antivir pro
Hello, I have antivir pro loading on my computer and multiple error messages. I changed the proxy settings so I could access the internet, but was unable to download HijackThis. My HijackThis and MBAM programs produce error messages when I try to run them. Thank you, Jeff

Re: antivir pro
Hi, Welcome to GeekPolice.net!

Could you please go into Safe Mode with Networking and run this:

To get into Safe Mode with Networking please restart your computer and rapidly tap F8 until it asks what mode you want to boot into, please choose Safe Mode with Networking, then download and run the following:

(If you cannot download in Safe Mode, please try transferring it over to the infected machine with a USB drive.)

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy/paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

[image: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: RC_successful]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: antivir pro
Thank you, sneakyone!


ComboFix 10-08-06.01 - jeff 08/06/2010 14:15:09.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1781 [GMT -8:00]
Running from: c:\documents and settings\jeff\desktop\commy.exe
Command switches used :: /stepdel
AV: AVG Anti-Virus SBS Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jeff\Local Settings\Application Data\dxfniucap
c:\documents and settings\jeff\Local Settings\Application Data\dxfniucap\qqqifavtssd.exe
C:\Images
c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
c:\documents and settings\jeff\Local Settings\Application Data\dxfniucap\qqqifavtssd.exe
c:\images\DirCfg.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))
.

2010-07-24 00:12 . 2010-07-24 00:12 388096 ----a-r- c:\documents and settings\jeff\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-23 23:44 . 2010-07-23 23:44 -------- d-----w- c:\program files\Trend Micro
2010-07-23 14:11 . 2010-07-23 14:11 -------- d-----w- c:\program files\iPod
2010-07-23 14:06 . 2010-07-23 14:06 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-22 19:02 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-22 19:02 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-22 19:02 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-22 19:02 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-21 14:55 . 2010-08-06 22:02 118784 ----a-w- c:\windows\system32\chg.exe
2010-07-16 19:47 . 2010-07-16 19:47 711168 ----a-w- c:\documents and settings\dprins\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv307hw-1007080-0-main.dll
2010-07-16 16:58 . 2010-07-19 16:11 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-15 23:00 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-15 20:52 . 2010-07-15 20:52 77568 ----a-w- c:\windows\system32\drivers\WUDFPF.SYS
2010-07-15 19:40 . 2010-07-15 20:58 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-10 16:11 . 2010-07-10 16:11 -------- d-----w- c:\documents and settings\drvictor\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 16:28 . 2008-12-12 15:34 -------- d-----w- c:\program files\Wisdom
2010-07-23 14:12 . 2010-06-18 14:37 -------- d-----w- c:\program files\iTunes
2010-07-23 14:11 . 2010-01-04 05:17 -------- d-----w- c:\program files\Common Files\Apple
2010-07-15 23:10 . 2008-11-17 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-06 18:50 . 2010-07-08 23:57 171904 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-07-05 07:46 . 2010-07-05 07:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-05 07:46 . 2010-07-05 07:46 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-30 19:31 . 2010-06-30 19:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-06-29 18:10 . 2010-06-29 18:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-06-29 17:54 . 2010-06-29 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-23 06:50 . 2010-02-25 22:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-18 14:39 . 2010-01-04 15:39 -------- d-----w- c:\documents and settings\dprins\Application Data\Apple Computer
2010-06-18 14:35 . 2010-06-18 14:35 -------- d-----w- c:\program files\Bonjour
2010-06-18 14:31 . 2010-05-03 18:18 -------- d-----w- c:\program files\Safari
2010-06-18 14:30 . 2010-06-18 14:30 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-14 14:31 . 2006-02-28 02:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-19 00:35 . 2010-05-19 00:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-19 00:35 . 2010-05-19 00:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-11 15:29 . 2010-05-11 15:29 666112 ----a-w- c:\documents and settings\dprins\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1004220-0-main.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-26 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-26 137752]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-1-20 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-30 17:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-12 15:26 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [12/19/2008 7:57 AM 12552]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/19/2008 7:57 AM 108552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/19/2008 7:57 AM 335240]
S1 oxpar;%OXPAR.SVCDESC%;c:\windows\system32\drivers\oxpar.sys [1/24/2007 2:28 AM 80128]
S2 0098011228158574mcinstcleanup;McAfee Application Installer Cleanup (0098011228158574);c:\docume~1\ADMINI~1\LOCALS~1\Temp\009801~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\009801~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/9/2009 9:55 AM 297752]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [11/17/2008 11:51 AM 576024]
S3 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [1/24/2007 2:28 AM 21888]
S3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [1/24/2007 2:28 AM 5888]
S3 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [1/24/2007 2:28 AM 70784]
.
Contents of the 'Scheduled Tasks' folder

2010-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 19:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.drudgereport.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride =
FF - ProfilePath - c:\documents and settings\jeff\Application Data\Mozilla\Firefox\Profiles\wgvfa3ci.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - prefs.js: network.proxy.type - 0
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-dcvrrvmm - c:\documents and settings\jeff\Local Settings\Application Data\dxfniucap\qqqifavtssd.exe
HKLM-Run-dcvrrvmm - c:\documents and settings\jeff\Local Settings\Application Data\dxfniucap\qqqifavtssd.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll
.
Completion time: 2010-08-06 14:24:12
ComboFix-quarantined-files.txt 2010-08-06 22:24

Pre-Run: 44,928,225,280 bytes free
Post-Run: 46,055,038,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A56D2C2F33D599CC6A1D1F8DCEA2FF1F

Re: antivir pro
I'm sorry, things were looking better so I ran MBAM; I should have waited for instructions. Here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4401

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

8/6/2010 3:16:10 PM
mbam-log-2010-08-06 (15-16-10).txt

Scan type: Quick scan
Objects scanned: 151481
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: antivir pro
Hi.

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:


    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:6522
    uInternet Settings,ProxyOverride =

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: Cfscriptb4]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
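As an added illustration that is not part of this thread, the following Python helper parses ComboFix log text and flags the three indicators that the first log and the CFScript above are concerned with: a ProxyServer pointing at the loopback address, Run entries launched from a user's Local Settings folder, and an Autorun.inf on a non-system drive. The sample lines are constructed from entries in the log Jeff posted; the function names and the line patterns are my own assumptions about ComboFix's format, drawn from that log.

```python
import re
from typing import Dict, List

# Constructed sample in ComboFix's log format, modelled on the entries in the
# posted log: the proxy line, two benign Run entries the filter should ignore,
# the two orphaned Run entries, and the Autorun.inf on the D: drive.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.drudgereport.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride =
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
HKCU-Run-dcvrrvmm - c:\documents and settings\jeff\Local Settings\Application Data\dxfniucap\qqqifavtssd.exe
HKLM-Run-dcvrrvmm - c:\documents and settings\jeff\Local Settings\Application Data\dxfniucap\qqqifavtssd.exe
D:\Autorun.inf
"""

# Line shapes (assumed from the posted log) for the entries we care about.
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>\S.*)$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
RUN_ORPHAN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+)\s+-\s+(?P<path>.+)$")
AUTORUN_RE = re.compile(r"^(?P<drive>[A-Za-z]):\\autorun\.inf$", re.IGNORECASE)

LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}

# Startup programs launched from these per-user locations are unusual for
# legitimate software on XP and typical of rogue AV droppers.
USER_DATA_MARKERS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
)


def proxy_hosts(value: str) -> List[str]:
    """Hosts named in a ProxyServer value.

    ComboFix prints the registry value as written, e.g. 'http=127.0.0.1:6522',
    a bare 'host:port', or a ';'-separated per-protocol list. An empty value
    yields an empty list.
    """
    hosts = []
    for part in value.split(";"):
        target = part.split("=", 1)[-1].strip()   # drop an optional 'http=' prefix
        if target:
            hosts.append(target.rsplit(":", 1)[0].lower())  # drop the port
    return hosts


def launched_from_user_data(path: str) -> bool:
    """True when a startup entry's executable lives under a user's Local Settings."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_DATA_MARKERS)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan ComboFix log text line by line and return the suspicious entries found."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            value = m.group("value").strip()
            if any(host in LOOPBACK_HOSTS for host in proxy_hosts(value)):
                # A proxy on the loopback interface means a local process is
                # intercepting the browser's traffic (what blocked Jeff's downloads).
                findings.append({"kind": "loopback_proxy", "value": value})
            continue
        m = RUN_VALUE_RE.match(line) or RUN_ORPHAN_RE.match(line)
        if m:
            path = m.group("path").strip()
            if launched_from_user_data(path):
                findings.append({"kind": "run_from_user_data",
                                 "name": m.group("name"), "path": path})
            continue
        m = AUTORUN_RE.match(line)
        if m and m.group("drive").upper() != "C":
            # Autorun.inf on a removable or secondary drive is a spreading vector.
            findings.append({"kind": "autorun_inf", "drive": m.group("drive").upper()})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```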

Re: antivir pro
Ok, I reran ComboFix. I will be away for a few days, so I will follow the rest of your instructions next week. Thanks very much!


ComboFix 10-08-06.01 - jeff 08/06/2010 17:05:37.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1431 [GMT -8:00]
Running from: c:\documents and settings\jeff\Desktop\Combofix.exe
Command switches used :: c:\documents and settings\jeff\Desktop\CFScript.txt
AV: AVG Anti-Virus SBS Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-06 23:12 . 2010-04-29 23:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-06 23:12 . 2010-08-06 23:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-06 23:12 . 2010-04-29 23:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-06 22:10 . 2010-08-06 22:24 -------- d-----w- C:\commy
2010-07-24 00:12 . 2010-07-24 00:12 388096 ----a-r- c:\documents and settings\jeff\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-23 23:44 . 2010-07-23 23:44 -------- d-----w- c:\program files\Trend Micro
2010-07-23 14:11 . 2010-07-23 14:11 -------- d-----w- c:\program files\iPod
2010-07-23 14:06 . 2010-07-23 14:06 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-22 19:02 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-22 19:02 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-22 19:02 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-22 19:02 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-16 19:47 . 2010-07-16 19:47 711168 ----a-w- c:\documents and settings\carl\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv307hw-1007080-0-main.dll
2010-07-16 16:58 . 2010-07-19 16:11 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-15 23:00 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-15 20:52 . 2010-07-15 20:52 77568 ----a-w- c:\windows\system32\drivers\WUDFPF.SYS
2010-07-15 19:40 . 2010-07-15 20:58 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-10 16:11 . 2010-07-10 16:11 -------- d-----w- c:\documents and settings\jeff\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 01:02 . 2008-12-12 15:34 -------- d-----w- c:\program files\Wisdom
2010-07-23 14:12 . 2010-06-18 14:37 -------- d-----w- c:\program files\iTunes
2010-07-23 14:11 . 2010-01-04 05:17 -------- d-----w- c:\program files\Common Files\Apple
2010-07-15 23:10 . 2008-11-17 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-06 18:50 . 2010-07-08 23:57 171904 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-07-05 07:46 . 2010-07-05 07:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-05 07:46 . 2010-07-05 07:46 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-30 19:31 . 2010-06-30 19:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-06-29 18:10 . 2010-06-29 18:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-06-29 17:54 . 2010-06-29 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-18 14:39 . 2010-01-04 15:39 -------- d-----w- c:\documents and settings\carl\Application Data\Apple Computer
2010-06-18 14:35 . 2010-06-18 14:35 -------- d-----w- c:\program files\Bonjour
2010-06-18 14:31 . 2010-05-03 18:18 -------- d-----w- c:\program files\Safari
2010-06-18 14:30 . 2010-06-18 14:30 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-14 14:31 . 2006-02-28 02:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-19 00:35 . 2010-05-19 00:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-19 00:35 . 2010-05-19 00:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-11 15:29 . 2010-05-11 15:29 666112 ----a-w- c:\documents and settings\carl\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1004220-0-main.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-26 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-26 137752]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-1-20 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-30 17:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-12 15:26 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [12/19/2008 7:57 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/19/2008 7:57 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/19/2008 7:57 AM 108552]
R1 oxpar;%OXPAR.SVCDESC%;c:\windows\system32\drivers\oxpar.sys [1/24/2007 2:28 AM 80128]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/9/2009 9:55 AM 297752]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [11/17/2008 11:51 AM 576024]
R3 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [1/24/2007 2:28 AM 21888]
R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [1/24/2007 2:28 AM 5888]
R3 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [1/24/2007 2:28 AM 70784]
S2 0098011228158574mcinstcleanup;McAfee Application Installer Cleanup (0098011228158574);c:\docume~1\ADMINI~1\LOCALS~1\Temp\009801~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\009801~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 19:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.drudgereport.com/
FF - ProfilePath - c:\documents and settings\jeff\Application Data\Mozilla\Firefox\Profiles\wgvfa3ci.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - prefs.js: network.proxy.type - 0
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 17:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2380)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-06 17:10:15
ComboFix-quarantined-files.txt 2010-08-07 01:10
ComboFix2.txt 2010-08-06 22:24

Pre-Run: 43,887,230,976 bytes free
Post-Run: 43,898,691,584 bytes free

- - End Of File - - 20D38656318A534F9F1D715D9BF951E6

Re: antivir pro
Hi.

Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
  • descriptionantivir pro EmptyRe: antivir pro

    more_horiz
    Hi, the computer seems to running well now. Thanks for your help. Here is the kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 11, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 11, 2010 11:42:51
Records in database: 4128448
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
T:\

Scan statistics:
Objects scanned: 83215
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 01:55:46

File name / Threat / Threats count
C:\Documents and Settings\Administrator\Local Settings\Temp\7zS1.tmp\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2TQ7QJUJ\TVRemote[1].exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

Selected area has been scanned.
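Every hit in the report above carries a "not-a-virus:RemoteAdmin" verdict, i.e. Kaspersky is flagging VNC components as riskware rather than reporting an infection, which is why the helper can call the machine clean. The triage script below is added here as an example and is not part of the thread; its sample report is constructed from the posted lines plus one placeholder malware line, and the regex assumes the "path Infected: verdict count" layout shown in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the Kaspersky Online Scanner 7.0 report posted above:
# the two VNC lines are copied from the post, the third detection is a placeholder, not from the post.
SAMPLE_REPORT = r"""
Infected objects found: 3
Suspicious objects found: 0
File name / Threat / Threats count
C:\Documents and Settings\Administrator\Local Settings\Temp\7zS1.tmp\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Temp\placeholder.exe Infected: Trojan.Win32.Placeholder.a 1
Selected area has been scanned.
"""

# One detection line: "<path> Infected: <verdict> <count>"; the path itself may contain spaces.
DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<verdict>\S+) (?P<count>\d+)$")

@dataclass
class Detection:
    path: str
    status: str
    verdict: str
    count: int

    @property
    def is_riskware(self):
        # Kaspersky marks legitimate-but-abusable software (remote admin tools, dialers, ...) "not-a-virus:".
        return self.verdict.startswith("not-a-virus:")

def parse_report(text):
    """Return one Detection per 'File name / Threat / Threats count' line."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["status"], m["verdict"], int(m["count"])))
    return found

def triage(text):
    """Split riskware (is RealVNC expected on this machine?) from malware (must be removed),
    and check the per-file counts against the report's 'Infected objects found' header."""
    dets = parse_report(text)
    header = re.search(r"^Infected objects found: (\d+)$", text, re.M)
    declared = int(header.group(1)) if header else None
    return {
        "riskware": [d.path for d in dets if d.is_riskware],
        "malware": [d.path for d in dets if not d.is_riskware],
        "count_matches_header": declared == sum(d.count for d in dets),
    }
```

A riskware hit on a VNC tool the owner installed on purpose is a policy decision, not an infection; only the "malware" bucket needs removal.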

Re: antivir pro

Hi.


Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

Updating System Restore
Now, to get you off to a good start, we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
• Select Start > All Programs > Accessories > System Tools > System Restore.
• On the dialogue box that appears, select Create a Restore Point.
• Click NEXT.
• Enter a name, e.g. Clean.
• Click CREATE.

You now have a clean restore point.

To get rid of the bad ones:
• Select Start > All Programs > Accessories > System Tools > Disk Cleanup.
• In the drop-down box that appears, select your main drive, e.g. C.
• Click OK.
• The system will do a calculation of temporary/old files, and then display a dialogue box.
• Select the More Options tab.
• At the bottom will be a System Restore box with a CLEANUP button; click this.
• Accept the warning and select OK again; the program will close and you are done.


========

Removing the tools
Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download OTC.exe by OldTimer:
• Save it to your Desktop.
• Double click OTC.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.
  Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


============

Service Pack upgrade
Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides you may not have. It is now available via Windows Update.

More info about SP3: Here

=====

Update Programs
Please download the newest version of Adobe Acrobat Reader from Adobe.com.

Before installing: it is important to remove older versions of Acrobat Reader, since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java, since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

===============

Here are some prevention tips I have provided:

1. Don't download files from untrusted websites or websites that seem suspicious.

2. Don't use torrents; they are a good way to get lots of malware.

3. Don't download and use cracks/warez/keygens; they are illegal and are another good way to contract malware.

4. Disable autorun: XP or Vista/7

5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

6. Don't ever click on the links inside of a popup.

7. Make sure you know what you install; you can make sure it is not known for being a virus by simply searching for it on Google.

8. Use a site advisor so you don't go to sites that will infect you. McAfee SiteAdvisor

9. Also, there are many holes and flaws in Internet Explorer; I recommend using Firefox 3 to keep you safer.

10. Always keep your Java and Adobe updated.

11. Don't fall for scareware. What is scareware? It is a website made to download a rogue antivirus on your system that will scare you into buying their fake software due to false detections.

12. Always have a firewall and an antivirus.

Thanks for choosing GeekPolice; see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

For more information please visit Here
