
dcom exploits attacks

  • 21-03-2010 11:26pm
    #1
    Registered Users, Registered Users 2 Posts: 1,279 ✭✭✭


    Opened a new thread to give reports back on my progress of trying to get rid of these DCOM attacks.


Comments

  • Registered Users, Registered Users 2 Posts: 1,279 ✭✭✭endasmail


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Enda at 23:33:14.23 on 21/03/2010
    Internet Explorer: 8.0.6001.18882
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2008.1006 [GMT 0:00]
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    ============== Running Processes ===============
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\OEM\OSD_1.2\OsdService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\The TechGuys\Launch\Launch.exe
    C:\Program Files\OEM\OSD_1.2\osd.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\ehome\ehsched.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\ehome\ehRecvr.exe
    C:\Program Files\O2\O2 Broadband USB Modem\O2 Broadband.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Enda\Downloads\dds.com
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://www.google.ie/
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Google EULA Launcher] c:\program files\google\google eula\GoogleEULALauncher.exe IE
    mRun: [UpdateP2GShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\5.0"
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
    StartupFolder: c:\users\enda\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\launch.lnk - c:\windows\installer\{4a65dad2-e914-4923-9c2a-81b968a68ce2}\_A685CC3126A7CC37D335DE.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\osd.lnk - c:\windows\installer\{73289228-1853-4623-982a-eb17ff0270ca}\_1F0B30F16FFA954160D1AF.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {05358068-EFCF-4639-A0C6-66BCD3599AC3} = 62.40.32.33 8.8.8.8
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    ============= SERVICES / DRIVERS ===============
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-25 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-25 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-25 53328]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-25 138680]
    R2 OsdService;OSD Service;c:\program files\oem\osd_1.2\OsdService.exe [2008-2-22 94208]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-25 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-25 352920]
    R3 GpdDevDPort;GpdDevDPort;c:\windows\system32\directport.sys [2008-5-21 7168]
    R3 GpdKbFilter;GpdKbFilter;c:\windows\system32\kbfiltr.sys [2008-4-22 8192]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-3 112128]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    =============== Created Last 30 ================
    2010-03-16 13:22:35 0 d-----w- c:\program files\AskBarDis
    2010-03-15 15:00:49 92032 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
    2010-03-15 15:00:49 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
    2010-03-11 21:58:05 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-03-11 21:58:03 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-03-11 21:58:03 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-03-09 01:39:53 293376 ----a-w- c:\windows\system32\browserchoice.exe
    2010-02-26 09:43:35 70744 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
    2010-02-25 14:08:18 2048 ----a-w- c:\windows\system32\tzres.dll
    ==================== Find3M ====================
    2010-03-15 15:00:49 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-03-15 15:00:49 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-03-15 15:00:48 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-02-24 10:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-06 15:39:38 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-01-06 15:38:47 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-01-06 13:30:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-12-22 20:47:58 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-12-22 02:35:52 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-11-27 01:23:27 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2008-04-21 14:46:25 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
    ============= FINISH: 23:34:14.82 ===============
    ower2Go
    QuickTime
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB978380)
    Security Update for Microsoft Office Excel 2007 (KB978382)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Skype web features
    Skype™ 4.1
    TAS Books 3
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 (KB974561)
    Update for Microsoft Office Word 2007 Help (KB963665)
    ==== Event Viewer Messages From Past Week ========
    21/03/2010 23:00:38, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    21/03/2010 01:09:07, Error: LsaSrv [6033] - An anonymous session connected from 212.248.247.13 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day.
    14/03/2010 10:14:54, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    14/03/2010 10:14:54, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    14/03/2010 10:11:36, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    ==== End Of File ===========================
    Don't know if I did that right, but that's what I got back.
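The Event Viewer section of the DDS log above is the part worth triaging: the LsaSrv 6033 entry records an anonymous session from an outside address (212.248.247.13) trying to open an LSA policy handle, while the DCOM 10005 entry is a local service-start failure (error 1053, matching the Windows Search timeout logged minutes later). As an added example, not code from the poster or from the DDS tool, the Python script below parses the `dd/mm/yyyy hh:mm:ss, Level: Source [id] - message` lines DDS prints, together with the `mPolicies-*` lines, and rates what it finds. The sample input is constructed from the post's log lines (abridged), with one invented LAN-sourced 6033 line added to show the contrast; the severity labels are this example's own choice.

```python
"""Triage the Event Viewer and mPolicies sections of a DDS log.

Added example (not part of the DDS tool or of the thread): parses the
"dd/mm/yyyy hh:mm:ss, Level: Source [id] - message" lines DDS prints and
flags the entries a defender would act on.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on (and abridged from) the DDS log in the post.
# The 192.168.1.20 entry is invented to show how a LAN-sourced probe is rated.
SAMPLE_LOG = """\
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
==== Event Viewer Messages From Past Week ========
21/03/2010 23:00:38, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started.
21/03/2010 01:09:07, Error: LsaSrv [6033] - An anonymous session connected from 212.248.247.13 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED.
20/03/2010 09:12:00, Error: LsaSrv [6033] - An anonymous session connected from 192.168.1.20 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED.
14/03/2010 10:11:36, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
==== End Of File ===========================
"""

# Line shapes as they appear in the DDS output quoted in the post.
EVENT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
POLICY_RE = re.compile(r"^mPolicies-\w+: (?P<name>\w+) = (?P<value>\d+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Event:
    date: str
    level: str
    source: str
    event_id: int
    message: str
    remote_ip: Optional[str]  # first IPv4 literal in the message, if any


@dataclass
class Finding:
    severity: str  # "high", "low" or "info" (this example's own scale)
    detail: str


def parse_events(text: str) -> List[Event]:
    """Return every Event Viewer line in the DDS text as a structured Event."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ip = IPV4_RE.search(m["message"])
        events.append(Event(m["date"], m["level"], m["source"], int(m["event_id"]),
                            m["message"], ip.group(0) if ip else None))
    return events


def parse_policies(text: str) -> Dict[str, int]:
    """Collect the mPolicies-* name/value pairs (e.g. EnableLUA = 0)."""
    matches = (POLICY_RE.match(ln.strip()) for ln in text.splitlines())
    return {m["name"]: int(m["value"]) for m in matches if m}


def triage(text: str) -> List[Finding]:
    """Rate the entries.

    Anonymous LSA probes from non-private addresses and a disabled UAC are the
    actionable items; DCOM 10005 with error 1053 is a local service timeout and
    is reported for context only.
    """
    findings = []
    if parse_policies(text).get("EnableLUA") == 0:
        findings.append(Finding("high", "UAC is disabled (EnableLUA = 0); re-enable it."))
    for ev in parse_events(text):
        if ev.source == "LsaSrv" and ev.event_id == 6033 and ev.remote_ip:
            addr = ipaddress.ip_address(ev.remote_ip)
            if addr.is_private:
                findings.append(Finding("low", f"{ev.date}: anonymous LSA probe from LAN host {addr}."))
            else:
                findings.append(Finding("high", f"{ev.date}: anonymous LSA probe from internet host {addr}; "
                                                "suggests SMB/RPC is exposed to the internet."))
        elif ev.source == "Microsoft-Windows-DistributedCOM" and ev.event_id == 10005:
            findings.append(Finding("info", f"{ev.date}: DCOM could not start a local service: {ev.message[:60]}..."))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.detail}")
```

One caveat the 6033 message itself invites: its "temporary workaround" (setting `TurnOffAnonymousBlock` to 1) switches off the very protection that rejected the request, so the fix for an internet-sourced probe is to stop inbound SMB/RPC reaching the machine (router or host firewall), not to flip that value.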


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Looks OK.

    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.

    Post the contents of GMER.txt in your next reply.


  • Registered Users, Registered Users 2 Posts: 1,279 ✭✭✭endasmail


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-03-22 18:10:20
    Windows 6.0.6002 Service Pack 2
    Running: gmer.exe; Driver: C:\Users\Enda\AppData\Local\Temp\pwlcypow.sys

    ---- User code sections - GMER 1.0.15 ----
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!SetWindowsHookExW 76FA87AD 3 Bytes JMP 6F859B29 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!SetWindowsHookExW + 4 76FA87B1 1 Byte [F8]
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!CallNextHookEx 76FA8E3B 5 Bytes JMP 6F84D171 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!UnhookWindowsHookEx 76FA98DB 5 Bytes JMP 6F7C486E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!CreateWindowExW 76FB1305 5 Bytes JMP 6F85D9BC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!DialogBoxParamW 76FD10B0 5 Bytes JMP 6F785689 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!DialogBoxIndirectParamW 76FD2EF5 5 Bytes JMP 6F9543F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!DialogBoxParamA 76FE8152 5 Bytes JMP 6F954394 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!DialogBoxIndirectParamA 76FE847D 5 Bytes JMP 6F95445A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!MessageBoxIndirectA 76FFD4D9 5 Bytes JMP 6F954329 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!MessageBoxIndirectW 76FFD5D3 5 Bytes JMP 6F9542BE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!MessageBoxExA 76FFD639 5 Bytes JMP 6F95425C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] USER32.dll!MessageBoxExW 76FFD65D 5 Bytes JMP 6F9541FA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] ole32.dll!OleLoadFromStream 75D11E12 5 Bytes JMP 6F954778 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[780] ole32.dll!CoCreateInstance 75D49EA6 5 Bytes JMP 6F85DA18 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!SetWindowsHookExW 76FA87AD 3 Bytes JMP 6F859B29 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!SetWindowsHookExW + 4 76FA87B1 1 Byte [F8]
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!CallNextHookEx 76FA8E3B 5 Bytes JMP 6F84D171 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!UnhookWindowsHookEx 76FA98DB 5 Bytes JMP 6F7C486E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!CreateWindowExW 76FB1305 5 Bytes JMP 6F85D9BC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!DialogBoxParamW 76FD10B0 5 Bytes JMP 6F785689 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!DialogBoxIndirectParamW 76FD2EF5 5 Bytes JMP 6F9543F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!DialogBoxParamA 76FE8152 5 Bytes JMP 6F954394 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!DialogBoxIndirectParamA 76FE847D 5 Bytes JMP 6F95445A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!MessageBoxIndirectA 76FFD4D9 5 Bytes JMP 6F954329 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!MessageBoxIndirectW 76FFD5D3 5 Bytes JMP 6F9542BE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!MessageBoxExA 76FFD639 5 Bytes JMP 6F95425C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] USER32.dll!MessageBoxExW 76FFD65D 5 Bytes JMP 6F9541FA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] ole32.dll!OleLoadFromStream 75D11E12 5 Bytes JMP 6F954778 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4156] ole32.dll!CoCreateInstance 75D49EA6 5 Bytes JMP 6F85DA18 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4964] USER32.dll!CreateWindowExW 76FB1305 5 Bytes JMP 6F85D9BC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4964] USER32.dll!DialogBoxParamW 76FD10B0 5 Bytes JMP 6F785689 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4964] USER32.dll!DialogBoxIndirectParamW 76FD2EF5 5 Bytes JMP 6F9543F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4964] USER32.dll!DialogBoxParamA 76FE8152 5 Bytes JMP 6F954394 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4964] USER32.dll!DialogBoxIndirectParamA 76FE847D 5 Bytes JMP 6F95445A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4964] USER32.dll!MessageBoxIndirectA 76FFD4D9 5 Bytes JMP 6F954329 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4964] USER32.dll!MessageBoxIndirectW 76FFD5D3 5 Bytes JMP 6F9542BE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4964] USER32.dll!MessageBoxExA 76FFD639 5 Bytes JMP 6F95425C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4964] USER32.dll!MessageBoxExW 76FFD65D 5 Bytes JMP 6F9541FA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    ---- User IAT/EAT - GMER 1.0.15 ----
    IAT C:\Windows\system32\services.exe[600] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00130002
    IAT C:\Windows\system32\services.exe[600] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00130000
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 kbfiltr.sys
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 kbfiltr.sys
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    ---- Registry - GMER 1.0.15 ----
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x12 0xC7 0x43 0x10 ...
    ---- EOF - GMER 1.0.15 ----

    Thanks very much for putting the time into helping me out with this.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Hi

    Download ComboFix here:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: RcAuto1.gif]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: whatnext.png]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • Registered Users, Registered Users 2 Posts: 1,279 ✭✭✭endasmail


    ComboFix 10-03-22.02 - Enda 23/03/2010 23:05:30.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2008.1138 [GMT 0:00]
    Running from: c:\users\Enda\Downloads\Desktop\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .
    ((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
    .
    2010-03-23 23:11 . 2010-03-23 23:12 d-----w- c:\users\Enda\AppData\Local\temp
    2010-03-23 23:11 . 2010-03-23 23:11 d-----w- c:\users\Default\AppData\Local\temp
    2010-03-16 13:22 . 2010-03-16 13:22 d-----w- c:\program files\AskBarDis
    2010-03-15 15:00 . 2007-05-31 20:36 92032 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
    2010-03-15 15:00 . 2007-05-31 20:36 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
    2010-03-12 11:39 . 2010-03-12 11:39 d-----w- c:\users\Default\AppData\Local\Microsoft Help
    2010-03-11 21:58 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-03-11 21:58 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-03-11 21:58 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-03-09 15:24 . 2010-03-09 16:20 d-----w- c:\windows\BDOSCAN8
    2010-03-09 01:39 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
    2010-02-26 09:43 . 2010-03-13 16:16 70744 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
    2010-02-25 14:08 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-20 19:27 . 2008-12-03 04:45 d-----w- c:\program files\Google
    2010-03-15 15:00 . 2008-12-03 04:25
    d--h--w- c:\program files\InstallShield Installation Information
    2010-03-14 10:14 . 2008-12-03 04:49 d-----w- c:\programdata\Microsoft Help
    2010-03-12 02:09 . 2009-11-06 18:03 d-----w- c:\users\Enda\AppData\Roaming\Skype
    2010-03-12 02:02 . 2009-11-29 22:51 d-----w- c:\users\Enda\AppData\Roaming\skypePM
    2010-03-12 02:00 . 2008-12-03 04:44 d-----w- c:\program files\Microsoft Silverlight
    2010-03-11 22:52 . 2006-11-02 11:18 d-----w- c:\program files\Windows Mail
    2010-02-26 09:43 . 2009-11-06 18:02 8224 ----a-w- c:\users\Enda\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-24 10:16 . 2009-11-19 19:29 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-01 23:48 . 2010-02-01 23:48 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-7\Markup.dll
    2010-01-25 22:51 . 2009-09-05 12:28 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
    2010-01-25 12:00 . 2010-02-25 14:07 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00 . 2010-02-25 14:07 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00 . 2010-02-25 14:07 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00 . 2010-02-25 14:07 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58 . 2010-02-25 14:07 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21 . 2010-02-25 14:07 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21 . 2010-02-25 14:07 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21 . 2010-02-25 14:07 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21 . 2010-02-25 14:07 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-23 15:30 . 2010-01-23 15:30 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-6\Markup.dll
    2010-01-23 15:30 . 2010-01-23 15:30 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-6\SpotlightResources.dll
    2010-01-18 01:50 . 2010-01-18 01:50 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-5\Markup.dll
    2010-01-16 12:02 . 2009-07-14 14:46 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-01-06 15:39 . 2010-02-25 14:07 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-01-06 15:38 . 2010-02-25 14:07 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-01-06 15:38 . 2010-02-25 14:07 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
    2010-01-06 15:38 . 2010-02-25 14:07 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2010-01-06 15:38 . 2010-02-25 14:07 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
    2010-01-06 15:38 . 2010-02-25 14:07 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
    2010-01-06 13:30 . 2010-02-25 14:07 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-01-02 06:38 . 2010-01-21 21:47 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32 . 2010-01-21 21:47 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 06:32 . 2010-01-21 21:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 04:57 . 2010-01-21 21:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-12-23 23:39 . 2009-12-23 23:39 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-4\Markup.dll
    2009-12-23 23:39 . 2009-12-23 23:39 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-5\SpotlightResources.dll
    2008-04-21 14:46 . 2008-04-21 14:46 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-08-06 15:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-17 135680]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-25 178712]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-25 154136]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-05-07 6139904]
    "Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-08-06 20480]
    "UpdateP2GShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    c:\users\Enda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Launch.lnk - c:\windows\Installer\{4A65DAD2-E914-4923-9C2A-81B968A68CE2}\_A685CC3126A7CC37D335DE.exe [2008-12-3 17542]
    OSD.lnk - c:\windows\Installer\{73289228-1853-4623-982A-EB17FF0270CA}\_1F0B30F16FFA954160D1AF.exe [2008-12-12 21630]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):69,fc,9b,7d,22,83,ca,01
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
    S1 aswSP;avast! Self Protection; [x]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-11-24 53328]
    S2 OsdService;OSD Service;c:\program files\OEM\OSD_1.2\OsdService.exe [2008-02-22 94208]
    S3 GpdDevDPort;GpdDevDPort;c:\windows\system32\directport.sys [2008-05-21 7168]
    S3 GpdKbFilter;GpdKbFilter;c:\windows\system32\kbfiltr.sys [2008-04-22 8192]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-07-15 112128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    2010-01-31 c:\windows\Tasks\Norton Security Scan for susan.job
    - c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-10-03 18:58]
    2010-03-23 c:\windows\Tasks\User_Feed_Synchronization-{228A17C7-29CE-46A1-8544-74AA0BAA2A80}.job
    - c:\windows\system32\msfeedssync.exe [2010-01-21 04:56]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.ie/
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-23 23:12
    Windows 6.0.6002 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-03-23 23:15:09
    ComboFix-quarantined-files.txt 2010-03-23 23:15
    Pre-Run: 123,380,117,504 bytes free
    Post-Run: 123,424,440,320 bytes free
    - - End Of File - - E269787DE631BDBAF1E2DE06AA7DCF2F
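As an added example (not part of the thread or any tool it names), a read-only PowerShell triage that walks the same autostart locations ComboFix listed under "Reg Loading Points" (the HKLM/HKCU Run keys and Browser Helper Objects), checks whether each image exists and carries a valid Authenticode signature, and flags the EnableLUA = 0 policy value visible in the log. It assumes PowerShell 3.0 or later in an elevated session; the function names are mine.

```powershell
# Added example, not from the thread: read-only triage of the autostart locations
# ComboFix reported, plus the UAC policy value it showed. Assumes PowerShell 3.0+.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$BhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Resolve-ImagePath([string]$Command) {
    # A Run value is a command line: take the quoted program, or the text up to the
    # first ".exe" when unquoted (paths with spaces are common in these keys).
    $m = [regex]::Match($Command, '^\s*"([^"]+)"')
    if (-not $m.Success) { $m = [regex]::Match($Command, '^\s*(.+?\.exe)', 'IgnoreCase') }
    if ($m.Success) { [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value) } else { $Command.Trim() }
}

function Test-Image([string]$Path) {
    # Bare names such as "RtHDVCpl.exe" are resolved through PATH, as the loader would.
    $cmd = Get-Command $Path -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Path) { $Path = $cmd.Path }
    if (-not (Test-Path -LiteralPath $Path)) { return @{ Path = $Path; Signature = 'FileMissing' } }
    @{ Path = $Path; Signature = (Get-AuthenticodeSignature -FilePath $Path).Status }
}

function Get-AutostartReport {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # provider metadata, not a registry value
            $img = Test-Image (Resolve-ImagePath $p.Value)
            [pscustomobject]@{ Location = $key; Entry = $p.Name; Path = $img.Path; Signature = $img.Signature }
        }
    }
    if (Test-Path $BhoKey) {
        # Each BHO subkey is a CLSID; its InprocServer32 default value names the DLL
        # (the posted log shows askBar.dll registered this way).
        foreach ($clsid in (Get-ChildItem $BhoKey).PSChildName) {
            $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
            $img = if ($dll) { Test-Image $dll } else { @{ Path = '<no InprocServer32>'; Signature = 'Unknown' } }
            [pscustomobject]@{ Location = 'BHO'; Entry = $clsid; Path = $img.Path; Signature = $img.Signature }
        }
    }
}

Get-AutostartReport | Format-Table -AutoSize
# Entries that are FileMissing or not Valid deserve a closer look; unsigned alone is not proof of malice.
$lua = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { Write-Warning 'EnableLUA = 0: UAC is disabled, as in the posted log' }
```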


  Site Banned Posts: 1,167 ✭✭✭ASJ112


    looks fine

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean





    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.






    Go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


    Registered Users, Registered Users 2 Posts: 8 tagday


      Does anyone know how to get rid of this? It says that my computer is at risk of viruses and of course wants me to purchase its Antivirus protection. It keeps popping up and will not let me uninstall it or do anything else on my laptop. I already have McAfee on my laptop, but downloaded a pop up by mistake, "AntiVir 2010". I also downloaded spybot search & destroy, carried out a scan but to no avail.


    Site Banned Posts: 1,167 ✭✭✭ASJ112


      make your own topic and do this

      Please download DDS and save it to your desktop.
      • Disable any script blocking protection
      • Double click dds.pif to run the tool.
      • When done, two DDS.txts will open.
      • Save both reports to your desktop.


      Please include the contents of the following in your next reply:

      DDS.txt
      Attach.txt.


    Registered Users, Registered Users 2 Posts: 1,279 ✭✭✭endasmail


      still getting attacks from LSASS and DCOM
      I updated to the latest avast version 5
      they're blocking the attacks
      any scan done has not shown up anything
      do people think it'd be ok anyway?


    Registered Users, Registered Users 2 Posts: 8 tagday


      ASJ112 wrote: »
      make your own topic and do this

      Please download DDS and save it to your desktop.
      • Disable any script blocking protection
      • Double click dds.pif to run the tool.
      • When done, two DDS.txts will open.
      • Save both reports to your desktop.


      Please include the contents of the following in your next reply:

      DDS.txt
      Attach.txt.


      Did the above and attached reports, what next!
      Attach Text.txt


      DDS.txt


    Site Banned Posts: 1,167 ✭✭✭ASJ112


      endasmail yeah I'd say so, do you have the mbam and kaspersky logs anyway ?


      tagday do this

      Download TFC to your desktop
      • Open the file and close any other windows.
      • It will close all programs itself when run, make sure to let it run uninterrupted.
      • Click the Start button to begin the process. The program should not take long to finish its job
      • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean





      Please download Malwarebytes' Anti-Malware from Here

      Double Click mbam-setup.exe to install the application.
      • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select "Perform Quick Scan", then click Scan.
      • The scan may take some time to finish, so please be patient.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy&Paste the entire report in your next reply.

      Extra Note:
      If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.






      Go to Kaspersky website and perform an online antivirus scan.

      1. Read through the requirements and privacy statement and click on Accept button.
      2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
      3. When the downloads have finished, click on Settings.
      4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
          Spyware, Adware, Dialers, and other potentially dangerous programs
          Archives
          Mail databases
      5. Click on My Computer under Scan.
      6. Once the scan is complete, it will display the results. Click on View Scan Report.
      7. You will see a list of infected items there. Click on Save Report As....
      8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


      Registered Users, Registered Users 2 Posts: 1,279 ✭✭✭endasmail


        Malwarebytes' Anti-Malware 1.45
        www.malwarebytes.org
        Database version: 3930
        Windows 6.0.6002 Service Pack 2
        Internet Explorer 8.0.6001.18882
        30/03/2010 00:19:48
        mbam-log-2010-03-30 (00-19-48).txt
        Scan type: Quick scan
        Objects scanned: 102383
        Time elapsed: 4 minute(s), 56 second(s)
        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 0
        Registry Values Infected: 0
        Registry Data Items Infected: 0
        Folders Infected: 0
        Files Infected: 0
        Memory Processes Infected:
        (No malicious items detected)
        Memory Modules Infected:
        (No malicious items detected)
        Registry Keys Infected:
        (No malicious items detected)
        Registry Values Infected:
        (No malicious items detected)
        Registry Data Items Infected:
        (No malicious items detected)
        Folders Infected:
        (No malicious items detected)
        Files Infected:
        (No malicious items detected)

        kaspersky is taking ages to get going
        am trying to download it

        that's the mbam log

        I'll have to use another online scanner because that one is taking hours to download


      Registered Users, Registered Users 2 Posts: 8 tagday


        Well ASJ112 I tried to carry out the three scans,
        first one just came up as "copyright 2002 - 2010"
        second one worked a treat and had done the job, log attached
        third one was churning away for about 90 minutes, I left it and when I came back it was like my computer had restarted, so do not know if the scan was completed or not.

        The infected file "Anti Vir 2010" is still in programmes but has stopped popping up every couple of seconds.

        so thanks a million for that.


      Site Banned Posts: 1,167 ✭✭✭ASJ112


        hi

        Download ComboFix here :

        Link 1
        Link 2


        * IMPORTANT !!! Save ComboFix.exe to your Desktop


        • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

        • Double click on ComboFix.exe & follow the prompts.

        • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

        • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


        **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

        [image: RcAuto1.gif]


        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

        [image: whatnext.png]


        Click on Yes, to continue scanning for malware.

        When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

