Microsoft Malicious Software Removal Tool?

jgoff14

How is it, anyone got it? Who loves it who hates it? I have a virus on my alienware notebook, AVG found it and calls it a virus but won't remove it. 'It's white listed' and should not be removed.
It's:

C:\Windows\system32\drivers\volsnap.sys

Virus detected is Win32/Patched.DX

I almost forgot, ever since getting it 3 days ago I have received bogus messages on all my computers saying "your system is at risk, would you like a free scan"; say no, click the X, it doesn't matter, it 'starts' anyway, so I stop it, and I did full scans on both (not the Alienware) and removed anything I have seen. Just now there was a virus in my virus vault on my system in sig, but I don't really browse with it, not to mention any iffy sites. They are all running on my wireless network; is there some way it's getting on all the computers from the Alienware? I don't want to, but I am considering a fresh Windows install on all 3 systems, though I would be very grouchy and you would want to stay out of my way for a week or so if that's the case ;)
 
I'm curious to see what ComboFix thinks of the file, as it could be infected and AVG can't remove it because it's a protected Windows file.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
Ok, so when I posted originally last night I was in the middle of a Microsoft Mal. Tool scan. When it finished it said partially fixed, reboot; I did. AVG showed nothing now. I still took your advice, you are so smart (I read some of your other posts). Some stuff was deleted, but maybe you can make sense of it. I didn't try uploading the file to that website yet, though I still may. I'm starting another ComboFix scan as soon as I'm done here. I will post it after. Are there any other programs I should try? The system wasn't running badly by any means, so I was rather shocked to see an infection. I was mostly concerned about internet security, so every time I am done here I turn off my wireless card :D. Thanks in advance; as my friend Tony would say: "you guys are GRRRREAT!"

ComboFix 10-05-21.04 - Jeremy 05/21/2010 20:10:20.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.844 [GMT -6:00]
Running from: c:\users\Jeremy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2SU1S7VI\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
c:\windows\system32\install.exe
c:\windows\system32\ReadMe.txt

.
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-22 02:16 . 2010-05-22 02:17 -------- d-----w- c:\users\Jeremy\AppData\Local\temp
2010-05-22 02:16 . 2010-05-22 02:16 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-05-22 02:16 . 2010-05-22 02:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-22 02:16 . 2010-05-22 02:16 -------- d-----w- c:\users\Brittanie\AppData\Local\temp
2010-05-21 16:06 . 2010-05-21 16:07 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-12 08:42 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-04-27 15:28 . 2010-04-27 15:28 4093280 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-04-27 15:28 . 2010-04-27 15:28 2064224 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-04-27 15:28 . 2010-04-27 15:28 1276768 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-27 15:28 . 2010-04-27 15:28 1245464 ----a-w- c:\programdata\avg9\update\backup\avgabout.dll
2010-04-27 15:28 . 2010-04-27 15:28 4258144 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-27 15:26 . 2010-04-27 15:26 1690464 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-27 15:26 . 2010-04-27 15:26 1038688 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-04-27 15:26 . 2010-04-27 15:26 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-04-27 15:26 . 2010-04-27 15:26 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-04-27 03:47 . 2010-04-27 03:47 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-04-27 03:47 . 2010-04-27 03:47 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-27 03:46 . 2010-04-27 03:46 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 01:49 . 2009-03-28 21:38 48478 ----a-w- c:\programdata\nvModes.dat
2010-05-21 16:07 . 2009-10-13 02:34 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-21 16:06 . 2009-09-11 02:10 226280 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-05-18 05:31 . 2010-02-13 04:19 -------- d-----w- c:\programdata\Lavasoft
2010-05-17 06:36 . 2010-04-13 07:27 -------- d-----w- c:\program files\HooTech
2010-05-12 23:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 23:02 . 2009-03-25 04:07 -------- d-----w- c:\programdata\Microsoft Help
2010-05-10 06:14 . 2009-11-04 05:33 -------- d-----w- c:\program files\CPUID
2010-05-01 02:08 . 2009-04-04 08:54 -------- d-----w- c:\program files\Lx_cats
2010-04-14 22:49 . 2010-04-14 22:49 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-13 07:27 . 2010-04-13 07:27 -------- d-----w- c:\users\Jeremy\AppData\Roaming\HTNetMeter
2010-04-10 06:42 . 2009-03-25 03:31 680 ----a-w- c:\users\Jeremy\AppData\Local\d3d9caps.dat
2010-03-16 16:49 . 2010-03-16 16:49 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-16 15:12 . 2010-01-04 04:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 15:12 . 2010-01-04 04:54 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 15:11 . 2010-01-04 04:54 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-05 14:01 . 2010-04-14 09:41 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 03:53 . 2009-03-25 03:32 102392 ----a-w- c:\users\Jeremy\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 11:10 . 2010-04-14 09:41 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-14 09:41 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-14 09:41 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-03-31 12:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 12:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 12:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 12:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"LXCICATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-11-21 106496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-29 7862816]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2009-06-03 237568]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2009-06-03 131072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActivControl]
2009-06-04 20:46 1084704 ----a-w- c:\program files\Activ Software\Activdriver\ActivControl2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 03:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-16 00:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 04:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 06:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 21:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 11:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):57,8e,5c,34,4a,37,ca,01

R1 jqqsynvo;jqqsynvo;c:\windows\system32\drivers\jqqsynvo.sys [x]
R3 ACTIVhidmini;Promethean USB Board Driver;c:\windows\system32\DRIVERS\ACTIVhidmini.sys [2009-05-05 58880]
R3 SaiH0762;SaiH0762;c:\windows\system32\DRIVERS\SaiH0762.sys [2008-04-05 136832]
R4 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2007-06-15 143256]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-16 216200]
S1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);c:\windows\system32\Drivers\NEOFLTR_650_14951.SYS [2009-12-09 85288]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S2 lxci_device;lxci_device;c:\windows\system32\lxcicoms.exe [2007-02-02 537520]
S2 SaiDOutput;Saitek DirectOutput;c:\program files\Saitek\DirectOutput\DirectOutputService.exe [2008-04-04 147456]
S3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\DRIVERS\activhidsermini.sys [2009-05-05 55936]
S3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\DRIVERS\activmouse.sys [2009-05-05 5632]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-22 c:\windows\Tasks\User_Feed_Synchronization-{1F9BC5D8-4AFC-48FE-8F97-9CCF5A1EF529}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://masteringphysics.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: direct2drive.com\www
Trusted Zone: l-3com.com\slcsg01.CSW
Trusted Zone: l-3com.com\slcsg02.CSW
Trusted Zone: l-3com.com\slcsg03.CSW
Trusted Zone: l-3com.com\slcsg04.CSW
Trusted Zone: l-3com.com\slcsg05.CSW
Trusted Zone: l-3com.com\slcsg06.CSW
Trusted Zone: l-3com.com\slcsg07.CSW
Trusted Zone: l-3com.com\slcsg08.CSW
Trusted Zone: l-3com.com\slcsg09.CSW
Trusted Zone: l-3com.com\slcsg10.CSW
Trusted Zone: masteringphysics.com\www
Trusted Zone: thedieselstop.com\www
Trusted Zone: trymedia.com\fe
Trusted Zone: l-3com.com\slcsg01.CSW
Trusted Zone: l-3com.com\slcsg02.CSW
Trusted Zone: l-3com.com\slcsg03.CSW
Trusted Zone: l-3com.com\slcsg04.CSW
Trusted Zone: l-3com.com\slcsg05.CSW
Trusted Zone: l-3com.com\slcsg06.CSW
Trusted Zone: l-3com.com\slcsg07.CSW
Trusted Zone: l-3com.com\slcsg08.CSW
Trusted Zone: l-3com.com\slcsg09.CSW
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remoteaccess.csw.l-3com.com/dana-cached/sc/JuniperSetupClient.cab
.
- - - - ORPHANS REMOVED - - - -

Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-igndlm - c:\program files\Download Manager\DLM.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
AddRemove-Download Manager - c:\program files\Download Manager\uninst.exe
AddRemove-EADM - c:\program files\Electronic Arts\EADM\Uninstall.exe
AddRemove-NWP v19.01 - c:\program files\Jane's Combat Simulations\Fleet Command\Uninstall NWP.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 20:17
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Jeremy\AppData\Local\Temp\~DFDD71.tmp 16384 bytes
c:\users\Jeremy\AppData\Local\Temp\~DFDD8D.tmp 512 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-05-21 20:19:17
ComboFix-quarantined-files.txt 2010-05-22 02:19

Pre-Run: 73,525,571,584 bytes free
Post-Run: 75,638,669,312 bytes free

- - End Of File - - 2974904A713AFDC52021D50DFA3721B1


HJT Log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:32:06 PM, on 5/21/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\taskeng.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jeremy\Downloads\ComboFix.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\msfeedssync.exe
C:\32788R22FWJFW\n.pif

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://masteringphysics.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://www.direct2drive.com
O15 - Trusted Zone: http://www.masteringphysics.com
O15 - Trusted Zone: fe.trymedia.com
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://remoteaccess.csw.l-3com.com/dana-cached/sc/JuniperSetupClient.cab
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxci_device - - C:\Windows\system32\lxcicoms.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Saitek DirectOutput (SaiDOutput) - Saitek - C:\Program Files\Saitek\DirectOutput\DirectOutputService.exe

--
End of file - 6179 bytes
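
Two things in the logs above are worth checking directly on the box rather than trusting the scanner verdicts: whether volsnap.sys is still the file Microsoft shipped (a Patched.* detection names a legitimate Windows file that has been modified in place, so the right remedy is replacing it with a known-good copy, not deleting it; the Find3M report shows it was rewritten at 2010-05-21 16:06, the same minute MpEngineStore appeared), and the `R1 jqqsynvo ... [x]` line, a system-start driver service whose backing file ComboFix could not find on disk. The following is an added example, not code from the thread or from ComboFix; it assumes an elevated PowerShell prompt on the affected Vista machine and the driver path from the first post. Note that most Windows system files are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature on an older PowerShell can report NotSigned for an intact file; sfc /verifyfile, which compares the file with the component store, is the authoritative check.

```powershell
# Added example, not code from the thread or from ComboFix. Run from an elevated
# PowerShell prompt on the affected machine. Path taken from the first post.
$driver = 'C:\Windows\System32\drivers\volsnap.sys'

# --- 1. Is volsnap.sys still the file Microsoft shipped? -------------------------
# Treat HashMismatch as a real finding and NotSigned as "ask sfc": catalog-signed
# system files can show as NotSigned on older PowerShell builds even when intact.
$sig  = Get-AuthenticodeSignature -FilePath $driver
$item = Get-Item -LiteralPath $driver
"{0}`n  size {1} bytes, modified {2:u}, Authenticode status {3}" -f `
    $driver, $item.Length, $item.LastWriteTimeUtc, $sig.Status
if ($sig.SignerCertificate) { "  signer: " + $sig.SignerCertificate.Subject }
sfc "/verifyfile=$driver"    # verdict is printed here and logged to CBS.log

# --- 2. Driver services whose image file is missing from disk -------------------
# ComboFix marks these with [x]. A boot/system-start driver with a random-looking
# name and no backing file (as with jqqsynvo in the log above) is a leftover
# loading point: confirm nothing legitimate owns it, then remove it with
# "sc delete <name>" and reboot.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem $services | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath
    if ($p.Type -ne 1 -and $p.Type -ne 2) { return }   # 1 = kernel driver, 2 = file-system driver
    if (-not $p.ImagePath) { return }
    # Driver ImagePath values are usually relative to the Windows directory
    # ('system32\drivers\x.sys') or prefixed with \SystemRoot\ or \??\.
    $path = $p.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) {
        New-Object PSObject -Property @{
            Service   = $_.PSChildName
            Start     = $p.Start          # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            ImagePath = $p.ImagePath
        }
    }
} | Format-Table Service, Start, ImagePath -AutoSize
```

If sfc reports an integrity violation it repairs the file from the component store on its own; if it cannot, the replacement has to come from install media or a known-clean copy of the same Vista SP2 build, since a file that merely exists and loads is not evidence that it is clean.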
 
System seems to be fine... I suppose. However, it may not matter, but just now I tried to open IE and it said "unable: this location is marked for deletion in the registry", or something to that effect. I rebooted and it worked fine. It also said the same thing for Avant Browser...


ComboFix 10-05-21.04 - Jeremy 05/21/2010 20:32:53.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.789 [GMT -6:00]
Running from: c:\users\Jeremy\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-22 02:37 . 2010-05-22 02:37 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-22 02:37 . 2010-05-22 02:37 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-05-22 02:37 . 2010-05-22 02:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-22 02:37 . 2010-05-22 02:37 -------- d-----w- c:\users\Brittanie\AppData\Local\temp
2010-05-22 02:31 . 2010-05-22 02:31 388096 ----a-r- c:\users\Jeremy\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-22 02:31 . 2010-05-22 02:31 -------- d-----w- c:\program files\Trend Micro
2010-05-22 02:19 . 2010-05-22 02:37 -------- d-----w- c:\users\Jeremy\AppData\Local\temp
2010-05-21 16:06 . 2010-05-21 16:07 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-12 08:42 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-04-27 15:28 . 2010-04-27 15:28 4093280 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-04-27 15:28 . 2010-04-27 15:28 2064224 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-04-27 15:28 . 2010-04-27 15:28 1276768 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-27 15:28 . 2010-04-27 15:28 1245464 ----a-w- c:\programdata\avg9\update\backup\avgabout.dll
2010-04-27 15:28 . 2010-04-27 15:28 4258144 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-27 15:26 . 2010-04-27 15:26 1690464 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-27 15:26 . 2010-04-27 15:26 1038688 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-04-27 15:26 . 2010-04-27 15:26 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-04-27 15:26 . 2010-04-27 15:26 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-04-27 03:47 . 2010-04-27 03:47 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-04-27 03:47 . 2010-04-27 03:47 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-27 03:46 . 2010-04-27 03:46 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 01:49 . 2009-03-28 21:38 48478 ----a-w- c:\programdata\nvModes.dat
2010-05-21 16:07 . 2009-10-13 02:34 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-21 16:06 . 2009-09-11 02:10 226280 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-05-18 05:31 . 2010-02-13 04:19 -------- d-----w- c:\programdata\Lavasoft
2010-05-17 06:36 . 2010-04-13 07:27 -------- d-----w- c:\program files\HooTech
2010-05-12 23:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 23:02 . 2009-03-25 04:07 -------- d-----w- c:\programdata\Microsoft Help
2010-05-10 06:14 . 2009-11-04 05:33 -------- d-----w- c:\program files\CPUID
2010-05-01 02:08 . 2009-04-04 08:54 -------- d-----w- c:\program files\Lx_cats
2010-04-14 22:49 . 2010-04-14 22:49 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-13 07:27 . 2010-04-13 07:27 -------- d-----w- c:\users\Jeremy\AppData\Roaming\HTNetMeter
2010-04-10 06:42 . 2009-03-25 03:31 680 ----a-w- c:\users\Jeremy\AppData\Local\d3d9caps.dat
2010-03-16 16:49 . 2010-03-16 16:49 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-16 15:12 . 2010-01-04 04:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 15:12 . 2010-01-04 04:54 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 15:11 . 2010-01-04 04:54 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-05 14:01 . 2010-04-14 09:41 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 03:53 . 2009-03-25 03:32 102392 ----a-w- c:\users\Jeremy\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 11:10 . 2010-04-14 09:41 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-14 09:41 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-14 09:41 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-03-31 12:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 12:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 12:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 12:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-05-22_02.17.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-22 02:31 . 2010-05-22 02:31 1094656 c:\windows\Installer\23a48fe.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"LXCICATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-11-21 106496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-29 7862816]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2009-06-03 237568]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2009-06-03 131072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActivControl]
2009-06-04 20:46 1084704 ----a-w- c:\program files\Activ Software\Activdriver\ActivControl2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 03:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-16 00:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 04:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 06:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 21:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 11:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):57,8e,5c,34,4a,37,ca,01

R1 jqqsynvo;jqqsynvo;c:\windows\system32\drivers\jqqsynvo.sys [x]
R3 ACTIVhidmini;Promethean USB Board Driver;c:\windows\system32\DRIVERS\ACTIVhidmini.sys [2009-05-05 58880]
R3 SaiH0762;SaiH0762;c:\windows\system32\DRIVERS\SaiH0762.sys [2008-04-05 136832]
R4 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2007-06-15 143256]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-16 216200]
S1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);c:\windows\system32\Drivers\NEOFLTR_650_14951.SYS [2009-12-09 85288]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S2 lxci_device;lxci_device;c:\windows\system32\lxcicoms.exe [2007-02-02 537520]
S2 SaiDOutput;Saitek DirectOutput;c:\program files\Saitek\DirectOutput\DirectOutputService.exe [2008-04-04 147456]
S3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\DRIVERS\activhidsermini.sys [2009-05-05 55936]
S3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\DRIVERS\activmouse.sys [2009-05-05 5632]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-22 c:\windows\Tasks\User_Feed_Synchronization-{1F9BC5D8-4AFC-48FE-8F97-9CCF5A1EF529}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://masteringphysics.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: direct2drive.com\www
Trusted Zone: l-3com.com\slcsg01.CSW
Trusted Zone: l-3com.com\slcsg02.CSW
Trusted Zone: l-3com.com\slcsg03.CSW
Trusted Zone: l-3com.com\slcsg04.CSW
Trusted Zone: l-3com.com\slcsg05.CSW
Trusted Zone: l-3com.com\slcsg06.CSW
Trusted Zone: l-3com.com\slcsg07.CSW
Trusted Zone: l-3com.com\slcsg08.CSW
Trusted Zone: l-3com.com\slcsg09.CSW
Trusted Zone: l-3com.com\slcsg10.CSW
Trusted Zone: masteringphysics.com\www
Trusted Zone: thedieselstop.com\www
Trusted Zone: trymedia.com\fe
Trusted Zone: l-3com.com\slcsg01.CSW
Trusted Zone: l-3com.com\slcsg02.CSW
Trusted Zone: l-3com.com\slcsg03.CSW
Trusted Zone: l-3com.com\slcsg04.CSW
Trusted Zone: l-3com.com\slcsg05.CSW
Trusted Zone: l-3com.com\slcsg06.CSW
Trusted Zone: l-3com.com\slcsg07.CSW
Trusted Zone: l-3com.com\slcsg08.CSW
Trusted Zone: l-3com.com\slcsg09.CSW
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remoteaccess.csw.l-3com.com/dana-cached/sc/JuniperSetupClient.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 20:37
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-05-21 20:39:03
ComboFix-quarantined-files.txt 2010-05-22 02:39
ComboFix2.txt 2010-05-22 02:19

Pre-Run: 75,539,144,704 bytes free
Post-Run: 75,294,367,744 bytes free

- - End Of File - - 3C5DCB45DD88DA91D89ADDDA35247A95
 
Please rerun hijackthis and place check marks next to the following entries.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O15 - Trusted Zone: fe.trymedia.com

Then click on fix checked at the bottom.

So everything is running ok now?
 
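As an added worked example (my own script, not part of the original thread and not code from HijackThis or ComboFix), here is a read-only PowerShell check that reports the same three things the O2/O4/O15 entries above describe: every registered Browser Helper Object together with the DLL its CLSID resolves to and whether that file actually exists (what HijackThis prints as "(no file)"), every value under the machine Run key with its image path, and every per-user ZoneMap domain assigned zone 2 (Trusted sites). Run it from an elevated PowerShell prompt before and after the fix; the registry paths are the standard ones, the function names are my own, and nothing is deleted.

```powershell
# Added example: audit BHOs, HKLM Run autostarts and Trusted-zone domains.
# Read-only; the CFScript in the thread is what removes entries.

$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RegistryValues([string]$path) {
    # Name/value pairs of one key, minus the provider metadata PowerShell adds.
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $item) { return }
    foreach ($p in $item.PSObject.Properties) {
        if ($meta -notcontains $p.Name) {
            New-Object PSObject -Property @{ Name = $p.Name; Value = $p.Value }
        }
    }
}

function Get-ImagePath([string]$commandLine) {
    # First token of a Run value: a quoted path, or everything up to the first space.
    $cl = $commandLine.Trim()
    if ($cl.StartsWith('"')) { $exe = $cl.Substring(1).Split('"')[0] }
    else { $exe = $cl.Split(' ')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-BhoReport {
    # One object per BHO: CLSID, the DLL registered for it, and whether it exists.
    # A CLSID with no InprocServer32 or a missing DLL is an orphaned registration.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                -ErrorAction SilentlyContinue
        $dll = $null
        $present = $false
        if ($srv -and $srv.'(default)') {
            $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)'.Trim('"'))
            $present = Test-Path -LiteralPath $dll
        }
        New-Object PSObject -Property @{ CLSID = $clsid; Dll = $dll; Present = $present }
    }
}

function Get-RunReport {
    # Machine-wide autostarts (HijackThis O4 HKLM\..\Run) with the launched image checked.
    Get-RegistryValues 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | ForEach-Object {
        $exe = Get-ImagePath ([string]$_.Value)
        New-Object PSObject -Property @{
            Name = $_.Name; Command = $_.Value; Present = (Test-Path -LiteralPath $exe)
        }
    }
}

function Get-TrustedZoneReport {
    # Per-user ZoneMap entries whose zone number is 2 (Trusted sites, HijackThis O15).
    # Keys nest as Domains\<domain>\<host>, so the relative path is reversed to rebuild the name.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $rootItem = Get-Item -Path $root -ErrorAction SilentlyContinue
    if (-not $rootItem) { return }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $rel = $_.Name.Substring($rootItem.Name.Length).TrimStart('\')
        $parts = $rel.Split('\')
        [array]::Reverse($parts)
        $fqdn = $parts -join '.'
        foreach ($v in (Get-RegistryValues $_.PSPath)) {
            if ($v.Value -eq 2) {
                New-Object PSObject -Property @{ Host = $fqdn; Scheme = $v.Name }
            }
        }
    }
}

'== Browser Helper Objects (Present=False means "(no file)") =='
Get-BhoReport | Format-Table CLSID, Present, Dll -AutoSize
'== HKLM Run =='
Get-RunReport | Format-Table Name, Present, Command -AutoSize
'== Trusted Zone domains (HKCU, zone 2) =='
Get-TrustedZoneReport | Format-Table Host, Scheme -AutoSize
```

After the CFScript has run, the three CLSIDs from the O2 lines and fe.trymedia.com should no longer appear; any BHO that still shows Present=False, or any Trusted-zone domain you did not add yourself, is worth posting in the thread before touching it.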
SEE PIC IN COMPRESSED FOLDER>>

I can't remove them. I tried and they are still there. I rebooted, still there. I didn't get that message the first time. Also I know about the run as admin but I don't have the option to
 
You can get those using ComboFix. Here's the code, but wait for John:


Code:
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[-HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
"Adobe Reader Speed Launcher"=-
"Adobe ARM"=-
"iTunesHelper"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fe.trymedia.com]


MrC
 
Mrc,

I hope you don't feel like you are stepping on my toes, cause you aren't. Please feel free to post whatever fixes are required. I know you and what your credentials are.


jgoff14,

Please perform the following procedure to get rid of those entries.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[-HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
"Adobe Reader Speed Launcher"=-
"Adobe ARM"=-
"iTunesHelper"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fe.trymedia.com]


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[Screenshot: CFScript-1.gif, CFScript.txt being dragged onto ComboFix.exe]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Also please navigate to c:\windows\system32\drivers\etc\hosts. Right-click on the hosts file, click Open, and open it using Notepad. If you have anything else listed in there besides this entry, please post it in your next reply.

127.0.0.1 localhost

If you have more entries in there, you can highlight all the other entries and press the Delete key, but make sure you leave the entry listed above alone.
 
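As an added example (my own script, not from the thread), here is a read-only PowerShell version of the hosts-file check above: it strips comments and blank lines, collapses whitespace so `127.0.0.1    localhost` compares equal to `127.0.0.1 localhost`, and prints every remaining mapping. I also allow `::1 localhost`, because Vista's stock hosts file carries that IPv6 line next to the IPv4 one; remove it from `$expected` if you want to match the instruction exactly. The path and the allow-list are the only assumptions.

```powershell
# Added example: list hosts-file entries that are not the stock loopback lines.
# Read-only. Malware commonly adds lines here that point antivirus update sites
# at 127.0.0.1 or at an attacker's address, so post any extra line before deleting it.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Mappings a stock Vista hosts file contains; anything else is reported.
$expected = @('127.0.0.1 localhost', '::1 localhost')

function Get-HostsEntries([string]$path) {
    # Drop comments (# to end of line) and blank lines, then normalise runs of
    # spaces/tabs to a single space so entries can be compared as plain strings.
    Get-Content -LiteralPath $path -ErrorAction Stop | ForEach-Object {
        $line = ($_ -replace '#.*$', '').Trim()
        if ($line) { ($line -split '\s+') -join ' ' }
    }
}

function Get-UnexpectedHostsEntries([string]$path) {
    # Case-insensitive comparison: -notcontains ignores case by default.
    Get-HostsEntries $path | Where-Object { $expected -notcontains $_ }
}

$extra = @(Get-UnexpectedHostsEntries $hostsPath)
if ($extra.Count -eq 0) {
    'hosts file contains only the stock loopback entries'
} else {
    "Non-default hosts entries ($($extra.Count)):"
    $extra | ForEach-Object { "  $_" }
}
```

The file is normally marked read-only and hidden, and it lives under System32, so reading it works from any account but saving a cleaned copy from Notepad needs an elevated (Run as administrator) Notepad.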
jgoff14,

You can't run ComboFix without disabling your malware programs:

Code:
ComboFix 10-05-21.04 - Jeremy 05/21/2010 20:10:20.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.844 [GMT -6:00]
Running from: c:\users\Jeremy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2SU1S7VI\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
Disable malware programs

MrC
 