WiredWX Christian Hobby Weather Tools

Problem with my wireless connection BROADCOM 802.11b/g WLAN

Hi guys,

Previously you helped me with a virus that I had in my PC; the only problem left is that my wireless connection is off. I can’t see anything in my connections. I checked the driver and it looks like some of the information is double, and I think that is the problem.

Can you help me with this last problem?

Thank you

Furtake

Re: Problem with my wireless connection BROADCOM 802.11b/g WLAN

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Transfer it from a clean computer on to the infected one, via flash drive or burnt cd.

Re: Problem with my wireless connection BROADCOM 802.11b/g WLAN

ComboFix 10-02-24.01 - IRVING FURTAKE 02/24/2010 15:31:08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.563 [GMT -8:00]
Running from: c:\documents and settings\IRVING FURTAKE\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT
c:\recycler\NPROTECT
c:\recycler\S-1-5-21-618903273-2983810304-944034971-500
c:\windows\AUTOLNCH.REG
c:\windows\Downloaded Program Files\popcaploader.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVPsys
-------\Service_Passthru


((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 09:00 . 2008-05-18 21:05 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-02-23 08:59 . 2008-05-18 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-12-12 20:20 . 2009-08-01 04:18 354560 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-12-11 20:20 . 2009-12-01 02:59 12136 ----a-w- c:\windows\system32\drivers\kernelx86.sys
2009-12-04 22:15 . 2009-12-04 22:15 40128 ------w- c:\windows\system32\drivers\mmfpuslv.sys
2009-12-04 00:14 . 2009-12-08 23:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13 . 2009-12-08 23:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 21:40 . 2009-11-25 02:44 79488 ----a-w- c:\documents and settings\IRVING FURTAKE\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2007-11-19 00:44 . 2007-11-19 00:44 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"SightSpeed"="c:\program files\SightSpeed\SightSpeed.exe" [2008-11-03 4789048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-10-12 409600]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-03-09 1294446]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-09-16 274432]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 110592]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-12 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-14 1443072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-3-19 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmfpuslv.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Barsaka"=explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

R0 mmfpuslv;mmfpuslv;c:\windows\system32\drivers\mmfpuslv.sys [12/4/2009 2:15 PM 40128]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 1:06 AM 231424]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [8/10/2004 7:00 AM 3584]
S3 kernelx86;Kernel Debug Service;c:\windows\system32\drivers\kernelx86.sys [11/30/2009 6:59 PM 12136]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-02-24 c:\windows\Tasks\Mantenimiento con 1 clic.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-21 19:45]
.
.
------- Supplementary Scan -------
.
uStart Page = www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: PUFLITE - hxxp://irvingfurtake.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://ll.g.gametap.com/static/cab_headless/GameTapWebUpdater.cab
FF - ProfilePath - c:\documents and settings\IRVING FURTAKE\Application Data\Mozilla\Firefox\Profiles\nvhnsfht.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 750
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-(Default) - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 15:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?0?2?0??????? ???B?????????????hLC? ??????

scanning hidden files ...


c:\windows\TEMP\Perflib_Perfdata_844.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(444)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-02-24 15:47:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-24 23:47

Pre-Run: 24,306,159,616 bytes free
Post-Run: 24,410,349,568 bytes free

- - End Of File - - 95F22B8176D5D4DD7D1E8238FBA325C3

Re: Problem with my wireless connection BROADCOM 802.11b/g WLAN

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Barsaka"=-

    AWF::
    NOORPHANS::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


=====

Please go HERE. Copy and paste the following file path in to the box.

c:\windows\system32\drivers\kernelx86.sys

Do the same for these two files:

C:\windows\system32\userinit.exe
c:\windows\system32\drivers\mmfpuslv.sys


Then click submit.

Please post the results (URL) to your next reply.

!! MAKE SURE TO Re-Analyse the file !!

=====

Please download DragonFix by DragonMaster Jay, and save it to your Desktop. Right click and Extract All, and save the files to your Desktop.
  • Please disable realtime protection. The only realtime protection that gets in the way and needs to be disabled: Windows Defender, Microsoft Security Essentials, Spybot TeaTimer, WinPatrol, and Ad-Aware AdWatch. If you have any one of those, please disable them.
  • Double-click DragonFix.reg, and follow the prompt(s).
  • Please reboot your computer.


===

Please post the ComboFix log and VirusTotal URLS in your next reply.

Re: Problem with my wireless connection BROADCOM 802.11b/g WLAN

Hi Dragon Master Jay

Here is the first result. About the second thing I have to do: do I have to run it on the computer that is not infected, or does it have to be on the one that is infected? The infected one does not have any connection to the Internet.

ComboFix 10-02-24.01 - IRVING FURTAKE 02/25/2010 14:16:12.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.601 [GMT -8:00]
Running from: c:\documents and settings\IRVING FURTAKE\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\IRVING FURTAKE\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Passthru


((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 09:00 . 2008-05-18 21:05 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-02-23 08:59 . 2008-05-18 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-12-12 20:20 . 2009-08-01 04:18 354560 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-12-11 20:20 . 2009-12-01 02:59 12136 ----a-w- c:\windows\system32\drivers\kernelx86.sys
2009-12-04 22:15 . 2009-12-04 22:15 40128 ------w- c:\windows\system32\drivers\mmfpuslv.sys
2009-12-04 00:14 . 2009-12-08 23:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13 . 2009-12-08 23:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 21:40 . 2009-11-25 02:44 79488 ----a-w- c:\documents and settings\IRVING FURTAKE\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2007-11-19 00:44 . 2007-11-19 00:44 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"SightSpeed"="c:\program files\SightSpeed\SightSpeed.exe" [2008-11-03 4789048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-10-12 409600]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-03-09 1294446]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-09-16 274432]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 110592]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-12 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-14 1443072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-3-19 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmfpuslv.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

R0 mmfpuslv;mmfpuslv;c:\windows\system32\drivers\mmfpuslv.sys [12/4/2009 2:15 PM 40128]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 1:06 AM 231424]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [8/10/2004 7:00 AM 3584]
S3 kernelx86;Kernel Debug Service;c:\windows\system32\drivers\kernelx86.sys [11/30/2009 6:59 PM 12136]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-02-25 c:\windows\Tasks\Mantenimiento con 1 clic.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-21 19:45]
.
.
------- Supplementary Scan -------
.
uStart Page = www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: PUFLITE - hxxp://irvingfurtake.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://ll.g.gametap.com/static/cab_headless/GameTapWebUpdater.cab
FF - ProfilePath - c:\documents and settings\IRVING FURTAKE\Application Data\Mozilla\Firefox\Profiles\nvhnsfht.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 750
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-(Default) - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-25 14:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?0?2?0??@???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3644)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-02-25 14:30:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-25 22:30
ComboFix2.txt 2010-02-24 23:47

Pre-Run: 24,430,780,416 bytes free
Post-Run: 24,381,558,784 bytes free

- - End Of File - - F6E555A22A26BB683EB32DE71AFD493E

Thank you.

Re: Problem with my wireless connection BROADCOM 802.11b/g WLAN

Try to do this please and tell me if the Internet gets back up:

Please download the Fix IE Utility to your desktop.

Before running the utility, make sure that all your Internet Explorer windows are closed!

  • Extract the contents of the .zip file to your desktop.
  • Double click the Fix IE Utility button to run the tool.
  • Click Run Utility
  • Click OK when you see 'Re-registered all files'
  • Open Internet Explorer and see if it works.

Re: Problem with my wireless connection BROADCOM 802.11b/g WLAN

Hi Dragon Master Jay,

I tried but no wireless!!! Sorry, is there anything else that I can do?

Regards,

Furtake

Re: Problem with my wireless connection BROADCOM 802.11b/g WLAN

I only have internet via wireless in that computer.

Regards,

Furtake

Re: Problem with my wireless connection BROADCOM 802.11b/g WLAN

  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

    Re: Problem with my wireless connection BROADCOM 802.11b/g WLAN

    Ok here it is:

    Running from: C:\Documents and Settings\IRVING FURTAKE\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\IRVING FURTAKE\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...



    Cannot access: C:\WINDOWS\system32\drivers\mmfpuslv.sys

    [1] 2009-12-04 14:15:23 40128 C:\WINDOWS\system32\drivers\mmfpuslv.sys ()





    Finished!

    Thank you !

    Re: Problem with my wireless connection BROADCOM 802.11b/g WLAN

    Re-running ComboFix to remove infections:

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the quotebox below into it:

      killall::
      File::
      C:\WINDOWS\system32\drivers\mmfpuslv.sys
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [image]

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.

    Re: Problem with my wireless connection BROADCOM 802.11b/g WLAN

    Ok Here it is!

    ComboFix 10-02-24.01 - IRVING FURTAKE 03/03/2010 22:57:45.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.553 [GMT -8:00]
    Running from: c:\documents and settings\IRVING FURTAKE\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\IRVING FURTAKE\Desktop\CFScript.txt
    AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    "c:\windows\system32\drivers\mmfpuslv.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\mmfpuslv.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_mmfpuslv
    -------\Service_mmfpuslv


    ((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-23 09:00 . 2008-05-18 21:05 -------- d-----w- c:\program files\Common Files\LogiShrd
    2010-02-23 08:59 . 2008-05-18 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
    2009-12-12 20:20 . 2009-08-01 04:18 354560 ----a-w- c:\windows\system32\TuneUpDefragService.exe
    2009-12-11 20:20 . 2009-12-01 02:59 12136 ----a-w- c:\windows\system32\drivers\kernelx86.sys
    2007-11-19 00:44 . 2007-11-19 00:44 774144 ----a-w- c:\program files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
    "SightSpeed"="c:\program files\SightSpeed\SightSpeed.exe" [2008-11-03 4789048]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-10-12 409600]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-03-09 1294446]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-09-16 274432]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 110592]
    "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-12 136600]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-14 1443072]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-3-19 118784]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 33800]
    R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
    R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 1:06 AM 231424]
    S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [8/10/2004 7:00 AM 3584]
    S3 kernelx86;Kernel Debug Service;c:\windows\system32\drivers\kernelx86.sys [11/30/2009 6:59 PM 12136]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-04 c:\windows\Tasks\Mantenimiento con 1 clic.job
    - c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-21 19:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = www.yahoo.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: PUFLITE - hxxp://irvingfurtake.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
    DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://ll.g.gametap.com/static/cab_headless/GameTapWebUpdater.cab
    FF - ProfilePath - c:\documents and settings\IRVING FURTAKE\Application Data\Mozilla\Firefox\Profiles\nvhnsfht.default\
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-connections-per-server - 4
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.interval - 750000
    FF - user.js: nglayout.initialpaint.delay - 750
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-(Default) - (no file)
    SafeBoot-mmfpuslv.sys



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-04 01:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?0?2?0??????? ???B?????????????hLC? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(512)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(2380)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Ahead\InCD\InCDsrv.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\nexon\Mabinogi\npkcmsvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\rundll32.exe
    c:\windows\eHome\ehmsas.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HPQ\SHARED\HPQWMI.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-04 01:32:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-04 09:32
    ComboFix2.txt 2010-02-25 22:30
    ComboFix3.txt 2010-02-24 23:47

    Pre-Run: 24,326,377,472 bytes free
    Post-Run: 24,283,955,200 bytes free

    - - End Of File - - 6C799C3E4436D4E449852FBF445C4E99

    Regards,

    Re: Problem with my wireless conection BROADCOM 802.11b/g WLAN

    There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
    Backdoor trojans are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to: http://www.viruslist.com/en/viruses/glossary?glossid=189208417
    I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
    Then, access this information from a non-compromised computer to follow the steps needed.
    If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

    Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
    Guides for format and reinstall: http://www.GeekPolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115

    http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143
    However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
    If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

    Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

    Re: Problem with my wireless conection BROADCOM 802.11b/g WLAN

    Dragon Master Jay,

    Thank you for your help and all your team!!! I think I will have to format my PC, I need it for my work and have all my information here. I got this virus from my messenger, a "FRIEND" sent me pictures from a trip and there it was the virus.

    I thank you again and will see you soon.

    I do have a question, which antivirus is the best?

    Regards,

    Furtake

    Re: Problem with my wireless conection BROADCOM 802.11b/g WLAN

    Kaspersky Antivirus > Kaspersky.com -- All-time (paid version only)

    Avira Free > FreeAV.com -- Best free antivirus

    ==========


    If you plan on formatting and reinstalling, make sure to back up your serious files, pictures, etc. Doing a reformat will get rid of all data.
