News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
May 18, 2013, 14:09:34
linktree cexx.org - Support Forums  >  Spyware-Related Stuff  >  Spyware - Help!
linktree Topic: S.M.A.R.T. HDD
Pages: [1]   Go Down
« previous next »
  Print  
Topic: S.M.A.R.T. HDD  (Read 1699 times)
0 Members and 1 Guest are viewing this topic.
« on: April 12, 2012, 15:06:28 »
jerky Offline
Jr. Member

WWW 		**

Karma: 0
Posts: 64
Some program called SMART HDD just popped up om my computer and ran a diagnostic check (that I didn't ask for) and said my computer is in critical condition and offered to repair the problem. I know it's a scam but I can't delete the program ( I get an error message) and it doesn't appear in programs under the Control Panel....also not in the Programs file....my desk top has disappeared but I am still able to log on to Internet....all of the files in My Music have disappeared but My Pictures appear to still be there....any idea what this is and how to get rid of it...and how to see if it did any damage ?

Many thanks
Logged
« Reply #1 on: April 12, 2012, 22:28:13 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
First clear your Java cache as shown http://www.java.com/en/download/help/5000020300.xml
Then follow advice here and post the logs those programs make in your next reply to this topic
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #2 on: April 13, 2012, 10:37:38 »
jerky Offline
Jr. Member

WWW 		**

Karma: 0
Posts: 64
What advice here ? Not sure what that refers to...
I did clear the Java cache.


Sorry
Logged
« Reply #3 on: April 13, 2012, 11:09:11 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
follow the link under the here  and run the scans & post teh logs so we can help you
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #4 on: April 18, 2012, 16:43:09 »
jerky Offline
Jr. Member

WWW 		**

Karma: 0
Posts: 64
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by kgkight at 20:39:26 on 2012-04-18
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.501 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Softland\FBackup 4\fbaSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://blekkosearch.mystart.com/blekkotb_soc/?source=86adbc52&toolbarid=blekkotb_soc&u=2012041968BD4813AF83B2A3940CDE62&tbp=homepage
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: I Want This: {11111111-1111-1111-1111-110011221158} - c:\program files\i want this\I Want This.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Blekko search bar: {7d9e1adc-7db1-4eaf-b6c7-7e062074e6be} - c:\program files\blekkotb_soc\blekkotb_019X.dll
BHO: ALOT Appbar Helper: {85f5cf95-ec8f-49fc-bb3f-38c79455cba2} - c:\program files\alotappbar\bin\bho\ALOTHelperBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FreeWorkz Games: {d1ecd019-8423-43de-98d1-7892af2da309} - c:\program files\freeworkz\FreeWorkzIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: RebateRobot BHO: {fa3fedf6-1a34-4076-9f25-a26a2de6a401} - c:\program files\rebaterobot\RebateRobot.dll
TB: ALOT Appbar: {a531d99c-5a22-449b-83da-872725c6d0ed} - c:\program files\alotappbar\bin\ALOTHelper.dll
TB: Blekko search bar: {7d9e1adc-7db1-4eaf-b6c7-7e062074e6be} - c:\program files\blekkotb_soc\blekkotb_019X.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [FBackup Scheduler] "c:\program files\softland\fbackup 4\fbaSched.exe"
uRun: [cdloader] "c:\documents and settings\kgkight\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PC Speed Maximizer] "c:\program files\pc speed maximizer\SPMStarter.exe"
uRun: [SPMTray] "c:\program files\pc speed maximizer\SPMTray.exe"
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [avgnt] 220043003a005c00500072006f006700720061006d002000460069006c00650073005c00410076006900720061005c0041006e007400690056006900720020004400650073006b0074006f0070005c006100760067006e0074002e00650078006500220020002f006d0069006e000000
mRun: [Anti-phishing Domain Advisor] "c:\documents and settings\all users\application data\anti-phishing domain advisor\visicom_antiphishing.exe"
uPolicies-explorer: NoDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
IE: {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - {1FBA04EE-3024-11D2-8F1F-0000F87ABD16}   c:\program files\irfanview\ebay\ebay.htm - c:\program files\irfanview\ebay\ebay.htm\inprocserver32 does not exist!
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} - hxxp://pubgis.co.pinellas.fl.us/CFIDE/classes/CFJava.cab
DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} - hxxp://download.mcafee.com/molbin/Shared/MGBrwFld.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - hxxp://download.ebay.com/turbo_lister/US/install.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader57.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/14.22/uploader2.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129420743546
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {BC0AE9E6-E549-4554-A222-EA083A894683} - hxxp://a01-b01.mypicturetown.com/P2PwebCmdController/x/Upld_47.CAB
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
DPF: {C487F60B-59B9-47D9-BFDF-AB26786F8823} - hxxp://zone.msn.com/bingame/zpagames/zpa_stoo.cab62201.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
TCP: DhcpNameServer = 207.69.188.186 207.69.188.187
TCP: Interfaces\{387928BE-44A0-4D38-8967-FB146F39BE77} : DhcpNameServer = 207.69.188.186 207.69.188.187
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~3\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
.
============= SERVICES / DRIVERS ===============
.
R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2003-12-29 9344]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-2-9 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-2-9 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-2-9 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-2-9 74640]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2003-12-29 441728]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Bulk503;Chameleon Mega Digital Camera;
S3 ISO503;Chameleon Mega Video Camera;
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 vsdatant;vsdatant;
S3 WLNR;WLNR;
.
=============== Created Last 30 ================
.
2012-04-19 00:32:54   --------   d-----w-   c:\documents and settings\kgkight\application data\PC Speed Maximizer
2012-04-19 00:13:19   --------   d-----w-   c:\documents and settings\kgkight\application data\InfraRecorder
2012-04-19 00:13:09   --------   d-----w-   c:\program files\BurnToDisk
2012-04-19 00:12:48   --------   d-----w-   c:\program files\PC Speed Maximizer
2012-04-19 00:12:43   --------   d-----w-   c:\documents and settings\kgkight\local settings\application data\antiphishing-vmninternethelper1_1dn
2012-04-19 00:12:42   --------   d-----w-   c:\documents and settings\all users\application data\Anti-phishing Domain Advisor
2012-04-19 00:12:34   --------   d-----w-   c:\documents and settings\kgkight\local settings\application data\I Want This
2012-04-19 00:12:33   --------   d-----w-   c:\program files\I Want This
2012-04-19 00:12:27   --------   d-----w-   c:\documents and settings\all users\application data\blekko toolbars
2012-04-19 00:12:22   --------   d-----w-   c:\documents and settings\kgkight\application data\blekkotb_soc
2012-04-19 00:12:09   --------   d-----w-   c:\program files\blekkotb_soc
2012-04-18 18:41:59   326144   ---ha-w-   c:\documents and settings\all users\application data\VUOyWqOYGdRXu.exe
2012-04-17 06:32:24   56200   ---ha-w-   c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{73190e90-7c85-4906-91f8-3a07a42fd58a}\offreg.dll
2012-04-17 06:25:44   6582328   ---ha-w-   c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{73190e90-7c85-4906-91f8-3a07a42fd58a}\mpengine.dll
2012-04-12 21:45:43   221696   ---ha-w-   c:\documents and settings\all users\application data\5loqmR2jIGSkFC.exe
2012-04-12 21:40:10   300544   ---ha-w-   c:\documents and settings\all users\application data\NaDwLaiRnW.exe
2012-04-12 21:38:03   96296   --sh--w-   c:\documents and settings\kgkight\application data\dplaysvr.exe
2012-04-12 21:38:03   19456   --sh--w-   c:\documents and settings\kgkight\application data\dplayx.dll
2012-04-08 04:19:20   --------   d--h--w-   c:\program files\VideoLAN
2012-04-08 04:19:01   --------   d--h--w-   c:\program files\FreeWorkz
2012-04-08 04:18:52   --------   d--h--w-   c:\program files\alotappbar
2012-04-08 04:18:52   --------   d--h--w-   c:\documents and settings\kgkight\application data\alotappbar
2012-04-08 04:10:59   --------   d--h--w-   c:\program files\common files\DivX Shared
2012-04-08 04:09:49   --------   d--h--w-   c:\documents and settings\all users\application data\DivX
2012-04-04 05:53:56   182160   ---ha-w-   c:\program files\internet explorer\plugins\nppdf32.dll
2012-03-31 16:24:59   153041   ---ha-w-   c:\documents and settings\all users\SPL165.tmp
.
==================== Find3M  ====================
.
2012-03-01 11:01:32   916992   ---ha-w-   c:\windows\system32\wininet.dll
2012-03-01 11:01:32   43520   ---ha-w-   c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32   1469440   ---h--w-   c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16   177664   ---ha-w-   c:\windows\system32\wintrust.dll
2012-02-29 14:10:16   148480   ---ha-w-   c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40   385024   ---ha-w-   c:\windows\system32\html.iec
2012-02-23 13:18:36   237072   ---h--w-   c:\windows\system32\MpSigStub.exe
2012-02-14 01:27:04   499712   ---ha-w-   c:\windows\system32\msvcp71.dll
2012-02-14 01:27:04   348160   ---ha-w-   c:\windows\system32\msvcr71.dll
2012-02-07 15:02:40   1070352   ---ha-w-   c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22:18   1860096   ---ha-w-   c:\windows\system32\win32k.sys
2012-01-26 16:11:51   187776   ---ha-w-   c:\windows\system32\drivers\acpi.sys
2012-01-23 20:55:43   3116   ---ha-w-   c:\windows\system32\ASOROSet.bin
.
============= FINISH: 20:39:51.79 ===============
Logged
« Reply #5 on: April 18, 2012, 22:55:45 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully
Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

Download ComboFix from Here or Hereto your Desktop.
As you download it rename it to username123.exe


**Note:  It is important that it is saved directly to your desktop  and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus and  anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on renamed combofix.exe & follow the prompts.
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. 
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. 

Please tell us if it has cured the problems or if there are any outstanding issues
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #6 on: April 19, 2012, 08:19:45 »
jerky Offline
Jr. Member

WWW 		**

Karma: 0
Posts: 64
1. I cannot locate Combofix on my computer although I believe that I down loaded it a couple of months ago. This virus has removed my desktop so it doesn't appear there...I looked at the control panel and it was not listed as an active program.

2. I use Avira anti-virus but cannot figure out how to disable it because I cannot find it.
Logged
« Reply #7 on: April 19, 2012, 09:10:56 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
you need to download a new copy of combofix
if you can't save to desktop, then save it anywhere you can easily find it & run it
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #8 on: April 19, 2012, 14:57:39 »
jerky Offline
Jr. Member

WWW 		**

Karma: 0
Posts: 64
Derek...looks like my desktop is back !!! Here is the log.  Thanks



ComboFix 12-04-19.01 - kgkight 04/19/2012  18:18:28.4.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.501 [GMT -4:00]
Running from: c:\documents and settings\kgkight\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\5loqmR2jIGSkFC
c:\documents and settings\All Users\Application Data\5loqmR2jIGSkFC.exe
c:\documents and settings\All Users\Application Data\NaDwLaiRnW.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\SPL165.tmp
c:\documents and settings\kgkight\Application Data\dplaysvr.exe
c:\documents and settings\kgkight\Application Data\dplayx.dll
c:\windows\system32\dllcache\wmpvis.dll
.
.
(((((((((((((((((((((((((   Files Created from 2012-03-19 to 2012-04-19  )))))))))))))))))))))))))))))))
.
.
2012-04-19 00:32 . 2012-04-19 00:32   --------   d-----w-   c:\documents and settings\kgkight\Application Data\PC Speed Maximizer
2012-04-19 00:13 . 2012-04-19 00:36   --------   d-----w-   c:\documents and settings\kgkight\Application Data\InfraRecorder
2012-04-19 00:13 . 2012-04-19 00:13   --------   d-----w-   c:\program files\BurnToDisk
2012-04-19 00:12 . 2012-04-19 00:12   --------   d-----w-   c:\program files\PC Speed Maximizer
2012-04-19 00:12 . 2012-04-19 00:12   --------   d-----w-   c:\documents and settings\kgkight\Local Settings\Application Data\antiphishing-vmninternethelper1_1dn
2012-04-19 00:12 . 2012-04-19 00:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor
2012-04-19 00:12 . 2012-04-19 00:12   --------   d-----w-   c:\documents and settings\kgkight\Local Settings\Application Data\I Want This
2012-04-19 00:12 . 2012-04-19 00:12   --------   d-----w-   c:\program files\I Want This
2012-04-19 00:12 . 2012-04-19 00:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\blekko toolbars
2012-04-19 00:12 . 2012-04-19 00:12   --------   d-----w-   c:\documents and settings\kgkight\Application Data\blekkotb_soc
2012-04-19 00:12 . 2012-04-19 00:12   --------   d-----w-   c:\program files\blekkotb_soc
2012-04-18 18:41 . 2012-04-18 18:39   326144   ---ha-w-   c:\documents and settings\All Users\Application Data\VUOyWqOYGdRXu.exe
2012-04-17 06:32 . 2012-04-19 05:45   56200   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{73190E90-7C85-4906-91F8-3A07A42FD58A}\offreg.dll
2012-04-17 06:25 . 2012-03-14 02:15   6582328   ---ha-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{73190E90-7C85-4906-91F8-3A07A42FD58A}\mpengine.dll
2012-04-08 04:21 . 2012-04-08 04:21   --------   d--h--w-   c:\documents and settings\kgkight\Application Data\vlc
2012-04-08 04:19 . 2012-04-08 04:19   --------   d--h--w-   c:\program files\VideoLAN
2012-04-08 04:19 . 2012-04-08 04:19   --------   d--h--w-   c:\program files\FreeWorkz
2012-04-08 04:18 . 2012-04-08 04:18   --------   d--h--w-   c:\program files\alotappbar
2012-04-08 04:18 . 2012-04-08 04:18   --------   d--h--w-   c:\documents and settings\kgkight\Application Data\alotappbar
2012-04-08 04:11 . 2012-04-08 04:14   --------   d--h--w-   c:\documents and settings\kgkight\Application Data\DivX
2012-04-08 04:10 . 2012-04-08 04:12   --------   d--h--w-   c:\program files\Common Files\DivX Shared
2012-04-08 04:09 . 2012-04-08 04:13   --------   d--h--w-   c:\documents and settings\All Users\Application Data\DivX
2012-04-04 05:53 . 2012-04-04 05:53   182160   ---ha-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-14 02:15 . 2012-01-12 02:29   6582328   ---ha-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-03-01 11:01 . 2004-01-21 21:16   916992   ---ha-w-   c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2002-09-03 19:42   43520   ---ha-w-   c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2002-09-03 19:40   1469440   ---h--w-   c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2002-09-03 20:03   177664   ---ha-w-   c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2002-09-03 19:40   148480   ---ha-w-   c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 05:59   385024   ---ha-w-   c:\windows\system32\html.iec
2012-02-23 13:18 . 2012-01-12 02:29   237072   ---h--w-   c:\windows\system32\MpSigStub.exe
2012-02-15 23:07 . 2012-02-09 23:20   137416   ---ha-w-   c:\windows\system32\drivers\avipbb.sys
2012-02-14 01:27 . 2003-03-19 02:14   499712   ---ha-w-   c:\windows\system32\msvcp71.dll
2012-02-14 01:27 . 2003-02-21 08:42   348160   ---ha-w-   c:\windows\system32\msvcr71.dll
2012-02-07 15:02 . 2012-02-07 15:02   1070352   ---ha-w-   c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2002-09-03 20:03   1860096   ---ha-w-   c:\windows\system32\win32k.sys
2012-01-26 16:11 . 2002-09-03 19:32   187776   ---ha-w-   c:\windows\system32\drivers\acpi.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7d9e1adc-7db1-4eaf-b6c7-7e062074e6be}]
2012-03-14 19:42   85288   ----a-w-   c:\program files\blekkotb_soc\blekkotb_019X.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}]
2012-03-21 18:33   48488   ---ha-w-   c:\program files\alotappbar\bin\BHO\ALOTHelperBHO.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1ECD019-8423-43de-98D1-7892AF2DA309}]
2012-04-08 04:19   140288   ---ha-w-   c:\program files\FreeWorkz\FreeWorkzIE.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA3FEDF6-1A34-4076-9F25-A26A2DE6A401}]
2011-12-04 05:05   88576   ---ha-w-   c:\program files\RebateRobot\RebateRobot.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A531D99C-5A22-449b-83DA-872725C6D0ED}"= "c:\program files\alotappbar\bin\ALOTHelper.dll" [2012-03-21 48488]
"{7d9e1adc-7db1-4eaf-b6c7-7e062074e6be}"= "c:\program files\blekkotb_soc\blekkotb_019X.dll" [2012-03-14 85288]
.
[HKEY_CLASSES_ROOT\clsid\{a531d99c-5a22-449b-83da-872725c6d0ed}]
.
[HKEY_CLASSES_ROOT\clsid\{7d9e1adc-7db1-4eaf-b6c7-7e062074e6be}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FBackup Scheduler"="c:\program files\Softland\FBackup 4\fbaSched.exe" [2010-03-09 2013008]
"cdloader"="c:\documents and settings\kgkight\Application Data\mjusbsp\cdloader2.exe" [2011-08-23 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="220043003a005c00500072006f006700720061006d002000460069006c00650073005c00410076006900720061005c0041006e007400690056006900720020004400650073006b0074006f0070005c006100760067006e0074002e00650078006500220020002f006d0069006e000000" [X]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 118784]
"Anti-phishing Domain Advisor"="c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2011-07-29 217256]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10   843712   ---ha-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
2004-05-28 01:05   323584   ---h--w-   c:\program files\Common Files\Dell\EUSW\Support.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FBackup Scheduler]
2010-03-09 15:56   2013008   ---ha-w-   c:\program files\Softland\FBackup 4\fbaSched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 23:36   30040   ---ha-w-   c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdnamon]
2009-01-29 15:43   16040   ---ha-w-   c:\program files\Lexmark 2600 Series\lxdnamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-04-20 20:50   53248   ---h--w-   c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2004-04-20 20:50   118784   ---h--w-   c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-10-06 19:16   5058560   ---h--w-   c:\windows\SYSTEM32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 19:16   741376   ---h--w-   c:\windows\SYSTEM32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36   421888   ---ha-w-   c:\program files\QuickTime\QTTask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\frun.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\SYSTEM32\\lxdncoms.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdnjswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdntime.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\Documents and Settings\\kgkight\\Application Data\\mjusbsp\\magicJack.exe"=
.
R0 BsStor;InCD Storage Helper Driver;c:\windows\SYSTEM32\DRIVERS\bsstor.sys [12/29/2003 10:20 PM 9344]
R1 avkmgr;avkmgr;c:\windows\SYSTEM32\DRIVERS\avkmgr.sys [2/9/2012 7:20 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/9/2012 7:20 PM 86224]
R2 BsUDF;InCD UDF Driver;c:\windows\SYSTEM32\DRIVERS\bsudf.sys [12/29/2003 10:20 PM 441728]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 Bulk503;Chameleon Mega Digital Camera;
S3 ISO503;Chameleon Mega Video Camera;
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 WLNR;WLNR;
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper   REG_MULTI_SZ      getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-19 c:\windows\Tasks\fba_Daily Backup.job
- c:\program files\Softland\FBackup 4\fbaSchedStarter.exe [2010-04-16 15:56]
.
2012-04-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
2012-04-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-215539009-2608142635-1263807789-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
.
2012-04-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-215539009-2608142635-1263807789-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
.
2012-04-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-215539009-2608142635-1263807789-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
.
2012-04-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-215539009-2608142635-1263807789-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://blekkosearch.mystart.com/blekkotb_soc/?source=86adbc52&toolbarid=blekkotb_soc&u=2012041968BD4813AF83B2A3940CDE62&tbp=homepage
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 207.69.188.186 207.69.188.187
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab
DPF: {BC0AE9E6-E549-4554-A222-EA083A894683} - hxxp://a01-b01.mypicturetown.com/P2PwebCmdController/x/Upld_47.CAB
.
Supplementary scan did not complete!
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-PC Speed Maximizer - c:\program files\PC Speed Maximizer\SPMStarter.exe
HKCU-Run-SPMTray - c:\program files\PC Speed Maximizer\SPMTray.exe
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-19 18:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-04-19  18:54:03
ComboFix-quarantined-files.txt  2012-04-19 22:53
ComboFix2.txt  2012-01-27 18:55
.
.
Post-Run: 15,684,472,832 bytes free
.
- - End Of File - - 1DE6F33CF042909FA7115E29377CE76A
Logged
« Reply #9 on: April 19, 2012, 23:03:33 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
next
download & run this
http://download.bleepingcomputer.com/grinler/unhide.exe
then
Download the attached CFScript.txt  and save it to your  desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop  in the list of selections in that window & press save)
Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished
Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe or renamed combofix icon  as shown in the screenshot below.

 



 

This will start ComboFix again.  It may ask to reboot.  Post the contents of Combofix.txt in your next reply


Note: these instructions and script were created specifically for this user.  If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

This will create a zip file inside C:\QooBox\quarantine named something like  [38]-Submit_2008-01-17@17.50.zip 

at the end it will pop up an alert  & open your browser and  ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to  http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to  upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file  inside C:\QooBox\quarantine created by combofix named something like  [38]-Submit_2008-01-17@17.50.zip 

or to
http://www.bleepingcomputer.com/submit-malware.php?channel=38
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #10 on: August 02, 2012, 11:27:15 »
jerky Offline
Jr. Member

WWW 		**

Karma: 0
Posts: 64
I know this is an old thread, but I just realized that even tho this solved my problem I did not have my external haed drive plugged in... I just attempted to retrieve a file from the hard drive and realized that the files have disappeared...can we run thru this again ? And I'll connect the hard drive before I begin.

Thanks
Logged
« Reply #11 on: August 02, 2012, 11:38:08 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
plug in external & run unhide
then run combofix again
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
 
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by SMF 1.1.18 | SMF © 2013, Simple Machines Page created in 0.111 seconds with 19 queries.