I hope I'm posting in the right area; I'm not exactly sure what caused my problem. I never had this happen before. I was opening some of my e-mails when a pop-up came up from Internet Security 2010 (IS 2010) telling me my computer had been infected by a virus and all these other bad things. I closed the window and it just kept coming up asking me if I wanted to run a scan, and they would fix it if I bought their program. It told me to run my spyware and antivirus scan to fix the problem. So I ran the AVG protection I have and it said I was protected and all was normal. But I still could not get rid of this IS 2010; it kept popping up and even put its icon on my screen. I deleted that, but there was no program in the Add or Remove part of the Control Panel to get rid of. It turned my screen green with the warning that my computer was infected. So I tried a system restore and that got rid of the green screen and warning, but now when I click on the Internet Explorer icon it opens and quickly closes, so I can no longer get on the internet this way. I can get on the internet through Firefox though.
I just tried to undo the system restore that I did this past Friday and the machine says it's unable to do it. Is there anything that can be done to get this back to normal, or am I screwed?
THX in advance for any help.......Sal
From now on, don't use System Restore until you're told it's safe to do it.
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe.
***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***
STEP 1. Download SUPERAntiSpyware Free for Home Users:
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
* Close SUPERAntiSpyware.
PHYSICALLY DISCONNECT FROM THE INTERNET
Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until a menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.
* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
RECONNECT TO THE INTERNET
RESTART COMPUTER!
STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 3. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
Alternative downloads:
- |MG| GMER 1.0.15.15281 Download
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
When the scan is completed, click the Save button and save the results as gmer.log.
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
RESTART COMPUTER
STEP 4. Download HijackThis:
HijackThis - Trend Micro USA
by clicking on Installer under Version 2.0.2
[DO NOT download version 2.0.3 (beta)]
Install, and run it.
Post HijackThis log.
NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
I can no longer get on the internet with the infected computer. It locks up now and is very slow to respond to the start menu or anything else.
When I try to get on the internet through Firefox I get a window with "XUL Runner" with an error message.
I keep getting a security warning that says, "Application cannot be executed. The file svchost.exe is infected. Do you want to activate your antivirus software now?" If I click no it closes and opens right back up. I also get "File wuauclt.exe is infected", "File iedw.exe is infected". If I click yes another window tries to open, then closes and "Windows Security Center" opens up, but anything I try to do there gives me more files that are infected (file hpzipm.exe, file control.exe, file rundll32.exe, file wmiprvse.exe, file discupdmgr.exe, file launchmsn.exe).
In the bottom right corner I'm also getting a window that says "Antivirus software alert" the details say:
Attack from: 166.165.112.250, port 43957
Attacked port: 59803
Threat: Win32/Nuquel.E
Do you want to block this attack?
When I click yes a window tries to open and closes with another security warning.
I really don't know much about any of this but I'm trying to learn and want to learn more. I hope I'm not coming across as a dumb ass. This is so frustrating but, I want to beat it. Am I totally F##ked here or can this be fixed?
What should I do now?
Thx for putting up with me...................Sal
Download ComboFix (linked below) on the good computer and run it on the bad computer (it may be run in Safe Mode, if necessary).
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
I'm sorry Broni, but if you could, I would greatly appreciate it if you could give me step by step, in computers-for-idiots terms, how to do some of this stuff.
How do I download Combofix on a good computer and then get it to the bad one when the bad one will not let me do anything? And if it did, how do I do that?
How do I disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix?
How do I temporarily disable my anti-virus, script blocking and any anti-malware real-time protection before performing a scan?
Can I get on the internet in safe mode to download any of this stuff?
Will any of this process cause me to lose any pictures, music (iTunes) or info that are in My Documents on the hard drive?
Sorry for all the questions but I'm a little nervous to do this for fear of making things even worse.
Once again thanks for all the help........Sal
> How do I download Combofix on a good computer and then get it to the bad one when the bad one will not let me do anything? And if it did, how do I do that?
Use a USB memory stick or CD to move file(s) from one computer to another. If you don't have a USB memory stick, I strongly suggest you get one. They're very inexpensive ($10-$15) and they're very handy on many occasions.
> How do I disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix?
> How do I temporarily disable my anti-virus, script blocking and any anti-malware real-time protection before performing a scan?
There is a link in my previous reply which explains how to do it.
> Can I get on the internet in safe mode to download any of this stuff?
If you use Safe Mode with Networking, then yes.
> Will any of this process cause me to lose any pictures, music (iTunes) or info that are in My Documents on the hard drive?
No.
O.K. so I ran Combofix on the machine (not in Safe Mode) and it appeared to be successful.
During the Combofix run a window opened stating: " Combofix has detected the presence of rootkit activity and needs to reboot the machine". ( What does that mean??? )
The report is below:
But I still can't get on the internet. When I click on the Internet Explorer browser it opens a window and quickly closes. When I click on the Firefox browser a XUL Runner window opens up with this text in it:
Error: Platform version '1.9.0.3' is not compatible with
minVersion >= 1.9.0.17
maxVersion <= 1.9.0.17
I'm getting discouraged now, what should I do next???
Thanks again for the help..........Sal
ComboFix 10-01-23.03 - HP_Administrator 01/23/2010 21:46:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1569 [GMT -7:00]
Running from: l:\school_work\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\s
c:\windows\kb913800.exe
c:\windows\system32\warning.html
D:\Autorun.inf
Infected copy of c:\windows\system32\DRIVERS\iastor.sys was found and disinfected
Restored copy from - c:\windows\system32\drivers\iaStor.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.
2010-01-22 06:59 . 2010-01-22 06:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2010-01-21 00:01 . 2010-01-21 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\rhapsody
2010-01-21 00:00 . 2010-01-21 00:00 8413 ----a-w- c:\windows\system32\drivers\mcstrm.sys
2010-01-19 15:49 . 2010-01-22 05:17 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\alnxyv
2010-01-19 02:14 . 2010-01-22 06:24 -------- d-----w- C:\$AVG8.VAULT$
2010-01-18 13:19 . 2010-01-18 13:19 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Netscape
2010-01-16 06:58 . 2010-01-16 06:58 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-16 05:52 . 2010-01-16 05:52 -------- d-----w- c:\documents and settings\HP_Administrator\IECompatCache
2010-01-16 05:51 . 2010-01-16 05:51 -------- d-----w- c:\documents and settings\HP_Administrator\PrivacIE
2010-01-16 05:50 . 2010-01-16 05:50 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2010-01-16 05:50 . 2010-01-16 05:50 -------- d-----w- c:\documents and settings\HP_Administrator\IETldCache
2010-01-16 05:46 . 2010-01-16 05:46 -------- d-----w- c:\windows\ie8updates
2010-01-16 05:45 . 2010-01-16 06:57 -------- dc----w- c:\windows\ie8
2010-01-06 23:53 . 2010-01-19 17:03 1324 ----a-w- c:\windows\system32\d3d9caps.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 00:01 . 2006-09-29 14:48 -------- d-----w- c:\program files\Rhapsody
2010-01-20 22:24 . 2008-10-20 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-17 20:06 . 2008-10-20 20:15 7300 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2010-01-07 01:28 . 2010-01-07 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-01-07 01:28 . 2010-01-07 01:28 -------- d-----w- c:\program files\NVIDIA Corporation
2010-01-05 10:00 . 2004-08-10 04:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 04:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-23 15:58 . 2009-12-23 15:58 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-12-22 07:33 . 2009-12-22 07:33 -------- d-----w- c:\program files\Atari
2009-12-22 07:33 . 2006-09-29 14:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-22 06:09 . 2009-12-22 06:09 0 ----a-w- c:\windows\PowerReg.dat
2009-12-22 06:06 . 2009-12-22 06:06 -------- d-----w- c:\program files\Infogrames Interactive
2009-12-05 23:49 . 2008-10-20 18:42 1 ----a-w- c:\documents and settings\HP_Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-04 04:50 . 2009-02-17 17:40 -------- d-----w- c:\program files\Google
2009-12-02 11:23 . 2009-11-01 14:24 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HpUpdate
2009-11-25 07:28 . 2008-12-08 05:49 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-21 16:36 . 2004-08-10 04:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 03:32 . 2009-11-21 03:32 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-11-21 03:32 . 2009-11-21 03:32 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-11-21 03:32 . 2009-11-21 03:32 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-11-21 03:32 . 2009-11-21 03:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-21 03:32 . 2009-11-21 03:32 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-21 03:32 . 2009-11-21 03:32 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-11-21 02:34 . 2010-01-07 01:28 69632 ----a-w- c:\windows\system32\OpenCL.dll
2009-11-21 02:34 . 2010-01-07 01:28 4038656 ----a-w- c:\windows\system32\nvcuda.dll
2009-11-21 02:34 . 2010-01-07 01:28 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2009-11-21 02:34 . 2010-01-07 01:28 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-11-21 02:34 . 2010-01-07 01:28 13602816 ----a-w- c:\windows\system32\nvoglnt.dll
2009-11-21 02:34 . 2010-01-07 01:28 2293286 ----a-w- c:\windows\system32\nvdata.bin
2009-11-21 02:34 . 2010-01-07 01:28 182888 ----a-w- c:\windows\system32\nvcodins.dll
2009-11-21 02:34 . 2010-01-07 01:28 182888 ----a-w- c:\windows\system32\nvcod.dll
2009-11-21 02:34 . 2010-01-07 01:28 11374592 ----a-w- c:\windows\system32\nvcompiler.dll
2009-11-21 02:34 . 2010-01-07 01:28 1056768 ----a-w- c:\windows\system32\nvapi.dll
2009-11-21 02:34 . 2006-09-29 14:39 6282752 ----a-w- c:\windows\system32\nv4_disp.dll
2009-11-21 02:34 . 2006-09-29 14:39 10235968 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-11-08 22:41 . 2009-05-21 17:12 127325 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\uninstall.exe
2009-11-08 22:41 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-08 22:41 . 2009-11-08 22:41 1408800 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-10-31 04:07 . 2009-10-31 04:07 70932 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 07:46 . 2004-08-10 04:00 832512 ----a-w- c:\windows\system32\wininet(3).dll
2009-10-29 07:46 . 2004-08-10 04:00 1168384 ----a-w- c:\windows\system32\urlmon(3).dll
2009-10-29 07:45 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet(2).dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-03 39408]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-29 180269]
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 15:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/20/2008 11:10 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/20/2008 11:10 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/22/2008 8:22 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/22/2008 8:22 AM 297752]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [9/29/2006 7:40 AM 468768]
.
Contents of the 'Scheduled Tasks' folder
2010-01-24 c:\windows\Tasks\User_Feed_Synchronization-{B2D878FD-79C9-4F88-BF3A-394FAB37B082}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cox.net/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: trymedia.com
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\sp7a66g9.default\
FF - prefs.js: browser.startup.homepage - hxxp://phoenix.cox.net/cci/home
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\sp7a66g9.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-mdohikcu - c:\documents and settings\HP_Administrator\Local Settings\Application Data\alnxyv\uhsysysguard.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-01-23 21:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(4088)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\hp\KBD\KBD.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system\hpsysdrv.exe
c:\program files\Java\jre1.6.0_07\bin\jusched.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\program files\DISC\DISCover.exe
c:\program files\DISC\DiscUpdMgr.exe
c:\program files\DISC\DiscStreamHub.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-01-23 22:00:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 05:00
Pre-Run: 213,929,185,280 bytes free
Post-Run: 214,323,605,504 bytes free
- - End Of File - - D341E4815BAE55120A818B66ED7EA7AC
I shut the machine down and fired it back up, and at first the Internet Explorer browser was not working, and then I tried again and it came up.
But still getting that window when I try firefox????? Why is that???
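An added example, written for this thread and not part of the original posts or of ComboFix itself: a small Python triage script that reads a log fragment in the "Reg Loading Points" / "Supplementary Scan" format ComboFix produces and flags the two things a helper looks at first in such a log: an autostart entry that launches from a user-writable profile directory (the kind of path the ORPHANS REMOVED line above shows), and a ProxyServer setting pointing at a loopback address, which is worth verifying because every browser request then passes through whatever local process is listening on that port. The regexes, the finding categories ("profile-autostart", "unqualified-path", "loopback-proxy") and the sample entries are all constructed for this example; they are not the machine's real values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of ComboFix's "Reg Loading Points" and
# "Supplementary Scan" sections. The format follows the thread; the names,
# paths and sizes are made up for this example, not taken from a real log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-03 39408]
"mdohikcu"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\alnxyv\uhsysysguard.exe" [2010-01-19 311296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

HIVE_HEADER = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "name"="path" followed by an optional [date size] block, as ComboFix prints it.
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[[^\]]*\])?$')
# ComboFix prefixes user-hive values with "u" and machine-hive values with "m".
PROXY_LINE = re.compile(r"^[um]?Internet Settings,ProxyServer\s*=\s*(\S+)", re.I)
# A per-user profile root (XP or Vista/7 layout) followed by a user-writable folder.
PROFILE_ROOT = re.compile(r"^[a-z]:\\(documents and settings|users)\\[^\\]+\\", re.I)
USER_WRITABLE = re.compile(r"\\(application data|local settings|temp|appdata)\\", re.I)


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str


@dataclass
class Finding:
    kind: str
    detail: str


def parse_run_entries(text: str) -> List[RunEntry]:
    """Collect "name"="path" values listed under each Run key header."""
    entries, hive = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        header = HIVE_HEADER.match(line)
        if header:
            hive = header.group(1)
            continue
        value = RUN_VALUE.match(line)
        if value and hive.lower().endswith("\\run"):
            entries.append(RunEntry(hive, value.group(1), value.group(2)))
    return entries


def parse_proxy(text: str) -> Optional[str]:
    """Return the ProxyServer value if the log lists one, else None."""
    for raw in text.splitlines():
        m = PROXY_LINE.match(raw.strip())
        if m:
            return m.group(1)
    return None


def triage(text: str) -> List[Finding]:
    """Flag autostart entries and proxy settings that a reviewer should verify first."""
    findings: List[Finding] = []
    for entry in parse_run_entries(text):
        if PROFILE_ROOT.match(entry.path) and USER_WRITABLE.search(entry.path):
            # Autostart from a folder any user can write to: common for rogue AV droppers.
            findings.append(Finding("profile-autostart", f"{entry.name} -> {entry.path}"))
        elif "\\" not in entry.path:
            # Bare filename: resolved via the search path, so confirm where it really lives.
            findings.append(Finding("unqualified-path", f"{entry.name} -> {entry.path}"))
    proxy = parse_proxy(text)
    if proxy and re.search(r"127\.0\.0\.1|localhost", proxy, re.I):
        findings.append(Finding("loopback-proxy", proxy))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

The output is a list of leads, not verdicts: legitimate software does install under Application Data, and a bare filename in a Run value is usually just a vendor's habit, so each flagged line still has to be checked against the file on disk before anything is removed, which is exactly why the helper asks for the logs rather than having the user "fix" entries themselves.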
Just be patient.
You can't rush things with an infection.
We have to proceed slowly and cautiously.
We'll get there....
I'll review your Combofix log now.
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Restart computer.
===============================================================
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe.
***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***
STEP 1. Download SUPERAntiSpyware Free for Home Users:
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
* Close SUPERAntiSpyware.
PHYSICALLY DISCONNECT FROM THE INTERNET
Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until a menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.
* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
RECONNECT TO THE INTERNET
RESTART COMPUTER!
STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 4.
Post fresh HijackThis log.
NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!