16 replies to this topic

[RIZZIES]

Malware bytes found Files Detected: 1
C:\Windows\System32\DFDWiz.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
I ran another quick scan and nothing was found . SWhat should i do

[LDTate]

Please don't attach the scan results, use Copy/Paste

Logs will be closed if you haven't replied within 3 days


DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.


Please download DDS by sUBs from one of the following links and save it to your desktop.

• DDS.scr
  
• DDS.pif
• Disable any script blocking protection (How to Disable your Security Programs)
  
• Double click DDS icon to run the tool (may take up to 3 minutes to run)
  
• When done, DDS.txt will open.
  
• After a few moments, attach.txt will open in a second window.
  
• Save both reports to your desktop.

---------------------------------------------------

• Post the contents of the DDS.txt in your next reply

[RIZZIES]

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000
Run by Ronni at 19:05:57 on 2012-05-17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.2182 [GMT -4:00]
.
AV: CA Anti-Virus *Enabled/Updated* {57B5C44D-AAB5-DBC9-741B-542BE5A132EA}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://compaq-desktop.aol.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [cafw] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
TCP: Interfaces\{1D673272-229C-46B3-8E44-6A872B1F279B} : DhcpNameServer = 167.206.254.1 167.206.254.2
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: PFW - UmxWnp.Dll
.
============= SERVICES / DRIVERS ===============
.
R0 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-3-19 103952]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-3-21 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-3-21 45584]
R1 KmxFilter;HIPS Core Filter Driver;c:\windows\system32\drivers\KmxFilter.sys [2008-5-30 51704]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-11-14 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-11-14 21104]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-11-14 161008]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-11-14 144696]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-4 138744]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-3-21 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-4-15 281104]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-11-14 255312]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-5-30 88816]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-11-14 130280]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-29 253088]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 rcmirror;rcmirror;c:\windows\system32\drivers\rcmirror.sys [2008-10-8 3328]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-05-17 20:21:40 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{02da4321-59e3-4945-b569-16e7d842b74a}\offreg.dll
2012-05-17 20:19:15 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{02da4321-59e3-4945-b569-16e7d842b74a}\mpengine.dll
2012-04-30 02:46:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-30 02:46:22 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-15 18:51:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-23 14:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 19:06:27.05 ===============

[LDTate]

did you post the whole DDS log?

[RIZZIES]

Yes i posted the whole log
i even posted the dot on top of the log before dds
i have the attach log saved to my desktop also

[LDTate]

OK.
I'm not seeing anything bad but lets run another tool.



Please do not attach the scan results from Combofx. Use copy/paste.


Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")


Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  
  Note: If you have XP SP3, use the XP SP2 package.
  If Vista or Windows 7, skip the Recovery Console part
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

[RIZZIES]

I dont like the changes that combofix makes and am afraid to run it is there any other test I can do instead
I am running vista

[LDTate]

http://www.eset.eu/online-scanner
Go here to run an online scannner from ESET.
Click the green ESET Online Scanner button.
Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
Click on the Start button next to it.
You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Insall ActiveX component.
A new window will appear asking "Do you want to install this software?"".
Answer Yes to download and install the ActiveX controls that allows the scan to run.
Click Start.
Make sure that the option "Remove found threats" is Unchecked
Click Scan to begin.
If offered the option to get information or buy software. Just close the window.
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.

[RIZZIES]

scan archives and scan for potentially unsafe applications is not checked on eset.I will run it the way it is. If u want me to check these options please let me know.

[LDTate]

Check those items.
Run as instructed please

[RIZZIES]

I was running the scan before I got your reply.So i stopped and restarted the scan with those items checked. it said there were no threats . I wil post the log but it doesnt say anything about the full scan I ran only the first one.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251

[LDTate]

That looks good.
How's it running?

[RIZZIES]

seems to be running ok the only thing is the flash keeps getting stuck while i am playing farmville
otherwise i have no other problems

[LDTate]

What flash?

[RIZZIES]

when i switch farms on farmville it says the flashplayer is not running do u want to stop i click no and it starts working
i think it is the adobe flashplayer

[LDTate]

Can't really help with that other than suggesting you make sure your flash player is up to date

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!