Threat detected - help!
Comments
-
What links are redirecting and to what are you directed towards?
-
TICK and FIX these in HijackThis:
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) -
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
.....................................................................
Download HostsXpert
http://download.softpedia.com/dl/a688cad746f64494e3ba8aee103f97e4/4b3ceb67/100027041/software/system/HostsXpert.zip
and then follow the below steps.
* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* click the Make Writeable? button.
* click Restore Microsoft's Hosts File and then click OK.
* Click the X to exit the program
.............................................................................
Open Notepad and copy/paste the text below:
File::
c:\windows\system32\E_FLM9CE.DLL
c:\windows\system32\E_FBCH9CE.DLL
c:\windows\system32\E_FBCB9CE.DLL
c:\windows\system32\E_DCINST.DLL
c:\windows\PCDLIB32.DLL
c:\windows\system32\Epcmlib.dll
c:\windows\system32\gdiplus.dll
c:\windows\system32\PICSDK.dll
c:\windows\system32\EPPICPrinterDB.dat
c:\windows\system32\EPPICPattern1.dat
c:\windows\system32\EPPicMgr.dll
c:\windows\system32\EpPicPrt.dll
Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
Combofix should never take more than 30 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
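Before the hosts file is reset it is worth seeing what the current one actually contains, because the extra entries are the evidence of what the hijacker wanted to block or redirect. The script below is an added example written for this page, not code from the thread or from HostsXpert. It parses a hosts file, keeps the single mapping Windows XP ships (127.0.0.1 localhost) and reports every other entry as either a block (a name pinned to loopback or 0.0.0.0, the usual way of killing antivirus updates) or a redirect (a name pointed at some other address). SAMPLE_HOSTS is constructed: the .test names and 203.0.113.45 are reserved example values, and HOSTS_PATH assumes a default %SystemRoot%.

```python
"""Audit a Windows hosts file before resetting it.

Added example, not from the thread or from HostsXpert. A hijacked hosts file
is usually abused in one of two ways: security-vendor names pinned to the
loopback address so updates silently fail, or names pointed at an attacker's
address so the browser is redirected. The stock Windows XP file has a single
active mapping, 127.0.0.1 localhost, so anything else deserves a look before
it is wiped.
"""
import ipaddress

# Where XP keeps the file (assumes the default %SystemRoot%; not read below).
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: the stock mapping plus two lines of the kind a hijacker
# adds. The .test names and 203.0.113.45 are reserved example values.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example-av.test
203.0.113.45    www.example-bank.test   # a comment after a mapping is ignored
"""

# What the reset step restores: the stock mapping only (comments omitted).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

STOCK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every active mapping in `text`.

    Comment lines, blank lines and lines that do not start with a valid IP
    address are skipped; a line may map several names to one address.
    """
    mappings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mappings.append((line_no, str(addr), name.lower()))
    return mappings


def suspicious_entries(text):
    """Classify every mapping other than loopback -> localhost."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback and name in STOCK_NAMES:
            continue                      # the one entry Microsoft ships
        if addr.is_loopback or addr.is_unspecified:
            reason = "blocked (pinned to " + ip + ")"
        else:
            reason = "redirected to " + ip
        findings.append((line_no, name, reason))
    return findings


if __name__ == "__main__":
    for line_no, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} {reason}")
    print("would be replaced with:\n" + DEFAULT_HOSTS)
```

Note what the two classes mean in practice: a loopback entry for an update host explains why a scanner on the machine can no longer update, while a redirect entry is the thing to record (address and name) before the file is overwritten, because it is the only trace of where the victim was being sent.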
-
Sorry for not replying sooner

Combofix log:
ComboFix 10-03-01.01 - steve rosbrook 01/03/2010 20:52:52.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.2010 [GMT 0:00]
Running from: c:\documents and settings\steve rosbrook\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\steve rosbrook\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\windows\PCDLIB32.DLL"
"c:\windows\system32\E_DCINST.DLL"
"c:\windows\system32\E_FBCB9CE.DLL"
"c:\windows\system32\E_FBCH9CE.DLL"
"c:\windows\system32\E_FLM9CE.DLL"
"c:\windows\system32\Epcmlib.dll"
"c:\windows\system32\EPPicMgr.dll"
"c:\windows\system32\EPPICPattern1.dat"
"c:\windows\system32\EPPICPrinterDB.dat"
"c:\windows\system32\EpPicPrt.dll"
"c:\windows\system32\gdiplus.dll"
"c:\windows\system32\PICSDK.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\U.exe
c:\windows\PCDLIB32.DLL
c:\windows\system32\E_DCINST.DLL
c:\windows\system32\E_FBCB9CE.DLL
c:\windows\system32\E_FBCH9CE.DLL
c:\windows\system32\E_FLM9CE.DLL
c:\windows\system32\Epcmlib.dll
c:\windows\system32\EPPicMgr.dll
c:\windows\system32\EPPICPattern1.dat
c:\windows\system32\EPPICPrinterDB.dat
c:\windows\system32\EpPicPrt.dll
c:\windows\system32\gdiplus.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\PICSDK.dll
c:\windows\system32\sdra64.exe
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.
2010-03-01 15:16 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2010-02-27 21:00 . 2010-02-27 21:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-27 13:27 . 2010-02-27 13:27 388096 ----a-r- c:\documents and settings\steve rosbrook\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-27 12:04 . 2010-02-27 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-27 12:04 . 2010-02-27 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-27 10:37 . 2010-02-27 10:37 52224 ----a-w- c:\documents and settings\steve rosbrook\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-27 10:37 . 2010-02-27 10:37 117760 ----a-w- c:\documents and settings\steve rosbrook\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-27 10:34 . 2010-02-27 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-27 10:32 . 2010-02-27 10:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-27 10:32 . 2010-02-27 10:32 -------- d-----w- c:\documents and settings\steve rosbrook\Application Data\SUPERAntiSpyware.com
2010-02-23 21:32 . 2010-02-23 21:32 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-20 19:46 . 2010-02-23 13:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-19 17:39 . 2010-02-19 17:39 -------- d-----w- c:\documents and settings\steve rosbrook\Application Data\ArcSoft
2010-02-19 15:53 . 2010-02-19 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\UDL
2010-02-19 15:42 . 2010-02-23 21:43 -------- d-----w- c:\program files\epson
2010-02-19 15:32 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-02-19 15:32 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-02-19 15:32 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-02-19 15:32 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-02-18 19:31 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-02-18 19:31 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-02-12 21:39 . 2010-02-12 21:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-02 17:10 . 2010-02-02 17:10 -------- d-----w- c:\program files\iPod
2010-02-02 17:10 . 2010-02-02 17:14 -------- d-----w- c:\program files\iTunes
2010-02-02 16:57 . 2010-02-02 16:57 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-01 13:04 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-01 13:04 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-31 09:14 . 2010-01-31 09:14 -------- d-----w- c:\program files\Microsoft Silverlight
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 15:15 . 1980-01-01 08:00 31232 ----a-w- c:\windows\system32\userinit.exe
2010-02-28 06:58 . 2006-12-01 01:55 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-02-27 18:40 . 2004-08-04 06:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-27 10:30 . 2007-07-18 19:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-23 21:49 . 2010-01-12 20:09 1 ----a-w- c:\documents and settings\steve rosbrook\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-23 21:32 . 2009-03-01 15:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-23 21:26 . 2006-12-01 01:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-23 21:22 . 2007-03-03 14:50 -------- d-----w- c:\program files\Java
2010-02-04 19:04 . 2006-12-01 01:55 -------- d-----w- c:\program files\Google
2010-02-02 17:10 . 2009-10-19 17:02 -------- d-----w- c:\program files\Common Files\Apple
2010-01-30 18:39 . 2009-11-07 08:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-26 20:07 . 2007-02-21 19:56 24440 -c----w- c:\documents and settings\steve rosbrook\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-26 20:04 . 2010-01-26 20:04 20600 ---h--w- c:\windows\system32\mlfcache.dat
2010-01-26 20:03 . 2008-06-19 21:09 -------- d-----w- c:\documents and settings\steve rosbrook\Application Data\Apple Computer
2010-01-12 20:08 . 2010-01-12 20:08 -------- d-----w- c:\documents and settings\steve rosbrook\Application Data\OpenOffice.org
2010-01-12 20:06 . 2010-01-12 20:06 -------- d-----w- c:\program files\JRE
2010-01-12 20:06 . 2010-01-12 20:06 -------- d-----w- c:\program files\OpenOffice.org 3
2010-01-12 20:05 . 2008-06-19 20:36 -------- d-----w- c:\program files\OpenOffice.org 2.4
2010-01-12 20:02 . 2010-01-12 20:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-12 19:49 . 2007-11-21 19:53 -------- d-----w- c:\documents and settings\steve rosbrook\Application Data\OpenOffice.org2
2010-01-12 19:49 . 2007-11-21 19:57 1 ----a-w- c:\documents and settings\steve rosbrook\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-01-07 16:07 . 2009-03-01 15:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-03-01 15:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 1980-01-01 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 1980-01-01 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 13:21 . 2009-11-18 21:12 150600 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-19 10:18 . 2009-12-19 10:17 60696384 ----a-w- c:\documents and settings\All Users\Application Data\Sony Corporation\AutoUpdateClient\CT\ContentTransferSetup.exe
2009-12-16 18:43 . 2004-08-09 21:22 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 1980-01-01 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 1980-01-01 08:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 06:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-05 11:49 . 2009-12-05 11:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-04 18:22 . 1980-01-01 08:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
Sigcheck
[-] 2010-03-01 15:15 . 7B877E27B6CBCD45FA619D0ED1074C26 . 31232 . . [1.0.6.4] . . c:\windows\system32\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-29 761945]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPHKMGR.exe" [2005-12-21 94208]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2005-12-10 24064]
"PMHandler"="c:\windows\system32\PMHandler.exe" [2006-05-20 24576]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88204]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-15 1236992]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"AMSG"="c:\progra~1\THINKV~1\AMSG\amsg.exe" [2005-11-23 507904]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2005-12-07 106496]
"cssauthe"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" [2005-12-22 1988144]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-12 149280]
"none"="c:\AUTOEXEC.BAT" [2007-02-21 0]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\steve rosbrook\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= firefox.exe
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-21 04:46 24576 ----a-w- c:\windows\system32\tphklock.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ContentTransferWMDetector.exe]
2009-11-19 18:15 583016 ----a-w- c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
2009-11-06 16:00 2090272 ----a-w- c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2006-11-24 01:06 487424 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/06/2008 18:53 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [22/06/2008 18:53 360584]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [21/12/2005 22:09 10240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 10:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 10:15 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [28/11/2009 09:52 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [28/11/2009 09:52 285392]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [22/12/2005 00:45 3968]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 10:15 12872]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.betfair.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/us/en/
uInternet Settings,ProxyOverride = *.local
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20090806143003
DPF: {8C922C73-FFFA-45A3-B2C2-BC1E30074267} - hxxp://www.sony.co.uk/bravia/RegistrationAgent.cab
FF - ProfilePath - c:\documents and settings\steve rosbrook\Application Data\Mozilla\Firefox\Profiles\haf13358.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.betfair.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 21:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-4068179109-3409195564-439472003-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\tphklock.dll
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(1184)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PMSveH.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\AGRSMMSG.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-03-01 21:11:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 21:11
ComboFix2.txt 2010-02-27 21:22
Pre-Run: 28,147,036,160 bytes free
Post-Run: 28,263,432,192 bytes free
- - End Of File - - C630BCBD19126F5652D8ED57AE978F4A
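A ComboFix log of this length is easy to misread, so here is an added example, written for this page rather than taken from the thread, of pulling out the four things a responder checks first: what ComboFix deleted, which system file it found patched and disinfected, which file its Sigcheck pass could not match to a known-good copy (tagged [-]) together with the accepted copies of the same file it found elsewhere on disk, and which registry values in the loading-points section are hostile (a DisallowRun list and Security Center monitoring switched off). SAMPLE_LOG is an abridged copy of the log above, trimmed to those sections. One piece of context that is not in the thread but is well documented: sdra64.exe together with lowsec\user.ds and lowsec\local.ds is the on-disk footprint of the ZeuS (Zbot) banking trojan, which captures credentials typed into the browser, which is why the later advice to change every password from another machine is the step that matters.

```python
"""Pull the responder-relevant facts out of a ComboFix log.

Added example for this page, not code from the thread. SAMPLE_LOG is an
abridged copy of the log posted above, cut down to the three sections read
here: 'Other Deletions', 'Sigcheck' and 'Reg Loading Points'.
"""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\U.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
Sigcheck
[-] 2010-03-01 15:15 . 7B877E27B6CBCD45FA619D0ED1074C26 . 31232 . . [1.0.6.4] . . c:\windows\system32\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= firefox.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
"""

# One Sigcheck line: [tag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<stamp>[\d-]+(?: [\d:]+)?) \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<ver>[^\]]+)\] \. \. (?P<path>.+?)\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>\S+) was found and disinfected")


def section(log, title):
    """Body of the section whose header contains `title`; a lone '.' ends it."""
    body, inside = [], False
    for line in log.splitlines():
        line = line.rstrip()
        if not inside:
            inside = title in line
            continue
        if line == ".":
            if body:            # the '.' printed right under a header is skipped
                break
            continue
        body.append(line)
    return body


def deleted_paths(log):
    """Files and folders ComboFix removed (the path lines under 'Other Deletions')."""
    return [line for line in section(log, "Other Deletions") if PATH_RE.match(line)]


def disinfected_files(log):
    """System files ComboFix found patched in place and repaired."""
    return [m["path"] for m in map(INFECTED_RE.match, log.splitlines()) if m]


def sigcheck_mismatches(log):
    """Map each file Sigcheck flagged with [-] to the accepted copies of the same name."""
    flagged, accepted = {}, {}
    for line in section(log, "Sigcheck"):
        m = SIGCHECK_RE.match(line)
        if not m:
            continue
        name = m["path"].rsplit("\\", 1)[-1].lower()
        entry = {"path": m["path"], "md5": m["md5"].upper(),
                 "size": int(m["size"]), "version": m["ver"]}
        if m["tag"] == "-":
            flagged[name] = entry
        else:
            accepted.setdefault(name, []).append(entry)
    return {name: (entry, accepted.get(name, [])) for name, entry in flagged.items()}


def hostile_policies(log):
    """Registry values under 'Reg Loading Points' that malware sets to hinder cleanup."""
    findings, key = [], ""
    for line in section(log, "Reg Loading Points"):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # remember the key the values belong to
            continue
        name, _, value = line.partition("=")
        name, value = name.strip().strip('"'), value.strip()
        if key.endswith("policies\\explorer") and name == "DisallowRun" and value.startswith("1"):
            findings.append(("DisallowRun enabled", key))
        elif key.endswith("policies\\explorer\\disallowrun") and name:
            findings.append(("execution blocked", value))
        elif "security center\\monitoring" in key and name == "DisableMonitoring" and value.endswith("1"):
            findings.append(("Security Center monitoring off", key))
    return findings


if __name__ == "__main__":
    print("deleted:", *deleted_paths(SAMPLE_LOG), sep="\n  ")
    print("disinfected:", *disinfected_files(SAMPLE_LOG), sep="\n  ")
    for name, (bad, good) in sigcheck_mismatches(SAMPLE_LOG).items():
        print(f"{name}: {bad['size']} bytes v{bad['version']} flagged; accepted copies: {[g['path'] for g in good]}")
    print("policies:", *hostile_policies(SAMPLE_LOG), sep="\n  ")
```

The Sigcheck pairing is the useful part for the userinit.exe line: the flagged copy in system32 is 31232 bytes, version 1.0.6.4, while the two copies ComboFix accepted (ERDNT\cache and ServicePackFiles\i386) are 26112 bytes, version 5.1.2600.5512 with the same MD5, so the log itself tells you where a clean replacement lives. The DisallowRun entry blocking firefox.exe and the Security Center monitoring flags are the kind of thing a cleanup has to undo by hand after the files are gone.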
-
Any better?
-
Tried a couple of google searches and no redirects
Is it too complicated to tell me what you fixed? And can I do anything to help stop it happening again?
Thanks so much for your help.
-
This shows a serious infection
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
I would, from a safe computer, change all passwords.
-
Ok, will do as soon as I can get access to another computer. Can I stop it happening again?
-
I would run a scan with Dr Web Cure it;
Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Scan with Dr.Web CureIt as follows:
- Double-click on launch.exe to start the program.
- Cancel any prompts to download the latest CureIt version and click Start.
- At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
- The Express scan will automatically begin. (This is a short scan of files currently running in memory, boot sectors, and targeted folders.)
- If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
- When complete, click Select All, then choose Cure > Move incurable. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)
- Now put a check next to Complete scan to scan all local disks and removable media.
- In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
- Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
- When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
- Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
- In the top menu, click File and choose Save report list.
- Save the DrWeb.csv report to your desktop.
- Exit Dr.Web CureIt when done.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
-
Followed your instructions, Drweb found 8 things, deleted 7 of them and cured the other. I saved the file and rebooted but now the laptop won't log on - it gets to the welcome page where you click on the user name to log on but immediately logs off and returns to that page. I can turn the laptop off or reboot but cannot log on. We only have one user on the laptop - please help!
-
Try in SAFE MODE (keep pressing F8 at bootup).
If it logs in in safe mode, then simply logging off and back in, in normal mode, might work.