PDA

View Full Version : Virtumonde, Antivirus Override, and more



SLRHCristy
2011-06-16, 10:36
Hello,
Seems like we are quite infected. Started with fake antivirus notifications (title of window popping up was "Windows Vista 2012 Alert" or something similar), which also suppressed our normal security warnings that pop up-I used to ignore those, thinking they were just free trials of random products trying to get us to purchase them. I use S&D to clear viruses and then they are right back again the next time I log on, and now a Virtumonde virus has shown up. Not very computer savvy, and certain we are not using any/enough/correct programs to stay protected-need some help cleaning and then protecting our computer. Any help is very much appreciated.

Thanks!

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_20
Run by Jason at 0:21:01 on 2011-06-16
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2036.1191 [GMT -6:00]
.
AV: avast! antivirus *Enabled/Outdated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Enabled/Outdated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\System32\mobsync.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net?cid=NET_mmhpset
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Ylukamoheyeva] rundll32.exe "c:\users\jason\appdata\local\dins049.dll",Startup
uRun: [Rdateno] rundll32.exe "c:\users\jason\appdata\local\ayodipokidupa.dll",Startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Rdateno] rundll32.exe "c:\users\jason\appdata\local\ayodipokidupa.dll",Startup
StartupFolder: c:\users\jason\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{F7BD6E73-F03E-4C12-85B8-8ADE8BF19A9B} : DhcpNameServer = 192.168.0.1 205.171.3.25
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\fjz7lecu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2310140&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - LegendsOfZork Customized Web Search
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - component: c:\users\jason\appdata\roaming\mozilla\firefox\profiles\fjz7lecu.default\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}\components\FFExternalAlert.dll
FF - component: c:\users\jason\appdata\roaming\mozilla\firefox\profiles\fjz7lecu.default\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}\components\RadioWMPCore.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Sukoku: {7AB6D133-2A14-4C11-B3AD-35B1548D38F9} - c:\program files\mozilla firefox\extensions\{7AB6D133-2A14-4C11-B3AD-35B1548D38F9}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LegendsOfZork Toolbar: {0fc0ec69-5eca-413a-a7cb-765fff3f9768} - %profile%\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}
FF - Ext: XULRunner: {AAE87C63-8801-4CCB-8775-6E1A609F940C} - c:\users\jason\appdata\local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-11 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-2-11 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-11 138680]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-24 1153368]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-11 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-11 352920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-14 08:22:35 0 ----a-w- c:\users\jason\appdata\local\Pbegaxacodene.bin
2011-06-14 08:22:34 -------- d-----w- c:\users\jason\appdata\local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}
2011-06-09 23:13:26 1062984 ----a-w- c:\users\jason\gotomypc_540.exe
.
==================== Find3M ====================



.
.
============= FINISH: 0:22:11.14 ===============

SPYBOT S&D Results:

Virtumonde.prx: [SBI $0E36D458] Autorun settings (Rdateno) (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1516005676-1222019494-700852110-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rdateno

Virtumonde.prx: [SBI $0E36D458] Program file (File, nothing done)
C:\Users\Jason\AppData\Local\ayodipokidupa.dll
Properties.size=274432
Properties.md5=868349B56DD907AF13B139AB2B113DEE
Properties.filedate=1200882262
Properties.filedatetext=2008-01-20 20:24:21

Virtumonde.prx: [SBI $0E36D458] Autorun settings (Rdateno) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rdateno

Virtumonde.prx: [SBI $0E36D458] Autorun settings (Rdateno) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rdateno


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-10-24 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-05-17 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-05-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-04-05 Includes\Malware.sbi (*)
2011-06-07 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-05-24 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-05-31 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-05-17 Includes\Trojans.sbi (*)
2011-05-11 Includes\TrojansC-02.sbi (*)
2011-05-11 Includes\TrojansC-03.sbi (*)
2011-06-06 Includes\TrojansC-04.sbi (*)
2011-06-06 Includes\TrojansC-05.sbi (*)
2011-06-07 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Shaba
2011-06-16, 18:56
Hi SLRHCristy

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

SLRHCristy
2011-06-16, 21:56
Hello,

Here is the combofix log for your review.

Thanks!

ComboFix 11-06-15.04 - Jason 06/16/2011 12:33:46.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2036.1137 [GMT -6:00]
Running from: c:\users\Jason\Downloads\ComboFix.exe
AV: avast! antivirus *Disabled/Outdated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Disabled/Outdated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Sukoku
c:\program files\Sukoku\sukoku.dll
c:\program files\Sukoku\uninstall.exe
c:\programdata\Sukoku
c:\users\Jason\AppData\Local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}
c:\users\Jason\AppData\Local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}\chrome.manifest
c:\users\Jason\AppData\Local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}\chrome\content\_cfg.js
c:\users\Jason\AppData\Local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}\chrome\content\overlay.xul
c:\users\Jason\AppData\Local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}\install.rdf
c:\users\Jason\AppData\Local\ayodipokidupa.dll
c:\users\Jason\AppData\Local\dins049.dll
c:\users\Jason\gotomypc_540.exe
c:\windows\system32\jusched.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
.
.
2011-06-16 18:41 . 2011-06-16 18:41 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-06-16 18:41 . 2011-06-16 18:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-16 18:41 . 2011-06-16 18:41 -------- d-----w- c:\users\cristy\AppData\Local\temp
2011-06-16 18:41 . 2011-06-16 18:41 -------- d-----w- c:\users\cass\AppData\Local\temp
2011-06-14 08:22 . 2011-06-16 14:48 0 ----a-w- c:\users\Jason\AppData\Local\Pbegaxacodene.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-01-19 942080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-30 278528]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-26 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-26 133656]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-16 c:\windows\Tasks\User_Feed_Synchronization-{75F4A956-7178-4257-A9AE-BB2C68A6FF0E}.job
- c:\windows\system32\msfeedssync.exe [2011-04-17 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net?cid=NET_mmhpset
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\fjz7lecu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2310140&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - LegendsOfZork Customized Web Search
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - Ext: Sukoku: {7AB6D133-2A14-4C11-B3AD-35B1548D38F9} - c:\program files\Mozilla Firefox\extensions\{7AB6D133-2A14-4C11-B3AD-35B1548D38F9}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LegendsOfZork Toolbar: {0fc0ec69-5eca-413a-a7cb-765fff3f9768} - %profile%\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Ylukamoheyeva - c:\users\Jason\AppData\Local\dins049.dll
HKCU-Run-Rdateno - c:\users\Jason\AppData\Local\ayodipokidupa.dll
HKLM-Run-Lexmark X1100 Series - c:\program files\Lexmark X1100 Series\lxbkbmgr.exe
HKLM-Run-Rdateno - c:\users\Jason\AppData\Local\ayodipokidupa.dll
AddRemove-Sukoku - c:\program files\Sukoku\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-16 12:44
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Device Parameters\MODES]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\RtHDVCpl.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-06-16 12:50:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-16 18:50
ComboFix2.txt 2009-11-01 17:25
.
Pre-Run: 257,522,483,200 bytes free
Post-Run: 257,487,187,968 bytes free
.
- - End Of File - - 39351B85201F9584C65826A8BC860962

Shaba
2011-06-18, 09:25
Hi

Does spybot still find something and do you still have same symptoms?

SLRHCristy
2011-06-19, 07:35
Hello Shaba,

Yes, the same viruses still show up once I have shut down and re-started. We have used the internet over the past few days, but these are the same viruses that showed up originally before the virtumonde popped into the picture, and they show up every time we restart the system. Each time I turn on the computer, I run Spybot, fix problems, then shut down. And once I log in again, the viruses are back. I did as instructed and ran combofix and then ran spybot per your instructions, and the viruses still show up...I no longer see the virtumonde and the windows security block/fake popups, but the same five viruses keep showing up in spybot. These were not listed on the first log I sent you since I had already run spybot several times before that and didn't think these would show back up again...

Here is the log:


DoubleClick: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)


Zedo: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)


Zedo: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)


Zedo: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)


Zedo: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)


Zedo: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-10-24 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-05-17 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-05-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-04-05 Includes\Malware.sbi (*)
2011-06-07 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-05-24 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-05-31 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-05-17 Includes\Trojans.sbi (*)
2011-05-11 Includes\TrojansC-02.sbi (*)
2011-05-11 Includes\TrojansC-03.sbi (*)
2011-06-06 Includes\TrojansC-04.sbi (*)
2011-06-06 Includes\TrojansC-05.sbi (*)
2011-06-07 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Shaba
2011-06-19, 21:43
Those are not dangerous but more like harmless.

Please see here (http://www.spybot.info/en/faq/37.html) how to prevent them coming.

Let me know if it helped.

SLRHCristy
2011-06-21, 02:09
Hi Shaba,

I changed the cookie settings, used the internet for a bit, ran Spybot, and no new problems found. Thank you!

Can you provide some information for final cleanup and protection?

Shaba
2011-06-22, 17:08
Sure but could you before that post me a fresh DDS log, please :)

SLRHCristy
2011-07-01, 22:14
Hi Shaba,

Had family emergency come up and lost track of getting the computer cleaned-my daughter was using playlist.com and other sites today, and now everything is slow and cannot even access spybot-says I do not have permissions. Here is the DDS log:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_20
Run by Jason at 13:06:36 on 2011-07-01
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2036.1122 [GMT -6:00]
.
AV: avast! antivirus *Enabled/Outdated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Enabled/Outdated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net?cid=NET_mmhpset
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
StartupFolder: c:\users\jason\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
LSP: mswsock.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{F7BD6E73-F03E-4C12-85B8-8ADE8BF19A9B} : DhcpNameServer = 192.168.0.1 205.171.3.25
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\fjz7lecu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2310140&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - LegendsOfZork Customized Web Search
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - component: c:\users\jason\appdata\roaming\mozilla\firefox\profiles\fjz7lecu.default\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}\components\FFExternalAlert.dll
FF - component: c:\users\jason\appdata\roaming\mozilla\firefox\profiles\fjz7lecu.default\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}\components\RadioWMPCore.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Sukoku: {7AB6D133-2A14-4C11-B3AD-35B1548D38F9} - c:\program files\mozilla firefox\extensions\{7AB6D133-2A14-4C11-B3AD-35B1548D38F9}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LegendsOfZork Toolbar: {0fc0ec69-5eca-413a-a7cb-765fff3f9768} - %profile%\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-11 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-2-11 53328]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-24 1153368]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-11 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-11 352920]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-11 138680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-01 18:44:18 25984 ----a-w- c:\windows\system32\drivers\1205265706.sys
2011-07-01 04:11:11 -------- d-----w- c:\programdata\Sony Corporation
2011-07-01 04:02:35 -------- d-----w- c:\program files\common files\Sony Shared
2011-07-01 04:00:03 -------- d-----w- c:\users\jason\appdata\local\Downloaded Installations
2011-07-01 03:58:30 -------- d-----w- c:\program files\Sony
2011-06-28 23:35:02 276992 ----a-w- c:\windows\system32\schannel.dll
2011-06-16 21:26:09 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-16 21:26:07 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-16 21:26:05 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-16 21:26:05 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-16 21:26:03 563200 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-16 18:44:19 -------- d-sh--w- C:\$RECYCLE.BIN
2011-06-14 08:22:35 0 ----a-w- c:\users\jason\appdata\local\Pbegaxacodene.bin
.
==================== Find3M ====================
.
2011-05-28 06:08:58 916480 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:04:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:04:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:04:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 06:04:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 05:10:26 385024 ----a-w- c:\windows\system32\html.iec
2011-05-28 04:33:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:31:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-02 15:58:28 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 12:49:51 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-29 12:49:44 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-29 12:49:35 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
============= FINISH: 13:07:12.47 ===============

Shaba
2011-07-09, 09:59
Hi and sorry for delay.

For some reason I didn't get an email notification.

Please rerun combofix and post back a fresh combofix log.

SLRHCristy
2011-07-10, 03:48
Shaba,

I cannot locate ComboFix on my computer, so I tried installing from the link you posted previously-it begins, but I cannot get it to run. First I get an error saying it cannot be renamed as ComboFix(2), then when I uninstalled ComboFix and re-installed per the instructions on bleepingcomputer.com, it gets to the beginning blue screen saying it is going to begin scanning, but then it never moves on to the next step as normal.

What should I try now?

Thanks!
Cristy

SLRHCristy
2011-07-13, 20:51
Shaba,

I cannot locate ComboFix on my computer, so I tried installing from the link you posted previously-it begins, but I cannot get it to run. First I get an error saying it cannot be renamed as ComboFix(2), then when I uninstalled ComboFix and re-installed per the instructions on bleepingcomputer.com, it gets to the beginning blue screen saying it is going to begin scanning, but then it never moves on to the next step as normal. I have done this several times, waiting at least two to three hours with nothing happening.

What should I try now?

Thanks!
Cristy

Shaba
2011-07-24, 09:01
Hi SLRHCristy

I am very sorry but I didn't get a notification this time either. I will now look manually if any new replies.

Please try to run combofix in safe mode and let me know it if works there.

SLRHCristy
2011-07-28, 06:35
Hi Shaba,

I was able to run ComboFix in safe mode, but the power went out right when ComboFix was preparing the log. Should I just run ComboFix again, or is there a way to retrieve the log?

Thanks,
Cristy

SLRHCristy
2011-07-28, 06:36
Just to clarify, the power went out in our town, not just on the computer...

SLRHCristy
2011-08-04, 17:04
Hi Shaba,

I don't know what happened to my last two posts. I seriously feel like someone has access to my file and is deleting my posts or something. I updated the same day you responded to me, but I do not see it here anywhere. Strange...anyhow, I ran combofix, but our power went out due to a thunderstorm when the system was generating the ComboFix log. Should I re-run combofix again, or how should I proceed?


Thanks!
Cristy

Shaba
2011-08-04, 17:34
Hi SLRHCristy

Yes I think it has been a forum bug because it did show my post as latest in board index before your latest one.

Yes please rerun combofix.

SLRHCristy
2011-08-04, 23:23
Hi Shaba,

Here is a fresh ComboFix log.

Thanks!
Cristy

ComboFix 11-08-04.02 - Jason 08/04/2011 14:09:26.3.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2036.1456 [GMT -6:00]
Running from: c:\users\Jason\Downloads\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_MSIL\desktop.ini
.
---- Previous Run -------
.
c:\windows\assembly\GAC_MSIL\desktop.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1205265706
.
.
((((((((((((((((((((((((( Files Created from 2011-07-04 to 2011-08-04 )))))))))))))))))))))))))))))))
.
.
2011-08-04 20:14 . 2011-08-04 20:15 -------- d-----w- c:\users\Jason\AppData\Local\temp
2011-08-04 20:14 . 2011-08-04 20:14 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-08-04 20:14 . 2011-08-04 20:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-02 07:13 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5BF49CC8-32F7-4FF6-8569-34F81EAF1BA6}\mpengine.dll
2011-07-13 03:54 . 2011-06-02 12:59 2042368 ----a-w- c:\windows\system32\win32k.sys
2011-07-13 03:54 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-13 03:54 . 2011-04-20 14:44 49152 ----a-w- c:\windows\system32\csrsrv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 14:48 . 2011-06-14 08:22 0 ----a-w- c:\users\Jason\AppData\Local\Pbegaxacodene.bin
2011-05-28 06:08 . 2011-06-16 21:25 916480 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:04 . 2011-06-16 21:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:04 . 2011-06-16 21:25 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:04 . 2011-06-16 21:25 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 06:04 . 2011-06-16 21:25 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 05:10 . 2011-06-16 21:25 385024 ----a-w- c:\windows\system32\html.iec
2011-05-28 04:33 . 2011-06-16 21:25 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:31 . 2011-06-16 21:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-25 01:14 . 2009-10-03 15:47 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-01-19 942080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-30 278528]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-26 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-26 133656]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-20 583016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-04 c:\windows\Tasks\User_Feed_Synchronization-{75F4A956-7178-4257-A9AE-BB2C68A6FF0E}.job
- c:\windows\system32\msfeedssync.exe [2011-06-16 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net?cid=NET_mmhpset
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\wpclsp.dll
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\fjz7lecu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2310140&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - LegendsOfZork Customized Web Search
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - Ext: Sukoku: {7AB6D133-2A14-4C11-B3AD-35B1548D38F9} - c:\program files\Mozilla Firefox\extensions\{7AB6D133-2A14-4C11-B3AD-35B1548D38F9}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: LegendsOfZork Toolbar: {0fc0ec69-5eca-413a-a7cb-765fff3f9768} - %profile%\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-04 14:16
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Device Parameters\MODES]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(676)
c:\windows\system32\mswsock.dll
mswsock.dll 750f0000 241664 \\?\globalroot\systemroot\system32\mswsock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\windows\system32\wermgr.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2011-08-04 14:21:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-04 20:21
.
Pre-Run: 307,328,016,384 bytes free
Post-Run: 305,092,399,104 bytes free
.
- - End Of File - - 2D21E3FC1C6E5CDCF6F9E5914A3D3A35

Shaba
2011-08-05, 10:41
Hi,

That log looks pretty fine now.

How is computer working at the moment?

SLRHCristy
2011-08-05, 17:28
Hi Shaba,

Seems to be running okay...still cannot run Spybot or ComboFix in normal mode-probably just need to uninstall and download a fresh version. What do you think? What's next?

Thanks!
Cristy

Shaba
2011-08-07, 08:28
Yes, please install fresh versions of both and try again if you can now run them in normal mode.

SLRHCristy
2011-08-12, 08:12
Hi Shaba,

There have been several issues-I am also no longer receiving email notifications when you reply, so apologies for the delayed response.

1. I cannot download Spybot S&D in normal mode-I keep getting an error:
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
The existing file is marked as Read Only.
Click Retry to remove the read-only attribute and try again, Ignore to skip this file, or Abort to cancel installation."

If I click retry, nothing happens...the screen stays the same. If I click Ignore, it looks like it installs, but it does not. Abort just cancels the whole process. If I try to run spybot from the shortcut on my desktop, I just get an error "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." If I try to run it from the small icon at the bottom right of the taskbar at the bottom of my screen, nothing happens.

2. Whenever I Google something and then click the link I wish to go to, I get re-directed and the bottom of my screen says "waiting for 100Ksearches.com", and I get taken to find-fast-answers.com.

3. I was logging in to look for a response from you two days ago-opened Firefox, started typing in a web address, and the whole computer shut down to a blue screen saying Windows shut down to prevent serious damage to my computer. Then the whole thing shut down.

I don't know what is happening, but seems pretty ugly from this side.

How should I proceed?

Shaba
2011-08-14, 13:04
1 and 2 indicate infection but 3 can be just a coincidence.

Has it happened again?

SLRHCristy
2011-08-15, 02:36
Hi Shaba,

The computer has not shut down again, but still having issues 1 and 2....

Should I try loading ComboFix and Spybot S&D in Safe Mode?

Shaba
2011-08-16, 17:38
Yes, please :)

SLRHCristy
2011-08-20, 01:28
Shaba,

My family keeps using the computer no matter how much I tell them not to, and now I logged in, and EVERYTHING is just gone!! No desktop icons, no programs, no pictures, nothing.

What do I do?



Thanks,
Cristy

Shaba
2011-08-27, 19:22
Sorry for delay again.

It sounds to me that reformatting is required due to severe symptoms.

Do you have windows media available?

SLRHCristy
2011-09-07, 16:41
Shaba,

I'm not sure which programs you refer to when you say Windows media...I see Windows programs listed when I click on the start menu and then click on all programs, such as Windows Defender, Windows Media Center, etc...?

Thanks,
Cristy

Shaba
2011-09-08, 07:12
I mean by windows media physical media, that is windows installation DVD.

SLRHCristy
2011-09-23, 21:35
Hi Shaba,

My last message never posted-sorry for the delay.

We have Windows Vista Home Premium, but I cannot find the startup disk. Is there somewhere I can go online to validate our license or something? Not sure how to do recovery without the disk.

Thanks,
Cristy

Shaba
2011-09-26, 07:37
Have you made any recovery disks upon purchase of computer?