Attack Yesterday



Plantier
2011-05-21, 08:57
I need assistance to recover from an attack but cannot. I tried to load ERUNT but it will not install.

DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Run by Owner at 6:28:45 on 2011-05-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.444 [GMT 2:00]
.
AV: Anti-virus firewall 9.12 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Anti-virus firewall 9.12 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\fsgk32st.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FSMA32.EXE
C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\FSGK32.EXE
C:\Program Files\Orange\AntivirusFirewall\Common\FSHDLL32.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Orange\AntivirusFirewall\FWES\Program\fsdfwd.exe
C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Orange\AntivirusFirewall\Anti-Virus\fsav32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Documents and Settings\Carole PALMER\Local Settings\Temporary Internet Files\Content.IE5\5OS75JB7\dds[1].scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}
uSearch Bar = hxxp://www.wanadoo.fr/go/page_recherche/
uStart Page = hxxp://www.facebook.com/home.php?ref=hp
uInternet Connection Wizard,ShellNext = hxxp://www.elonex.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uURLSearchHooks: SearchElf 1.2 Toolbar: {f4e6547e-325b-403c-a3bb-ad29ed37a92f} - c:\program files\searchelf_1.2\prxtbSea2.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: SearchElf 1.2 Toolbar: {f4e6547e-325b-403c-a3bb-ad29ed37a92f} - c:\program files\searchelf_1.2\prxtbSea2.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: SearchElf 1.2 Toolbar: {f4e6547e-325b-403c-a3bb-ad29ed37a92f} - c:\program files\searchelf_1.2\prxtbSea2.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [EPSON Stylus D78 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibge.exe /fu "c:\windows\temp\E_S2C7.tmp" /EF "HKLM"
mRun: [F-Secure Manager] "c:\program files\orange\antivirusfirewall\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\orange\antivirusfirewall\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\common files\panasonic\photofunstudio autostart\AutoStartupService.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
LSP: c:\program files\orange\antivirusfirewall\fsps\program\FSLSP.DLL
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134138356660
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164665774046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://www.securitoo.com/ols/fscax.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\carole palmer\application data\mozilla\firefox\profiles\lu1hxnh5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-9-8 42664]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-9-8 81864]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\orange\antivirusfirewall\hips\drivers\fshs.sys [2009-9-8 69928]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-2-17 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-2-17 108904]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\orange\antivirusfirewall\anti-virus\fsgk32st.exe [2009-9-8 221608]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\orange\antivirusfirewall\anti-virus\minifilter\fsgk.sys [2009-9-8 130728]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\orange\antivirusfirewall\orsp client\fsorsp.exe [2009-9-8 63992]
S2 gupdate1c9a6095bcb07de;Google Update Service (gupdate1c9a6095bcb07de);c:\program files\google\update\GoogleUpdate.exe [2009-3-16 133104]
S3 AX88172;ASIX AX88172 USB2 to Fast Ethernet Adapter;c:\windows\system32\drivers\ax88172.sys [2010-1-12 18224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-16 133104]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2007-1-10 72576]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\orange\antivirusfirewall\anti-virus\win2k\fsfilter.sys [2009-9-8 41640]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\orange\antivirusfirewall\anti-virus\win2k\fsrec.sys [2009-9-8 27048]
S4 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-1-10 30192]
S4 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-2-17 779496]
.
=============== Created Last 30 ================
.
2100-02-08 15:03:54 53248 -c--a-w- c:\program files\ACMonitor_X73.exe
2011-05-19 15:22:07 -------- d--h--w- c:\windows\PIF
.
==================== Find3M ====================
.
2011-04-12 12:06:13 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-04-06 14:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 14:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2001-05-08 15:36:42 114688 -c--a-w- c:\program files\lxarscan.dll
.
============= FINISH: 6:31:43.53 ===============

shelf life
2011-05-27, 03:16
hi Plantier,

Your post is a few days old. If you still need help simply reply back.

Plantier
2011-06-01, 09:09
Yes please, shelf life, I'm desperate.

shelf life
2011-06-01, 23:38
OK. Start with Malwarebytes and let's see what that can dig up.

Please download the free version of Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted, please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.

Plantier
2011-06-02, 09:04
Thank you for your reply.

I have two computers on a 'Livebox'. I am replying on the one with least (perhaps no) problems. The other is a laptop.

I attempted to load Malwarebytes on the laptop. I got a 'loading' message but was then transferred to a Techspot page offering Malwarebytes Anti-Malware 1.51.0 at $24.95. I can find no evidence that the application has loaded.

I tried the same on this computer, and was redirected to FileForum offering Malwarebytes Anti-Malware 1.51.0.1200, again at $24.95. Again there is no evidence of the application (free version) having loaded.

Plantier
2011-06-02, 14:23
Just tried again, and loaded mbam-setup on the desktop. When I try to run the app I get 'Choose the program you want to open this file'.

This happens with many .exe applications, e.g. SpyBot, Securitoo.

Plantier
2011-06-02, 18:21
I loaded Malwarebytes on the good computer and ran it, with no infections.

Plantier
2011-06-02, 18:24
The log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6753

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

02/06/2011 17:14:44
mbam-log-2011-06-02 (17-14-44).txt

Scan type: Full scan (C:\|D:\|J:\|)
Objects scanned: 330479
Time elapsed: 3 hour(s), 41 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shelf life
2011-06-03, 00:13
1) Try renaming the mbam-setup.exe to something like plantier.exe and see what happens.

If that doesn't work:

2) Boot your computer into safe mode. To reach safe mode you would tap the F8 key during a computer restart and choose "Safe Mode with Networking". Log into your usual account. Once at the safe mode desktop, try installing Malwarebytes and updating it before a scan.

If that doesn't work:
reboot the computer normally.

3) Please download rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com) by Grinler and save it to your desktop:

Double-click on the Rkill desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After it's finished, try installing, updating and running Malwarebytes.

If Malwarebytes doesn't run, download rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
Double-click on the Rkill.scr desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After it's finished, try installing, updating and running Malwarebytes.

If Malwarebytes doesn't run, download explorer.exe (http://download.bleepingcomputer.com/grinler/eXplorer.exe)
Double-click on the eXplorer.exe desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After it's finished, try installing, updating and running Malwarebytes.

If Malwarebytes doesn't run, download iExplore.exe (http://download.bleepingcomputer.com/grinler/iExplore.exe)
Double-click on the iExplore.exe desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After it's finished, try installing, updating and running Malwarebytes.

If Malwarebytes doesn't run, download uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)

Double-click on the uSeRiNiT.exe desktop icon to run the tool.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
After it's finished, try installing, updating and running Malwarebytes.

Hopefully MBAM will install and run OK.

Plantier
2011-06-03, 10:53
I've tried all the options several times over. I am able to load from the web, but none of the .exe files will run.

I get the same 'Open With...' screen.

I renamed MBAM.exe. Downloaded rkill.exe, rkill.scr and the others (explorer.exe, iexplore.exe, userinit.exe); all came up automatically with rkill.exe and 'Open With...'

shelf life
2011-06-03, 23:30
OK.

1) Create a new system restore point:

1. Click Start, click Run, type %SystemRoot%\system32\restore\rstrui.exe, and then click OK.
2. On the Welcome to System Restore page, click Create a restore point, and then click Next.
3. On the Create a Restore Point page, type a name for the restore point and then click Create.
4. After the restore point has been created, click Close.

Note: If System Restore is turned off, you receive a message that asks whether you want to turn on System Restore now. Click Yes. Then, in the System Properties dialog box, click to clear the Turn off System Restore check box, click OK, and then repeat this step.

2) Download this (http://download.bleepingcomputer.com/reg/FixExe.reg). Extract it to your desktop, then double-click it; if asked to "merge to registry", select Yes. Afterwards try running MBAM.

Plantier
2011-06-04, 00:06
I get 'Open with...' for the file rstrui.exe

Plantier
2011-06-04, 00:47
I downloaded 'this' and now have Malwarebytes, which I will run.

Plantier
2011-06-04, 07:59
It worked!



Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6766

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/06/2011 06:46:58
mbam-log-2011-06-04 (06-46-58).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 264151
Time elapsed: 1 hour(s), 29 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\Desktop\antivirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
c:\documents and settings\carole palmer\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
c:\documents and settings\carole palmer\Desktop\userinit.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

shelf life
2011-06-04, 16:36
OK, good. Not much in the log to worry about. How's it looking on your end now?

Plantier
2011-06-04, 19:50
Seems fine now.
What worries me is responding to security warnings. I have one now, a Windows Security Alert. Do I tick the box for automatic updates, or ignore it?
This is what got me into trouble in the first place. How do I know the 'flags' and popups are genuine?

shelf life
2011-06-04, 23:20
Do you have Windows Update turned on? Start > Settings > Control Panel > Security Center. You can also manage the settings from there. You could also visit Windows Update. (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us)

Windows Security Alert
What you are seeing sounds like scareware. There are no security alerts that pop up that are from Windows. At the most you may see an icon by the clock that displays a message when you toggle over it that is from Windows, but scareware can mimic this also.
Are you seeing this popup only when you are on the internet? Is it coming from an icon by the clock?
See this link. (http://www.malwarevault.com/scareware.html)

Plantier
2011-06-05, 00:22
Control Panel > System says Automatic Updates is on, the icon next to the clock says off, and I am unable to change it: it says go to the System panel and switch it on there.

Your link shows the kind of thing I'm concerned about.

Plantier
2011-06-05, 01:05
I associate the scareware with the point when my antivirus and Spybot failed to work. Were they not the source of the infections?

I followed your link to Windows Update on both computers. I get a different page displayed on each; this again makes me suspicious.

I have a problem with the laptop keyboard: the characters jump to the beginning of the word sometimes. Is this me? I don't use it very often.

Perhaps I'm nit-picking now. I want to thank you, Shelf Life, for helping me (us) with this problem, and I appreciate very much that you are prepared to give your time and experience to help the thousands of us that get into difficulty.

shelf life
2011-06-05, 03:48
OK, you're welcome. I am not seeing any malware. That "open with" problem must have been a bad file association. Malware can cause it also, but your logs don't look bad. Please post the link to the Windows Update page you went to.

Also we will get another download to use as a check for malware. It's called ComboFix; there is a guide to read first. Read through the guide, then apply the directions on your own machine. Post the ComboFix log.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
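The "bad file association" diagnosis above can be checked directly: the "Open With" prompt for every .exe appears when the registry entries that map .exe to the exefile class, or the exefile open command itself, have been altered or overridden per user. The following read-only PowerShell audit is an added example for this thread (not code from the thread or from the tools it names); it reports deviations from the stock values and leaves the repair to something like the FixExe.reg mentioned earlier. It assumes the standard key locations and default values of a stock Windows install.

```powershell
# Audit of the registry locations that decide how Windows launches .exe files.
# Added example, not the thread's own code. Read-only: nothing is changed.
# Run from an elevated PowerShell prompt (elevation is only needed so that
# every key can be read).

function Get-DefaultValue {
    param([string]$Path)
    # Returns the key's (Default) value, or $null when the key is missing.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function New-Finding {
    param([string]$Check, [string]$Expected, [string]$Actual)
    # New-Object keeps this usable on older PowerShell versions (XP era).
    return New-Object PSObject -Property @{
        Check    = $Check
        Expected = $Expected
        Actual   = $Actual
    }
}

function Test-ExeAssociation {
    $findings = @()

    # 1. Machine-wide association: the .exe extension must map to 'exefile'.
    $cls = Get-DefaultValue 'HKLM:\SOFTWARE\Classes\.exe'
    if ($cls -ne 'exefile') {
        $findings += New-Finding 'HKLM .exe class' 'exefile' "$cls"
    }

    # 2. The launch command. The stock value is "%1" %* (the program itself,
    #    then its arguments). Anything inserted in front of %1 means every
    #    .exe is being routed through that other program first.
    $cmd = Get-DefaultValue 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
    if ($cmd -ne '"%1" %*') {
        $findings += New-Finding 'HKLM exefile open command' '"%1" %*' "$cmd"
    }

    # 3. Per-user overrides. These keys are absent on a clean profile; when
    #    present they take precedence over the machine-wide values above,
    #    so each one is worth a look even if it turns out to be harmless.
    $userKeys = @(
        'HKCU:\Software\Classes\.exe',
        'HKCU:\Software\Classes\exefile',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
    )
    foreach ($k in $userKeys) {
        if (Test-Path -LiteralPath $k) {
            $findings += New-Finding 'per-user override present' '(absent)' $k
        }
    }

    return $findings
}

$result = @(Test-ExeAssociation)
if ($result.Count -eq 0) {
    Write-Output 'No deviation found in the .exe file association.'
} else {
    $result | Format-Table Check, Expected, Actual -AutoSize
}
```

A non-empty report does not by itself prove malware (a legitimate "open with" choice can create the per-user keys), but a changed open command is the classic cause of the symptom described in this thread.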

Plantier
2011-06-05, 06:51
Windows Update Ref: Laptop

http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us

Plantier
2011-06-05, 06:51
Update Ref: Desktop Computer

http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

Plantier
2011-06-05, 08:29
Combofix Log:

Going for a walk now - about 20k - beautiful morning, but still no rain

ComboFix 11-06-04.02 - Carole PALMER 05/06/2011 6:55.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.510 [GMT 2:00]
Running from: c:\documents and settings\Carole PALMER\Desktop\ComboFix.exe
AV: Anti-virus firewall 9.12 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Anti-virus firewall 9.12 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Carole PALMER\Application Data\PriceGong
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Carole PALMER\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Carole PALMER\My Documents\AdbeRdr810_en_US.0xe
c:\documents and settings\Carole PALMER\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-05-05 to 2011-06-05 )))))))))))))))))))))))))))))))
.
.
2100-02-08 15:03 . 2001-05-11 10:39 53248 -c--a-w- c:\program files\ACMonitor_X73.exe
2011-06-03 21:45 . 2011-06-03 21:45 -------- d-----w- c:\documents and settings\Carole PALMER\Application Data\Malwarebytes
2011-06-03 21:45 . 2011-05-29 07:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-03 21:45 . 2011-06-03 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-03 21:45 . 2011-05-29 07:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-03 21:45 . 2011-06-03 21:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-03 21:36 . 2011-06-03 21:36 -------- d--h--w- c:\windows\PIF
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-12 12:06 . 2011-03-10 10:12 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-04-06 14:20 . 2011-04-06 14:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 14:20 . 2011-04-06 14:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2005-12-09 13:57 692736 ----a-w- c:\windows\system32\inetcomm.dll
2001-05-08 15:36 . 2000-12-05 14:56 114688 -c--a-w- c:\program files\lxarscan.dll
2009-10-27 08:51 . 2007-04-13 10:56 119808 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{f4e6547e-325b-403c-a3bb-ad29ed37a92f}"= "c:\program files\SearchElf_1.2\prxtbSea2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{f4e6547e-325b-403c-a3bb-ad29ed37a92f}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f4e6547e-325b-403c-a3bb-ad29ed37a92f}]
2011-01-17 14:54 175912 ----a-w- c:\program files\SearchElf_1.2\prxtbSea2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{f4e6547e-325b-403c-a3bb-ad29ed37a92f}"= "c:\program files\SearchElf_1.2\prxtbSea2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{f4e6547e-325b-403c-a3bb-ad29ed37a92f}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F4E6547E-325B-403C-A3BB-AD29ED37A92F}"= "c:\program files\SearchElf_1.2\prxtbSea2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{f4e6547e-325b-403c-a3bb-ad29ed37a92f}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-03-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-03-10 126976]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-08 14565376]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"F-Secure Manager"="c:\program files\Orange\AntivirusFirewall\Common\FSM32.EXE" [2009-11-18 201128]
"F-Secure TNB"="c:\program files\Orange\AntivirusFirewall\FSGUI\TNBUtil.exe" [2009-11-18 1655208]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-6-26 67128]
PHOTOfunSTUDIO 5.0.lnk - c:\program files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe [2010-12-26 172544]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Carole PALMER^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Carole PALMER\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 23:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-10-27 08:51 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HControl]
2005-08-29 11:30 102400 -c--a-w- c:\windows\ATK0100\HControl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 09:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 13:44 196608 -c--a-w- c:\program files\Logitech\Video\ManifestEngine.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-02 19:24 32768 -c--a-w- c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-10-13 16:20 20058152 ----a-w- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 03:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-03-30 19:36 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RapportMgmtService"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate1c9a6095bcb07de"=2 (0x2)
"GoogleDesktopManager-093009-130223"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\WirelessFTP1.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [08/09/2009 13:42 42664]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [08/09/2009 13:41 81864]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Orange\AntivirusFirewall\HIPS\drivers\fshs.sys [08/09/2009 13:40 69928]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [17/02/2010 12:44 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [17/02/2010 12:44 108904]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Orange\AntivirusFirewall\Anti-Virus\minifilter\fsgk.sys [08/09/2009 13:39 130728]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Orange\AntivirusFirewall\ORSP Client\fsorsp.exe [08/09/2009 13:40 61088]
S2 gupdate1c9a6095bcb07de;Google Update Service (gupdate1c9a6095bcb07de);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 09:32 133104]
S3 AX88172;ASIX AX88172 USB2 to Fast Ethernet Adapter;c:\windows\system32\drivers\ax88172.sys [12/01/2010 15:22 18224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 09:32 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [03/06/2011 23:45 39984]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [10/01/2007 14:51 72576]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Orange\AntivirusFirewall\Anti-Virus\win2k\fsfilter.sys [08/09/2009 13:39 41640]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Orange\AntivirusFirewall\Anti-Virus\win2k\fsrec.sys [08/09/2009 13:39 27048]
S4 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/01/2007 15:12 30192]
S4 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [17/02/2010 12:44 779496]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
2011-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 07:32]
.
2011-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 07:32]
.
2011-06-05 c:\windows\Tasks\User_Feed_Synchronization-{F47F2B7F-9F45-4CC4-A408-7861B344BA3D}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p={searchTerms}
uStart Page = hxxp://www.facebook.com/home.php?ref=hp
uInternet Connection Wizard,ShellNext = hxxp://www.elonex.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\program files\Orange\AntivirusFirewall\FSPS\program\FSLSP.DLL
TCP: DhcpNameServer = 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Carole PALMER\Application Data\Mozilla\Firefox\Profiles\lu1hxnh5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
HKLM-Run-PrinTray - c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-WOOKIT - c:\progra~1\Wanadoo\Shell.exe
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10431966 - c:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10431966\HXFSETUP.EXE -U -IHDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_10431966
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-05 07:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(820)
c:\program files\orange\antivirusfirewall\hips\fshook32.dll
.
- - - - - - - > 'lsass.exe'(876)
c:\program files\Orange\AntivirusFirewall\FSPS\program\FSLSP.DLL
c:\program files\orange\antivirusfirewall\hips\fshook32.dll
.
- - - - - - - > 'explorer.exe'(4944)
c:\windows\system32\WININET.dll
c:\program files\orange\antivirusfirewall\hips\fshook32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Orange\AntivirusFirewall\FSPS\program\FSLSP.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\orange\antivirusfirewall\scanner-interface\fsgkiapi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Orange\AntivirusFirewall\Anti-Virus\fsgk32st.exe
c:\program files\Orange\AntivirusFirewall\Common\FSMA32.EXE
c:\program files\Orange\AntivirusFirewall\Anti-Virus\FSGK32.EXE
c:\program files\Orange\AntivirusFirewall\Common\FSHDLL32.EXE
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Orange\AntivirusFirewall\FWES\Program\fsdfwd.exe
c:\program files\Orange\AntivirusFirewall\Anti-Virus\fssm32.exe
c:\program files\Orange\AntivirusFirewall\Anti-Virus\fsav32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-06-05 07:21:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-05 05:21
.
Pre-Run: 43,989,585,920 bytes free
Post-Run: 44,332,535,808 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B328463339B7CE4903858492964B0DB9

shelf life
2011-06-05, 18:44
hi,

Combofix log looks ok. Those links you posted took me to the MS Update website.
You can remove combofix like this:
start>run and type in:
combofix /uninstall
click ok or enter
Note there is a space after the x and before the /

You can also delete all those rkill files you downloaded. I think your file association got messed up somehow, not malware related.

Plantier
2011-06-05, 19:55
All done.

Very many thanks for your help

shelf life
2011-06-05, 23:57
OK, you're welcome. You're good to go. Here are some tips to help you remain malware free:

10 Tips for Prevention and Avoidance of Malware:

There is no reason why your computer cannot stay malware free.

No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows), browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx). Staying updated is also essential for web based applications, browser plugins and addons like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here (http://secunia.com/vulnerability_scanning/online/).

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you are prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Do you trust the source? See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A slide show on how to secure Internet Explorer 8.0 for safer surfing (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing). How to harden FireFox for safer surfing (http://threatpost.com/en_us/slideshow/How-to-configure-Mozilla-Firefox-for-secure-surfing?utm_source=Second+Sidebar&utm_medium=Featured+Slideshows&utm_campaign=Configure+Mozilla+Firefox).

10) Warez, cracks etc. are very popular for carrying malware payloads. If you download/install files via p2p networks you will encounter malware. A file can be named anything and be nothing but malware, or have malware bundled in it. Can you really trust the source of the file?

More info/tips with pictures, links below

Happy Safe Surfing.

Plantier
2011-06-08, 16:50
In trouble again:

Following your suggestion I changed access to Limited Account, but all email messages and address book have gone. Can you help me recover them?

I also ran Spybot S&D yesterday and it notified 15 'problems'. I assume they were ghosts of the dead viruses - come back to haunt me.

Plantier
2011-06-08, 22:15
Sorry about the panic, but I've sorted out the email problem.

shelf life
2011-06-09, 00:13
OK, no problem. What is it Spybot is finding? Can you post it? If it's cookies, they are not really much to worry about. Limited accounts may take some getting used to.

Plantier
2011-06-09, 20:27
Not sure file is attached

shelf life
2011-06-10, 00:28
Hi,

Got it. I don't see anything in there to be worried about. Looks fine.