need help with virus

Question

david888m 0 Newbie Poster

14 Years Ago

BRIEF BACKGROUND
Two weeks ago, Avira's rescue CD reported for one computer: "Contains code of the Boot.1 virus". However, the closest match in their database is W-Boot.1 for which an alias is Dr. Web's WBoot. Malwarebytes saw nothing. AVG saw nothing. Dr. Web reported for another computer: "A: Boot Sector" and status as "NYB". but I tried detected anything. Since then, suspicious activities continued even though no antimalware solution is able to detect anything. Disabling network access is a primary activity of this virus. It also deletes and corrupts various device drivers or files associated with their functioning, interferes with OS repair and installation, sometimes interferes with antimalware installation, and occasionally hides the d: hard disk. My lans on 4 computers show a red X, saying that "A network cable is unplugged." A total of 7 nics on 4 computers have been affected. I previously got DSL access back for about 24 hours by fdisk/format and by System Restore. I was able to get dialup access back by installing a new OS.

CURRENT ISSUES
After flashing the bios, cleaning the mbr by fdisk /mbr and fdisk/mbr, formatting the whole hard disk, and reinstalling XP on one of the computers, I'm unable to get dsl internet access back. When I tried to format, it aborted twice at 27% with the message "not ready" before it went through all the way. One lan shows a red X, saying that "A network cable is unplugged." Another nic that installed many times before keep getting installation errors. A third nic that installed many times before cannot be detected. Also, I'm not getting audio. Compared to previous fdisking and formatting that brought back dsl for about 24 hours on this same computer, I have a flash drive with some backup data plugged in. Could that be the reason?

LOGS
Malwarebytes' Anti-Malware 1.44
Database version: 3902
Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

3/23/2010 2:17:12 AM
mbam-log-2010-03-23 (02-17-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 114758
Time elapsed: 12 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS (Ver_09-12-01.01) - FAT32x86
Run by XPUser at 9:40:30.15 on Tue 03/23/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.361 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\XPUser\My Documents\Downloads\qby679ys.exe
C:\DOCUME~1\XPUser\LOCALS~1\Temp\RarSFX2\78tr28.exe
C:\DOCUME~1\XPUser\LOCALS~1\Temp\RarSFX2\k6mdsXP.exe
C:\Documents and Settings\XPUser\Desktop\TEMP\dds.scr

============== Pseudo HJT Report ===============

EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xpuser\applic~1\mozilla\firefox\profiles\u8ap84wl.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2010-3-22 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2010-3-22 45416]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2010-3-22 20160]
S3 UF100;HAWKING UF100 USB 10/100 Network Adapter;c:\windows\system32\drivers\UF100.sys [2010-3-22 26238]

=============== Created Last 30 ================

2010-03-23 17:38:34 0 ----a-w- c:\documents and settings\xpuser\defogger_reenable
2010-03-23 15:47:31 0 d-----w- c:\documents and settings\xpuser\DoctorWeb
2010-03-23 07:17:32 0 d-----w- c:\docume~1\xpuser\applic~1\Malwarebytes
2010-03-23 07:17:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 07:17:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-23 07:17:18 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 07:17:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 06:18:52 0 d-sh--w- C:\FOUND.001
2010-03-23 06:16:43 0 d-----w- c:\program files\Avira
2010-03-23 06:16:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-03-23 05:24:38 0 d-sh--w- c:\documents and settings\all users\DRM
2010-03-23 05:22:49 0 d-----w- c:\program files\common files\MSSoap
2010-03-23 05:20:13 0 d--h--w- c:\program files\WindowsUpdate
2010-03-23 05:20:13 0 d-----w- c:\program files\Online Services
2010-03-23 05:19:51 0 d-----w- c:\program files\Messenger
2010-03-23 05:19:46 0 d-----w- c:\program files\MSN Gaming Zone
2010-03-23 05:19:05 0 d-----w- c:\program files\Windows NT
2010-03-23 04:37:57 0 d-----w- c:\program files\common files\ODBC
2010-03-23 04:37:52 0 d-----w- c:\program files\common files\SpeechEngines
2010-03-23 04:37:20 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-03-23 05:21:34 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 9:43:29.32 ===============

DDS (Ver_09-12-01.01) - FAT32x86
Run by XPUser at 9:40:30.15 on Tue 03/23/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.361 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\XPUser\My Documents\Downloads\qby679ys.exe
C:\DOCUME~1\XPUser\LOCALS~1\Temp\RarSFX2\78tr28.exe
C:\DOCUME~1\XPUser\LOCALS~1\Temp\RarSFX2\k6mdsXP.exe
C:\Documents and Settings\XPUser\Desktop\TEMP\dds.scr

============== Pseudo HJT Report ===============

EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xpuser\applic~1\mozilla\firefox\profiles\u8ap84wl.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2010-3-22 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2010-3-22 45416]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2010-3-22 20160]
S3 UF100;HAWKING UF100 USB 10/100 Network Adapter;c:\windows\system32\drivers\UF100.sys [2010-3-22 26238]

=============== Created Last 30 ================

2010-03-23 17:38:34 0 ----a-w- c:\documents and settings\xpuser\defogger_reenable
2010-03-23 15:47:31 0 d-----w- c:\documents and settings\xpuser\DoctorWeb
2010-03-23 07:17:32 0 d-----w- c:\docume~1\xpuser\applic~1\Malwarebytes
2010-03-23 07:17:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 07:17:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-23 07:17:18 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 07:17:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 06:18:52 0 d-sh--w- C:\FOUND.001
2010-03-23 06:16:43 0 d-----w- c:\program files\Avira
2010-03-23 06:16:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-03-23 05:24:38 0 d-sh--w- c:\documents and settings\all users\DRM
2010-03-23 05:22:49 0 d-----w- c:\program files\common files\MSSoap
2010-03-23 05:20:13 0 d--h--w- c:\program files\WindowsUpdate
2010-03-23 05:20:13 0 d-----w- c:\program files\Online Services
2010-03-23 05:19:51 0 d-----w- c:\program files\Messenger
2010-03-23 05:19:46 0 d-----w- c:\program files\MSN Gaming Zone
2010-03-23 05:19:05 0 d-----w- c:\program files\Windows NT
2010-03-23 04:37:57 0 d-----w- c:\program files\common files\ODBC
2010-03-23 04:37:52 0 d-----w- c:\program files\common files\SpeechEngines
2010-03-23 04:37:20 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-03-23 05:21:34 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 9:43:29.32 ===============

ATTACH.TXT
DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/22/2010 1:32:19 PM
System Uptime: 3/22/2010 10:15:48 PM (11 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7N8X2.0
Processor: AMD Athlon(tm) XP | Socket A | 1094/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 10 GiB total, 6.018 GiB free.
D: is Removable
E: is CDROM (CDFS)
F: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0064&SUBSYS_0C111043&REV_A2\3&13C0B0C5&0&09
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0064&SUBSYS_0C111043&REV_A2\3&13C0B0C5&0&09
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_10DE&DEV_006A&SUBSYS_80951043&REV_A1\3&13C0B0C5&0&30
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_10DE&DEV_006A&SUBSYS_80951043&REV_A1\3&13C0B0C5&0&30
Service:

==== System Restore Points ===================

RP1: 3/22/2010 9:39:57 PM - System Checkpoint
RP2: 3/22/2010 9:51:54 PM - Unsigned driver install
RP3: 3/22/2010 9:54:18 PM - Unsigned driver install
RP4: 3/22/2010 10:16:21 PM - Avira AntiVir Personal - 3/22/2010 22:16
RP5: 3/22/2010 10:25:15 PM - Avira AntiVir Personal - 3/22/2010 22:25

==== Installed Programs ======================

Avira AntiVir Personal - Free Antivirus
HijackThis 2.0.2
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6)
WebFldrs XP

==== Event Viewer Messages From Past Week ========

3/22/2010 2:20:40 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 8053ce49, parameter3 f545799c, parameter4 00000000.
3/22/2010 1:41:27 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
3/22/2010 1:35:30 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
3/22/2010 1:35:30 PM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort1.
3/22/2010 1:32:38 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.

==== End Of File ===========================

ESET wouldn't run, but Trend Micro Housecall reports "No threats found".

Thank you in advance for suggestions and comments.

virus-malware windows-virus

2 Contributors
6 Replies
341 Views
2 Weeks Discussion Span
Latest Post 14 Years Ago Latest Post by jholland1964

jholland1964 650 Posting Expert

14 Years Ago

I have a flash drive with some backup data plugged in. Could that be the reason?

Yes, most definitely the backup data may very well be infected. I hate to tell you but you really should clean out that flash drive completely, even though you will lose backup data, there is no way of knowing exactly what is infected on there but it should go to be safe.
The second thing, if I am reading this correctly, these 4 computers are networked together. You need remove that networking for now and work on only ONE computer and get it clean. Install all new copies of the software you use, don't use backups if at all possible.

After that one computer is clean then, don't network it to others but pick another and get that one also clean, and so on. After all computers are clean is when you can then network them together.
Looking at the DDS scans there are unknown files running on both of those logs, are these from two different computers or did you just post the log twice?
The files showing as running when the scans were done and which are unknown for sure are:
C:\Documents and Settings\XPUser\My Documents\Downloads\qby679ys.exe
C:\DOCUME~1\XPUser\LOCALS~1\Temp\RarSFX2\78tr28.exe
C:\DOCUME~1\XPUser\LOCALS~1\Temp\RarSFX2\k6mdsXP.exe

The MBA-M scan is obviously not correct because it shows a full scan was run but the number of Objects scanned: 114758 but it only took 12 minutes to run. This cannot be correct. A full scan should have taken at least one hour.

Frankly, I would just do a full reformat on that one computer, using your Windows CD it would as quick or quicker rather than trying to repair. Install all your drivers from your drivers disk so that you can go online then go to the Windows Update and update to SP3. Get that one computer up and running, download and install a NEW copy of Avira, a new copy of MBA-M, update them of course. Do full scans with both to be certain the computer is totally clean. Then do the same with each of the other computers. Then and only then begin to network the computers together, one at a time.
Don't use that flash drive unless you can be absolutely certain it is 100% clean.

Edited 14 Years Ago by jholland1964 because: n/a

jholland1964 650 Posting Expert

14 Years Ago

Could my computer have gotten reinfected by a website?

Absolutely, or a download, an email...
Who told you to run combofix? Where are the logs? Are you 100% familiar with combofix and how to read and interpret each and every line of the logs? Just running combofix does not necessarily remove all infection, it can remove some of the infected files but very often additional steps are required. Am very confused as to why, after a full wipe and reformat there would be infected files found UNLESS the disk used either was not legal OR was an image of the computer with the infected files in the image. A full reformat and reinstall should have totally wiped the hard drive.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

david888m 0 Newbie Poster · Answer 1 · 2010-03-25T05:34:54+00:00

I'm thinking that the virus could have displaced the mbr. I read about a virus that moved the mbr to sector 7 of track 0 and redirected examination of itself to the mbr.

I'm thinking of editing track 0 (location of a possible hidden virus
and displaced mbr) and repairing with XP's fixboot and fixmbr.

Can I repair XP SP3 with SP1 CD and follow up with SP3 update?
Alternatively, would I have to combine XP SP1 with SP3 update by a
"slipstreaming process"? Has anybody done slipstreaming?

david888m 0 Newbie Poster · Answer 2 · 2010-04-05T02:01:37+00:00

The most heavily infected was the Dell. I flashed the bios, used Avira boot virus removal tool, installed Linux (Freespire followed by Ubuntu Desktop), fdisked, and reformatted with windows, reinstalled Windows, and ran ComboFix (found 3 infected system files). I've scanned many times with Avira, Dr. Web, Malwarebytes, Trend Micro, DDS, GMER, etc., but found nothing.

I haven't seen any suspicious symptoms for a week or so. I was browsing earlier today when the Dell froze with a blue screen. After rebooting, I lost my DSL. The DSL network icon is gone. The modem icons are present, but modified and nonfunctional. The modem and nics are gone from Device Manager. These are some of the symptoms I had before. Could my computer have gotten reinfected by a website?

david888m 0 Newbie Poster · Answer 3 · 2010-04-12T23:19:26+00:00

There are numerous posts all over the web stating that some viruses are able to survive high formatting; low formatting had to be used to get rid of them. I had already tested and discovered on another hard disk that my virus(es) survived bios flashing, fixing boot record and high formatting. Fdisking without low formatting appeared to have gotten rid of them on the test system. I'm hoping that I wouldn't have to low format and destroy my disk caching. My Windows 2000 installation CD's are legal (having received them as a Microsoft Academy student) and have been used for installation many times over the years without infection problems.

I don't know how to interpret Combofix logs. A Malwarebytes staff member asked me to run it. I posted various logs of the Dell were posted Mar 29 2010, 11:10 PM, Post #11 at http://forums.malwarebytes.org/index.php?showtopic=43559&st=20&gopid=231386&#entry231386
He had been examing my logs for the Asus. It will probably be a while before he looks at my Combofix logs on the Dell. Below is a newer Combofix log done on April 7th. Thanks.

ComboFix 10-04-05.06 - Administrator 04/07/2010 0:27.2.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.254.148 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\TEMP\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\qmgr.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-07 04:38 . 2010-04-07 04:38 16384 ----a-w- c:\winnt\system32\Perflib_Perfdata_4e0.dat
2010-04-06 23:31 . 2010-04-06 23:31 -------- d-----w- C:\WUTemp
2010-04-06 22:26 . 2010-04-06 22:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-04-06 22:23 . 2010-04-06 22:23 -------- d-----w- c:\program files\QuickTime
2010-04-06 22:23 . 2010-04-06 22:23 -------- d-----w- c:\program files\Apple Software Update
2010-04-06 22:22 . 2010-04-06 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-05 02:41 . 2010-04-05 02:41 -------- d-----w- c:\program files\ToniArts
2010-04-05 02:41 . 2010-04-05 02:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-03 18:33 . 2010-04-03 18:33 -------- d-----w- C:\FOUND.000
2010-03-31 16:27 . 2010-03-31 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-03-31 16:26 . 2010-03-31 16:26 -------- d-----w- c:\program files\Yahoo!
2010-03-30 20:43 . 2010-03-30 20:43 -------- d-s---w- c:\documents and settings\Administrator\UserData
2010-03-30 05:46 . 2010-03-30 05:46 -------- d-----w- c:\program files\NetZero
2010-03-30 05:46 . 2010-03-30 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NetZero
2010-03-30 05:46 . 2010-03-30 05:46 -------- d-----w- C:\NetZeroInstaller
2010-03-29 04:52 . 2010-03-29 04:52 -------- d-----w- c:\program files\FXDD - MetaTrader 4
2010-03-28 21:56 . 1999-12-06 20:00 12560 ----a-w- c:\winnt\system32\dllcache\chtbrkr.dll
2010-03-28 21:56 . 1999-12-06 20:00 12560 ----a-w- c:\winnt\system32\chtbrkr.dll
2010-03-28 21:56 . 1999-12-06 20:00 1577216 ----a-w- c:\winnt\system32\dllcache\cjime.exe
2010-03-28 21:56 . 1999-12-06 20:00 1577216 ----a-w- c:\winnt\system32\cjime.exe
2010-03-28 21:55 . 1999-12-06 20:00 1409792 ----a-w- c:\winnt\system32\phime.exe
2010-03-28 21:55 . 1999-12-06 20:00 1409792 ----a-w- c:\winnt\system32\dllcache\phime.exe
2010-03-28 21:36 . 1999-08-05 20:11 290816 ----a-w- c:\winnt\system32\IMEPAD.DLL
2010-03-28 21:36 . 1999-08-05 20:11 290816 ----a-w- c:\winnt\system32\dllcache\imepad.dll
2010-03-28 21:25 . 2010-03-28 21:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canon
2010-03-28 20:52 . 2010-03-28 20:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Foxit Software
2010-03-28 20:51 . 2010-03-28 20:51 -------- d-----w- c:\program files\Foxit Software
2010-03-28 20:51 . 2010-03-28 20:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Foxit
2010-03-28 20:20 . 2010-03-28 20:21 -------- d-----w- c:\program files\IZArc
2010-03-28 20:18 . 2010-03-28 20:18 -------- d-----w- c:\winnt\ShellNew
2010-03-28 20:16 . 2010-03-28 20:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microsoft Web Folders
2010-03-28 19:35 . 2010-03-28 19:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY.users
2010-03-28 19:34 . 2010-03-28 19:34 -------- d-----w- c:\program files\SogouInput
2010-03-28 19:34 . 2010-03-28 19:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY
2010-03-28 19:31 . 1999-12-06 20:00 12560 ----a-w- c:\winnt\system32\dllcache\chsbrkr.dll
2010-03-28 19:31 . 1999-12-06 20:00 12560 ----a-w- c:\winnt\system32\chsbrkr.dll
2010-03-28 19:31 . 1999-12-06 20:00 3442432 ----a-w- c:\winnt\system32\pyime.exe
2010-03-28 19:31 . 1999-12-06 20:00 3442432 ----a-w- c:\winnt\system32\dllcache\pyime.exe
2010-03-28 10:08 . 2007-10-23 13:27 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2010-03-28 10:01 . 1998-10-29 20:45 306688 ----a-w- c:\winnt\IsUninst.exe
2010-03-28 09:57 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2010-03-28 09:56 . 2010-03-28 09:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-03-28 09:53 . 2010-03-28 09:53 -------- d-----w- C:\dell
2010-03-28 09:43 . 1996-01-09 14:38 283648 ----a-w- c:\winnt\uninst.exe
2010-03-28 09:10 . 2010-03-28 09:10 2829 ----a-w- c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Quattro.pif
2010-03-28 06:47 . 2010-03-28 06:47 -------- d-----w- c:\winnt\system32\Macromed
2010-03-28 06:18 . 2010-03-28 06:18 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft
2010-03-28 00:05 . 2010-03-28 00:05 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2010-03-27 18:57 . 2010-03-30 07:57 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-27 18:54 . 2010-03-27 18:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-27 17:58 . 2010-03-27 17:58 -------- d-----w- c:\program files\Avira
2010-03-27 17:58 . 2010-03-27 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-27 17:58 . 2009-03-30 13:32 97512 ----a-w- c:\winnt\system32\drivers\avipbb.sys
2010-03-27 17:58 . 2009-03-24 19:07 65240 ----a-w- c:\winnt\system32\drivers\avgntflt.sys
2010-03-27 17:58 . 2009-02-13 15:28 18520 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys
2010-03-27 17:58 . 2009-02-13 15:16 64488 ----a-w- c:\winnt\system32\drivers\avgntdd.sys
2010-03-27 17:58 . 2010-03-27 17:58 -------- d-----w- c:\winnt\winsxs
2010-03-27 17:54 . 2010-03-27 17:54 -------- d-----w- c:\winnt\system32\Windows Media
2010-03-27 17:53 . 2010-03-27 17:54 -------- d--h--w- c:\winnt\$NtUpdateRollupPackUninstall$
2010-03-27 17:53 . 2010-03-27 17:54 -------- d-----w- c:\winnt\msiinst.tmp
2010-03-27 17:52 . 2010-03-27 17:52 -------- d-----w- c:\winnt\ime
2010-03-27 17:52 . 2010-03-27 17:52 -------- d-----w- c:\winnt\system32\Microsoft
2010-03-27 17:47 . 2010-03-27 17:47 -------- d-----w- c:\winnt\system32\ie_de
2010-03-27 17:47 . 2010-03-27 17:47 -------- d-----w- c:\winnt\system32\CertSrv
2010-03-27 17:47 . 2010-03-27 17:47 -------- d-----w- c:\winnt\ServicePackFiles
2010-03-27 17:46 . 2003-06-19 16:05 3856 ------w- c:\winnt\system32\SVCPACK1.DLL
2010-03-27 17:44 . 2003-06-19 18:05 977680 ----a-w- c:\winnt\system32\vfpodbc.dll
2010-03-27 17:43 . 2003-06-19 18:05 85776 ----a-w- c:\winnt\system32\smlogsvc.exe
2010-03-27 17:42 . 2003-06-19 18:05 444176 ----a-w- c:\winnt\system32\oieng400.dll
2010-03-27 17:41 . 2003-06-19 18:05 33616 ------w- c:\winnt\system32\drivers\fips.sys
2010-03-27 17:40 . 2003-06-19 18:05 305664 ----a-w- c:\winnt\system32\msihnd.dll
2010-03-27 17:40 . 2003-09-20 01:53 64512 ----a-w- c:\winnt\system32\msiexec.exe
2010-03-27 17:40 . 2003-06-19 18:05 2017792 ----a-w- c:\winnt\system32\msi.dll
2010-03-27 17:40 . 2004-07-19 23:56 319760 ----a-w- c:\winnt\system32\msexcl40.dll
2010-03-27 17:40 . 2003-09-26 07:42 512272 ----a-w- c:\winnt\system32\msexch40.dll
2010-03-27 17:40 . 2003-06-19 18:05 4126 ----a-w- c:\winnt\system32\msdxmlc.dll
2010-03-27 17:37 . 2003-06-19 18:05 74000 ----a-w- c:\winnt\system32\uniime.dll
2010-03-27 17:37 . 2003-06-19 18:05 74000 ----a-w- c:\winnt\system32\dllcache\uniime.dll
2010-03-27 17:35 . 2003-06-19 18:05 206096 ----a-w- c:\winnt\system32\infosoft.dll
2010-03-27 17:34 . 2004-03-11 18:29 97552 ----a-w- c:\winnt\system32\comrepl.dll
2010-03-27 17:33 . 2010-03-27 17:33 0 ----a-w- c:\winnt\nsreg.dat
2010-03-27 17:33 . 2010-03-27 17:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-03-27 17:10 . 2010-03-30 04:46 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-03-27 17:10 . 2010-03-30 04:45 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-03-27 17:10 . 2010-03-27 17:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-27 17:10 . 2010-03-27 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-27 16:52 . 2010-03-27 16:52 -------- d-----w- C:\UNINST
2010-03-27 08:44 . 2010-03-27 08:44 -------- d-----w- C:\UTIL
2010-03-27 08:43 . 2010-03-27 08:43 -------- d-----w- c:\program files\SSH Communications Security
2010-03-27 08:43 . 2010-03-27 08:43 -------- d-----w- c:\program files\RegClean
2010-03-27 08:43 . 2010-03-27 08:43 -------- d-----w- c:\program files\QPRO
2010-03-27 08:42 . 2010-03-27 08:42 -------- d-----w- c:\program files\ATF Cleaner
2010-03-27 08:35 . 2010-03-27 08:35 -------- d-----w- c:\program files\Juno
2010-03-27 08:33 . 2010-04-04 17:24 -------- d-----r- C:\MYDOCS
2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\juno2
2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\juno1
2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\Index
2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\Futures
2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\FOREX
2010-03-27 08:33 . 2010-03-27 08:33 -------- d-----w- C:\EXPORT
2010-03-27 08:32 . 2010-03-27 08:32 -------- d-----w- C:\COMM
2010-03-27 08:32 . 2010-03-27 08:32 -------- d-----w- C:\BAT
2010-03-27 08:32 . 2010-03-27 08:32 -------- d-----w- C:\antbar
2010-03-27 08:29 . 2010-03-27 08:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Scansoft
2010-03-27 08:15 . 2006-09-13 04:00 74240 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0409\CNMsr83.dll
2010-03-27 08:15 . 2006-09-13 04:00 73216 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0411\CNMlr83.dll
2010-03-27 08:15 . 2006-09-13 04:00 42496 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0411\CNMsr83.dll
2010-03-27 08:15 . 2006-09-13 04:00 334848 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0409\CNMur83.dll
2010-03-27 08:15 . 2006-09-13 04:00 249344 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0411\CNMur83.dll
2010-03-27 08:15 . 2006-09-13 04:00 130048 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon MP160 Printer\LanguageModules\0409\CNMlr83.dll
2010-03-27 08:15 . 2003-06-19 18:05 12592 ----a-w- c:\winnt\system32\drivers\usbscan.sys
2010-03-27 08:15 . 2010-03-27 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-03-27 08:15 . 2010-03-27 08:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\ScanSoft
2010-03-27 08:14 . 2010-03-27 08:14 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2010-03-27 08:14 . 2010-03-27 08:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-03-27 08:14 . 2010-03-27 08:14 -------- d-----w- c:\program files\ScanSoft
2010-03-27 08:13 . 2010-03-27 08:13 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-27 08:13 . 2010-03-27 08:13 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-03-27 08:13 . 2006-09-13 04:00 69632 ----a-w- c:\winnt\system32\Spool\prtprocs\w32x86\CNMPP83.DLL
2010-03-27 08:13 . 2006-09-13 04:00 27136 ----a-w- c:\winnt\system32\Spool\prtprocs\w32x86\CNMPD83.DLL
2010-03-27 08:13 . 2006-09-13 04:00 197632 ----a-w- c:\winnt\system32\CNMLM83.DLL
2010-03-27 08:13 . 2010-03-27 08:13 -------- d--h--w- c:\winnt\system32\CanonIJ Uninstaller Information
2010-03-27 08:12 . 2006-05-26 09:54 135168 ----a-w- c:\winnt\system32\CNCL160.DLL
2010-03-27 08:12 . 2006-04-13 15:22 73728 ----a-w- c:\winnt\system32\CNCU160.DLL
2010-03-27 08:12 . 2010-03-27 08:12 -------- d--h--w- c:\program files\CanonBJ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 21:25 . 2010-03-28 21:25 5058 ----a-w- c:\winnt\Help\hhcolreg.dat
2010-03-27 07:42 . 2010-03-27 07:42 -------- d-----w- c:\program files\microsoft frontpage
2010-03-27 07:41 . 2010-03-27 07:41 558142 ----a-w- c:\winnt\java\Packages\4LBHFJ9J.ZIP
2010-03-27 07:41 . 2010-03-27 07:41 2678 ----a-w- c:\winnt\java\Packages\Data\6QB53FP3.DAT
2010-03-27 07:41 . 2010-03-27 07:41 2474 ----a-w- c:\winnt\java\Packages\Data\31FP37D7.DAT
2010-03-27 07:41 . 2010-03-27 07:41 2678 ----a-w- c:\winnt\java\Packages\Data\9JZ13T7H.DAT
2010-03-27 07:41 . 2010-03-27 07:41 2474 ----a-w- c:\winnt\java\Packages\Data\3PFFHBNZ.DAT
2010-03-27 07:41 . 2010-03-27 07:41 156441 ----a-w- c:\winnt\java\Packages\LVLZZVF5.ZIP
2010-03-27 07:41 . 2010-03-27 07:40 2678 ----a-w- c:\winnt\java\Packages\Data\TVF5BRTV.DAT
2010-03-27 07:41 . 2010-03-27 07:40 2678 ----a-w- c:\winnt\java\Packages\Data\NDZLZ7H7.DAT
2010-03-27 07:41 . 2010-03-27 07:40 2678 ----a-w- c:\winnt\java\Packages\Data\L31VFPJX.DAT
2010-03-27 07:40 . 2010-03-27 07:40 21952 ---h--w- c:\program files\folder.htt
2010-03-27 07:39 . 2010-03-27 07:39 15012 ----a-w- c:\winnt\system32\emptyregdb.dat
2010-03-27 07:38 . 2010-03-27 07:38 -------- d-----w- c:\program files\Accessories
.

((((((((((((((((((((((((((((( SnapShot@2010-04-05_04.31.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-27 07:30 . 2010-04-06 21:23 99048 c:\winnt\system32\FNTCACHE.DAT
- 2010-03-27 07:30 . 2010-04-04 20:57 99048 c:\winnt\system32\FNTCACHE.DAT
+ 2010-04-06 22:23 . 2010-04-06 22:23 24064 c:\winnt\Installer\{A260B422-70E1-41E2-957D-F76FA21266D5}\AppleSoftwareUpdateIco.exe
+ 2010-03-27 17:42 . 2003-06-19 18:05 244224 c:\winnt\system32\dllcache\qmgr.dll
+ 2010-04-06 22:23 . 2010-04-06 22:23 7424000 c:\winnt\Installer\4b5e8.msi
+ 2010-04-06 22:23 . 2010-04-06 22:23 1527808 c:\winnt\Installer\4b5e4.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2009-10-05 1779712]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ort6yxoa.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 00:38
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(164)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(324)
c:\winnt\AppPatch\AcLayers.DLL
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\winnt\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\winnt\system32\regsvc.exe
c:\winnt\system32\MSTask.exe
c:\winnt\system32\stisvc.exe
c:\winnt\System32\WBEM\WinMgmt.exe
.
**************************************************************************
.
Completion time: 2010-04-07 00:41:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 04:41
ComboFix2.txt 2010-04-05 04:33

Pre-Run: 763,559,936 bytes free
Post-Run: 815,276,032 bytes free

- - End Of File - - F40A69E0183B7F3235CFFAE566600581

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 4 · 2010-04-13T01:23:02+00:00

David, I am sorry, but since this was requested by another forum you are going to have to stick with what you are doing there. Using two forums to repair something is a very bad idea. Steps given by each could conflict and cause more problems than you have now. Since the malwarebytes' forum (which is excellent) requested the Combofix run then you are going to have to stick with them on this one through to the end and we can no longer offer assistance for this problem here.