 ----a-w- c:\users\John\AppData\Local\prvlcl.dat
    2010-04-02 19:15 . 2010-04-02 17:05 1256 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
    2010-04-02 19:00 . 2010-04-02 17:04 1344 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-03-31 18:44 . 2008-10-27 02:25 -------- d-----w- c:\users\John\AppData\Roaming\LimeWire
    2010-03-27 05:04 . 2009-08-08 03:32 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-03-27 02:23 . 2009-03-07 07:28 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-16 14:58 . 2008-09-29 06:28 102488 ----a-w- c:\users\John\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-03-12 20:39 . 2010-03-12 20:39 360584 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
    2010-03-12 20:39 . 2010-03-12 20:39 333192 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
    2010-03-12 20:39 . 2010-03-12 20:39 28424 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
    2010-02-19 23:02 . 2008-09-28 19:53 -------- d-----w- c:\program files\AVG
    2010-02-18 04:41 . 2008-09-29 06:22 -------- d-----w- c:\program files\Common Files\Adobe
    2010-02-18 04:16 . 2008-10-09 05:33 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
    2010-02-18 04:16 . 2008-10-09 05:33 401408 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
    2010-02-18 04:13 . 2009-12-30 05:06 -------- d-----w- c:\programdata\NVIDIA
    2010-02-18 04:12 . 2009-12-30 04:46 -------- d-----w- c:\program files\NVIDIA Corporation
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-09-29 1232896]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
    "Google Update"="c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-03 133104]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-12-28 2935480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2006-12-22 244512]
    "sealmon.exe"="c:\program files\Oracle\Information Rights Management\Desktop\sealmon.exe" [2009-03-13 370952]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux4"=wdmaud.drv

    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
    S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-06-11 968064]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2893342972-3071724252-3358957919-1000Core.job
    - c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-03 04:22]

    2010-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2893342972-3071724252-3358957919-1000UA.job
    - c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-03 04:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\users\John\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-17 21:20
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-04-17 21:21:33
    ComboFix-quarantined-files.txt 2010-04-18 04:21
    ComboFix2.txt 2010-04-18 03:27
    ComboFix3.txt 2010-04-03 22:10

    Pre-Run: 451,533,516,800 bytes free
    Post-Run: 451,509,145,600 bytes free

    - - End Of File - - E1C88EA6789AFEEF4F7EC876016AF9E0

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:33:10 PM, on 4/17/2010
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16809)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [sealmon.exe] C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Google Update] "C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 3409 bytes
     
  18. 2010/04/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall".
    Click OK (Vista users - press Enter).
    Restart computer.


    See, if you can update and run Malwarebytes now.
     
  19. 2010/04/18
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Joined:
    2010/04/02
    Messages:
    70
    Likes Received:
    0
    Sorry, I keep getting the same error about "EXPANDING VARIABLES", so it won't work.
     
  20. 2010/04/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I found this at the MBAM forum:

     
  21. 2010/04/18
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Joined:
    2010/04/02
    Messages:
    70
    Likes Received:
    0
    I tried it once and it didn't work. I will try again in the morning. I apologize, but I gotta get some rest as I have class on the weekends as well. Will try it out again when I wake in the morning. Thanks for the help so far.
     
