
Author Topic: Explore.exe and services.exe virus - Windows XP...!!!  (Read 22518 times)


SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Explore.exe and services.exe virus - Windows XP...!!!
« Reply #15 on: December 13, 2010, 04:59:37 PM »
Quote
As for the SUPERAntiSpyware files detected, are they removed completely?
Of those detected the following are still present in quarantine:

   C:\Documents and Settings\ADMIN\Cookies\admin@atdmt[2].txt
   C:\Documents and Settings\ADMIN\Cookies\admin@doubleclick[1].txt
   C:\Documents and Settings\ADMIN\Cookies\[email protected][2].txt
   C:\Documents and Settings\ADMIN\Cookies\[email protected][2].txt

You can delete them but if you do a complete reformat, they will be removed.

Quote
Also, when I re-installed my current XP I tried installing the driver for my Ethernet adapter but received the message "cannot find any inf files".
Another member here mentioned this could be due to a bad CD-ROM drive. Is there any way to tell before installing again so I don't encounter this same issue? And is it necessary to back up anything other than personal files, such as drivers?
 
If you're installing a new OS, all the necessary drivers will be installed.
Windows 8 and Windows 10 dual boot with two SSD's

Rezinus

    Topic Starter


    Rookie

    Re: Explore.exe and services.exe virus - Windows XP...!!!
    « Reply #16 on: December 13, 2010, 05:30:17 PM »
    Sounds good.

    And thanks again for your kind help!

    Rezinus

      Topic Starter


      Rookie

      Re: Explore.exe and services.exe virus - Windows XP...!!!
      « Reply #17 on: December 13, 2010, 08:50:53 PM »
      ...

      Rezinus

        Topic Starter


        Rookie

        Re: Explore.exe and services.exe virus - Windows XP...!!!
        « Reply #18 on: December 14, 2010, 04:32:00 PM »
        SuperDave -

        My PC is running fairly well now, however I ran ComboFix again and it said it detected the same rootkit activity. Is this normal?


        I am going to keep this OS for now as well, as it is running smoother.
        Can you assist me with resting my configurations etc.? My Malwarebytes' won't autostart, and I am still getting a recovery console boot screen that I would like to remove if possible.

        SuperDave

        Re: Explore.exe and services.exe virus - Windows XP...!!!
        « Reply #19 on: December 14, 2010, 05:00:36 PM »
        Quote
        I ran ComboFix again and it said it detected the same rootkit activity. Is this normal?
        Please post the log.

        Quote
        My Malwarebytes' won't autostart
        The free version won't autostart. You have to initiate the scans yourself. Only the paid version is full-time protection.

        Quote
        recovery console boot screen that I would like to remove if possible
        I'm not sure what you mean by this.
        Windows 8 and Windows 10 dual boot with two SSD's

        Rezinus

          Topic Starter


          Rookie

          Re: Explore.exe and services.exe virus - Windows XP...!!!
          « Reply #20 on: December 14, 2010, 05:23:06 PM »
          When I first downloaded ComboFix, it asked to install a recovery console which added an extra screen at startup that appears for 2 seconds, then continues to boot normally.


          Also, I have a boot.bak file in my C:\ drive folder which wasn't there before. Is it necessary, and how do I get rid of it?


          Here is the latest combofix log:

          ComboFix 10-12-13.02 - ADMIN 12/13/2010  20:43:30.3.1 - x86
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.735.526 [GMT -8:00]
          Running from: c:\documents and settings\ADMIN\Desktop\ComboFix.exe
          AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
           * Resident AV is active

          .

          (((((((((((((((((((((((((   Files Created from 2010-11-14 to 2010-12-14  )))))))))))))))))))))))))))))))
          .

          2010-12-03 21:34 . 2010-12-03 21:34   --------   d-----r-   C:\MSOCache
          2010-12-03 03:23 . 2010-12-03 03:23   --------   d-----w-   C:\S3Graphics

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-09-18 20:23 . 2008-04-14 12:00   974848   ----a-w-   c:\windows\system32\mfc42u.dll
          2010-09-18 06:53 . 2008-04-14 12:00   974848   ----a-w-   c:\windows\system32\mfc42.dll
          2010-09-18 06:53 . 2008-04-14 12:00   954368   ----a-w-   c:\windows\system32\mfc40.dll
          2010-09-18 06:53 . 2008-04-14 12:00   953856   ----a-w-   c:\windows\system32\mfc40u.dll
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "VTPreset"="VTPreset.exe" [2004-02-25 45056]
          "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-06-24 2202704]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
          2010-11-24 19:40   42320   ----a-w-   c:\program files\AOL Desktop 9.6\aol.exe

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
          "Google Update"="c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
          "AOL Fast Start"="c:\program files\AOL Desktop 9.6\AOL.EXE" -b

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
          "AudioDeck"=c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe 1
          "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
          "HostManager"=c:\program files\Common Files\AOL\1291349301\ee\AOLSoftware.exe
          "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
          "c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
          "c:\\Program Files\\Common Files\\AOL\\1291349301\\ee\\aolsoftware.exe"=
          "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
          "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
          "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
          "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

          R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/28/2010 8:17 AM 114984]
          R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6/24/2010 9:27 AM 95896]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
          R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6/24/2010 9:27 AM 810144]
          R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2010 11:18 AM 363344]
          R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [11/23/2010 8:13 AM 1483072]
          R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2010 11:18 AM 20952]
          R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
          UxTuneUp
          .
          Contents of the 'Scheduled Tasks' folder

          2010-12-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1078081533-1177238915-1003Core.job
          - c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-04 06:48]

          2010-12-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1078081533-1177238915-1003UA.job
          - c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-04 06:48]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.yahoo.com/
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
          FF - ProfilePath - c:\documents and settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\8ymy8l6l.default\
          FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
          FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
          FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
          FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
          FF - user.js: nglayout.initialpaint.delay - 600
          FF - user.js: content.notify.interval - 600000
          FF - user.js: content.max.tokenizing.time - 1800000
          FF - user.js: content.switch.threshold - 600000
          .

          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-12-13 20:47
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------

          [HKEY_USERS\S-1-5-21-1614895754-1078081533-1177238915-1003\Software\Microsoft\SystemCertificates\AddressBook*]
          @Allowed: (Read) (RestrictedCode)
          @Allowed: (Read) (RestrictedCode)

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
          @Denied: (A 2) (Everyone)
          @="FlashBroker"
          "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
          "Enabled"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
          @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
          @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
          @Denied: (A 2) (Everyone)
          @="IFlashBroker4"

          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
          @="{00020424-0000-0000-C000-000000000046}"

          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
          @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
          "Version"="1.0"
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(656)
          c:\program files\SUPERAntiSpyware\SASWINLO.DLL
          c:\windows\system32\WININET.dll
          .
          Completion time: 2010-12-13  20:50:07
          ComboFix-quarantined-files.txt  2010-12-14 04:50

          Pre-Run: 70,897,635,328 bytes free
          Post-Run: 70,916,878,336 bytes free

          - - End Of File - - 1DB66DA4F8A3240708A0E2400D8D0321

          SuperDave

          Re: Explore.exe and services.exe virus - Windows XP...!!!
          « Reply #21 on: December 15, 2010, 07:15:20 PM »
          Quote
          however I ran ComboFix again and it said it detected the same rootkit activity.
          There is no sign of rootkit activity in any of the scans we did.

          Quote
          it asked to install a recovery console which added an extra screen at startup that appears for 2 seconds,
          This is the way it's supposed to work. It's there to allow you to use the Recovery Console to make repairs to your computer. If you have your OS disk, you can remove the Recovery Console by following these instructions.

          Quote
          I have a boot.bak file in my C:\ drive folder which wasn't there before
          I don't see it in the ComboFix log. Perhaps this scan will find it.

          Download DDS from HERE or HERE and save it to your desktop.

          * Vista users: right-click on dds and select Run as administrator (you will receive a UAC prompt; please allow it).
          * XP users: double-click on dds to run it.
          * If your antivirus or firewall tries to block DDS, please allow it to run.
          * When finished DDS will open two (2) logs.

          1) DDS.txt
          2) Attach.txt

          * Save both logs to your desktop.
          * Please copy and paste the entire contents of both logs in your next reply.

          Note: DDS will instruct you to post the Attach.txt log as an attachment.
          Please just post it as you would any other log by copy and pasting it into the reply.
          Windows 8 and Windows 10 dual boot with two SSD's
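
Looking through a scan log for one named file, as in the reply above, can be scripted. This is an added example, not part of the original thread and not code from ComboFix or DDS: a Python parser for the file-listing rows of both log layouts posted in this topic, which goes slightly beyond the single lookup by also flagging hidden+system entries in a drive root. The attribute-letter meanings and all function names are assumptions; the sample rows are copied from the logs in this thread except the one marked constructed.

```python
import ntpath  # Windows path rules, regardless of the host OS
import re
from dataclasses import dataclass
from typing import Optional

# Attribute column as printed in the listings, e.g. "d-sha-r-".
# ASSUMPTION: letter meanings are inferred from the logs in this thread.
ATTR_FLAGS = {"d": "directory", "c": "compressed", "s": "system",
              "h": "hidden", "a": "archive", "r": "read-only", "w": "writable"}

# ComboFix rows carry two timestamps joined by " . "; DDS rows carry one
# timestamp with seconds. Directories show eight dashes in the size column.
LINE_RE = re.compile(r"""^\s*
    (?P<ts>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}(?::\d{2})?)
    (?:\s\.\s(?P<ts2>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}))?
    \s+(?P<size>\d+|-{8})
    \s+(?P<attrs>[a-z-]{8})
    \s+(?P<path>[A-Za-z]:\\.*\S)\s*$""", re.VERBOSE)


@dataclass(frozen=True)
class Entry:
    ts: str                 # first timestamp on the row
    ts2: Optional[str]      # second timestamp (ComboFix layout only)
    size: Optional[int]     # None when the size column is dashes
    attrs: frozenset        # decoded attribute names
    path: str


def parse_listing(text):
    """Return an Entry for every file-listing row; ignore all other lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banners, blank lines, registry output, etc.
        size = None if m["size"].startswith("-") else int(m["size"])
        attrs = frozenset(ATTR_FLAGS.get(ch, ch) for ch in m["attrs"] if ch != "-")
        entries.append(Entry(m["ts"], m["ts2"], size, attrs, m["path"]))
    return entries


def find_by_name(entries, name):
    """Case-insensitive match on the final path component."""
    wanted = name.lower()
    return [e for e in entries if ntpath.basename(e.path).lower() == wanted]


def hidden_system_in_root(entries):
    """Entries sitting directly in a drive root with both hidden and system set."""
    hits = []
    for e in entries:
        parent_tail = ntpath.splitdrive(ntpath.dirname(e.path))[1]
        if parent_tail in ("", "\\") and {"hidden", "system"} <= e.attrs:
            hits.append(e)
    return hits


# Rows copied from the ComboFix and DDS logs in this thread.
THREAD_LINES = r"""
(((((   Files Created from 2010-11-14 to 2010-12-14  )))))
2010-12-03 21:34 . 2010-12-03 21:34   --------   d-----r-   C:\MSOCache
2010-12-03 03:23 . 2010-12-03 03:23   --------   d-----w-   C:\S3Graphics
2010-09-18 20:23 . 2008-04-14 12:00   974848   ----a-w-   c:\windows\system32\mfc42u.dll
2010-12-10 23:56:54   --------   d-sha-r-   C:\cmdcons
2010-12-03 06:07:34   2189952   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
"""

# CONSTRUCTED row (timestamp, size and attributes invented) to show a hit.
CONSTRUCTED_LINE = r"2010-12-10 23:56:54   512   ---ha-w-   C:\boot.bak"

if __name__ == "__main__":
    entries = parse_listing(THREAD_LINES)
    print("boot.bak in thread rows:", find_by_name(entries, "boot.bak"))
    for e in hidden_system_in_root(entries):
        print("hidden+system in root:", e.path, sorted(e.attrs))
    with_hit = parse_listing(THREAD_LINES + "\n" + CONSTRUCTED_LINE)
    print("with constructed row:", [e.path for e in find_by_name(with_hit, "boot.bak")])
```
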

          Rezinus

            Topic Starter


            Rookie

            Re: Explore.exe and services.exe virus - Windows XP...!!!
            « Reply #22 on: December 16, 2010, 01:48:31 PM »
            I have tried to do the steps for removing Recovery Console without any luck.

            I tried to attach a screenshot for you to see the object boot.bak but the file was too large.



            Here is the log for DDS.txt:


            DDS (Ver_10-12-12.02) - NTFSx86 
            Run by ADMIN at 12:29:59.17 on Thu 12/16/2010
            Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.735.335 [GMT -8:00]

            AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

            ============== Running Processes ===============

            C:\WINDOWS\system32\svchost -k DcomLaunch
            svchost.exe
            C:\WINDOWS\System32\svchost.exe -k netsvcs
            svchost.exe
            svchost.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\system32\spoolsv.exe
            C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
            C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
            C:\WINDOWS\system32\ctfmon.exe
            svchost.exe
            C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
            C:\Program Files\Java\jre6\bin\jqs.exe
            C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
            C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
            C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
            C:\Program Files\Mozilla Firefox\firefox.exe
            C:\WINDOWS\system32\taskmgr.exe
            C:\Documents and Settings\ADMIN\Desktop\dds.scr

            ============== Pseudo HJT Report ===============

            uStart Page = hxxp://www.yahoo.com/
            BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
            BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
            BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
            BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
            uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
            mRun: [VTPreset] VTPreset.exe
            mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
            mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
            IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
            IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
            IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
            IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
            DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
            DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
            DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
            Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
            Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
            SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
            SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
            SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

            ================= FIREFOX ===================

            FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\8ymy8l6l.default\
            FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
            FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
            FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
            FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
            FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
            FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff

            ---- FIREFOX POLICIES ----
            FF - user.js: nglayout.initialpaint.delay - 600
            FF - user.js: content.notify.interval - 600000
            FF - user.js: content.max.tokenizing.time - 1800000
            FF - user.js: content.switch.threshold - 600000

            ============= SERVICES / DRIVERS ===============

            R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-4-28 114984]
            R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-6-24 95896]
            R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
            R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
            R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-6-24 810144]
            R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-14 363344]
            R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2010-11-23 1483072]
            R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-14 20952]
            R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-7 10064]
            S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-12-14 27064]

            =============== Created Last 30 ================

            2010-12-15 23:20:35   --------   d-----w-   c:\program files\Windows Media Connect 2
            2010-12-15 04:21:54   421888   ----a-w-   c:\windows\system32\ac3filter.acm
            2010-12-15 04:21:46   --------   d-----w-   c:\program files\XP Codec Pack
            2010-12-15 00:45:58   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2010-12-15 00:45:53   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2010-12-15 00:45:53   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2010-12-15 00:25:36   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\VS Revo Group
            2010-12-15 00:25:25   27064   ----a-w-   c:\windows\system32\drivers\revoflt.sys
            2010-12-15 00:25:22   --------   d-----w-   c:\program files\VS Revo Group
            2010-12-14 23:37:39   --------   d-----w-   c:\documents and settings\admin\Shared
            2010-12-14 23:37:39   --------   d-----w-   c:\documents and settings\admin\Incomplete
            2010-12-14 23:36:54   --------   d-----w-   c:\docume~1\admin\applic~1\MP3Rocket
            2010-12-14 23:36:52   --------   d-----w-   c:\program files\MP3 Rocket
            2010-12-14 22:06:36   73728   ----a-w-   c:\windows\system32\javacpl.cpl
            2010-12-14 00:26:37   --------   d-----w-   c:\windows\system32\appmgmt
            2010-12-13 20:42:23   --------   d--h--w-   c:\windows\system32\GroupPolicy
            2010-12-11 00:03:49   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\ESET
            2010-12-10 23:56:54   --------   d-sha-r-   C:\cmdcons
            2010-12-09 23:50:01   --------   d-----w-   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
            2010-12-09 23:50:01   --------   d-----w-   c:\docume~1\admin\applic~1\SUPERAntiSpyware.com
            2010-12-09 23:49:36   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2010-12-08 23:10:15   --------   d-----w-   c:\program files\Lavalys
            2010-12-04 06:48:11   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\Google
            2010-12-03 21:43:27   33104   ----a-w-   c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
            2010-12-03 21:43:27   32592   ----a-w-   c:\windows\system32\msonpmon.dll
            2010-12-03 21:35:59   --------   d-----w-   c:\windows\SHELLNEW
            2010-12-03 21:35:30   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\Microsoft Help
            2010-12-03 19:18:32   --------   d-----w-   c:\docume~1\admin\applic~1\Malwarebytes
            2010-12-03 19:18:22   --------   d-----w-   c:\docume~1\alluse~1\applic~1\Malwarebytes
            2010-12-03 18:39:44   --------   d-----w-   c:\windows\system32\LogFiles
            2010-12-03 07:31:43   --------   d-----w-   c:\program files\Windows Media Player 11
            2010-12-03 06:24:15   --------   d-----w-   c:\windows\ie8updates
            2010-12-03 06:23:23   221184   ----a-w-   c:\windows\system32\wmpns.dll
            2010-12-03 06:18:04   602112   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
            2010-12-03 06:18:04   55296   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
            2010-12-03 06:18:02   247808   -c----w-   c:\windows\system32\dllcache\ieproxy.dll
            2010-12-03 06:18:02   12800   -c----w-   c:\windows\system32\dllcache\xpshims.dll
            2010-12-03 06:18:00   743424   -c----w-   c:\windows\system32\dllcache\iedvtool.dll
            2010-12-03 06:17:59   1991680   -c----w-   c:\windows\system32\dllcache\iertutil.dll
            2010-12-03 06:17:50   11080704   -c----w-   c:\windows\system32\dllcache\ieframe.dll
            2010-12-03 06:13:09   455680   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
            2010-12-03 06:07:35   2146304   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
            2010-12-03 06:07:34   2189952   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
            2010-12-03 06:07:32   2024448   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
            2010-12-03 06:07:23   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
            2010-12-03 06:04:42   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
            2010-12-03 06:04:42   272128   ------w-   c:\windows\system32\drivers\bthport.sys
            2010-12-03 06:01:33   --------   d-----w-   c:\windows\system32\PreInstall
            2010-12-03 06:01:31   --------   d--h--w-   c:\windows\$hf_mig$
            2010-12-03 05:47:17   --------   d-----w-   c:\program files\ESET
            2010-12-03 05:44:39   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\Temp
            2010-12-03 05:30:21   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\Adobe
            2010-12-03 05:13:42   --------   d-----w-   c:\program files\CCleaner
            2010-12-03 04:57:02   --------   d-----w-   c:\program files\Defraggler
            2010-12-03 04:31:43   31552   ----a-w-   c:\windows\system32\TURegOpt.exe
            2010-12-03 04:31:42   29504   ----a-w-   c:\windows\system32\uxtuneup.dll
            2010-12-03 04:31:33   --------   d-----w-   c:\docume~1\admin\applic~1\TuneUp Software
            2010-12-03 04:31:25   --------   d-----w-   c:\program files\TuneUp Utilities 2011
            2010-12-03 04:30:46   --------   d-----w-   c:\docume~1\alluse~1\applic~1\TuneUp Software
            2010-12-03 04:30:10   --------   d-sh--w-   c:\docume~1\alluse~1\applic~1\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
            2010-12-03 04:09:51   --------   d-----w-   c:\docume~1\admin\applic~1\AOL
            2010-12-03 04:09:24   58696   ----a-w-   c:\windows\system32\AOLParconLink.exe
            2010-12-03 04:08:47   33588   ----a-r-   c:\windows\system32\drivers\wanatw4.sys
            2010-12-03 04:08:35   --------   d-----w-   c:\docume~1\admin\locals~1\applic~1\AOL
            2010-12-03 04:08:15   --------   d-----w-   c:\program files\common files\AOL
            2010-12-03 04:08:14   --------   d-----w-   c:\program files\common files\aolshare
            2010-12-03 04:08:14   --------   d-----w-   c:\program files\AOL Desktop 9.6
            2010-12-03 04:01:34   472808   ----a-w-   c:\windows\system32\deployJava1.dll
            2010-12-03 04:01:34   472808   ----a-w-   c:\program files\mozilla firefox\plugins\npdeployJava1.dll
            2010-12-03 03:51:11   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
            2010-12-03 03:39:36   207488   ----a-r-   c:\windows\system32\drivers\vinyl97.sys
            2010-12-03 03:29:34   331184   ------w-   c:\windows\system32\difxapi.dll
            2010-12-03 03:29:34   --------   d-----w-   c:\program files\VIA
            2010-12-03 03:28:11   --------   d-----w-   c:\windows\system32\SoftwareDistribution
            2010-12-03 03:25:45   --------   d-----w-   c:\windows\system32\ReinstallBackups
            2010-12-03 03:25:41   --------   d-----w-   c:\program files\S3
            2010-12-03 03:23:53   306688   ----a-w-   c:\windows\IsUninst.exe
            2010-12-03 03:23:44   --------   d-----w-   c:\documents and settings\admin\WINDOWS
            2010-12-03 03:23:42   --------   d-----w-   C:\S3Graphics
            2010-12-03 03:18:38   --------   d-----w-   c:\program files\Driver-Soft
            2010-12-03 03:03:33   --------   d-sh--w-   c:\documents and settings\admin\IECompatCache
            2010-12-03 03:02:33   --------   d-sh--w-   c:\documents and settings\admin\PrivacIE
            2010-12-03 03:01:03   --------   d-sh--w-   c:\documents and settings\admin\IETldCache

            ==================== Find3M  ====================

            2010-11-24 19:40:53   499712   ----a-w-   c:\windows\system32\msvcp71.dll
            2010-11-24 19:40:53   348160   ----a-w-   c:\windows\system32\msvcr71.dll
            2010-11-18 18:12:44   81920   ----a-w-   c:\windows\system32\isign32.dll
            2010-11-06 00:26:58   916480   ----a-w-   c:\windows\system32\wininet.dll
            2010-11-06 00:26:58   43520   ----a-w-   c:\windows\system32\licmgr10.dll
            2010-11-06 00:26:58   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
            2010-11-03 12:25:54   385024   ----a-w-   c:\windows\system32\html.iec
            2010-10-28 13:13:22   290048   ----a-w-   c:\windows\system32\atmfd.dll
            2010-10-26 13:25:00   1853312   ----a-w-   c:\windows\system32\win32k.sys
            2010-09-18 20:23:26   974848   ----a-w-   c:\windows\system32\mfc42u.dll
            2010-09-18 06:53:25   974848   ----a-w-   c:\windows\system32\mfc42.dll
            2010-09-18 06:53:25   954368   ----a-w-   c:\windows\system32\mfc40.dll
            2010-09-18 06:53:25   953856   ----a-w-   c:\windows\system32\mfc40u.dll

            ============= FINISH: 12:31:09.81 ===============





            Attach.txt:


            UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
            IF REQUESTED, ZIP IT UP & ATTACH IT

            DDS (Ver_10-12-12.02)

            Microsoft Windows XP Professional
            Boot Device: \Device\HarddiskVolume1
            Install Date: 12/2/2010 6:30:51 PM
            System Uptime: 12/16/2010 7:30:36 AM (5 hours ago)

            Motherboard:   |  | P4M266A-8235
            Processor:               Intel(R) Pentium(R) 4 CPU 2.40GHz | Socket 478 | 2405/133mhz

            ==== Disk Partitions =========================

            A: is Removable
            C: is FIXED (NTFS) - 75 GiB total, 64.175 GiB free.
            D: is CDROM ()
            E: is Removable

            ==== Disabled Device Manager Items =============

            Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
            Description: EPSON Scanner
            Device ID: USB\VID_04B8&PID_0839&MI_00\6&296D8F17&0&0000
            Manufacturer:
            Name: EPSON Scanner
            PNP Device ID: USB\VID_04B8&PID_0839&MI_00\6&296D8F17&0&0000
            Service:

            ==== System Restore Points ===================

            RP1: 12/13/2010 9:07:18 PM - System Checkpoint
            RP2: 12/14/2010 2:00:23 PM - Removed Java(TM) 6 Update 22
            RP3: 12/14/2010 2:06:14 PM - Installed Java(TM) 6 Update 23
            RP4: 12/14/2010 2:47:49 PM - Software Distribution Service 3.0
            RP5: 12/14/2010 4:35:29 PM - Revo Uninstaller Pro's restore point - Ask Toolbar
            RP6: 12/14/2010 4:36:03 PM - Removed Ask Toolbar.
            RP7: 12/14/2010 4:36:33 PM - Revo Uninstaller Pro's restore point - Malwarebytes' Anti-Malware
            RP8: 12/15/2010 3:17:31 PM - Software Distribution Service 3.0
            RP9: 12/15/2010 3:53:23 PM - Software Distribution Service 3.0
            RP10: 12/15/2010 3:59:34 PM - Software Distribution Service 3.0

            ==== Installed Programs ======================

            Adobe AIR
            Adobe Flash Player 10 ActiveX
            Adobe Flash Player 10 Plugin
            Adobe Reader X
            AOL Uninstaller (Choose which Products to Remove)
            CCleaner
            Defraggler
            Driver Genius Professional Edition
            ESET NOD32 Antivirus
            EVEREST Ultimate Edition v5.50
            Google Chrome
            Hotfix for Windows Media Format 11 SDK (KB929399)
            Hotfix for Windows Media Player 11 (KB939683)
            Hotfix for Windows XP (KB2158563)
            Hotfix for Windows XP (KB2443685)
            Hotfix for Windows XP (KB952287)
            Java Auto Updater
            Java(TM) 6 Update 23
            Malwarebytes' Anti-Malware
            Microsoft Compression Client Pack 1.0 for Windows XP
            Microsoft Office Access MUI (English) 2007
            Microsoft Office Access Setup Metadata MUI (English) 2007
            Microsoft Office Enterprise 2007
            Microsoft Office Excel MUI (English) 2007
            Microsoft Office Groove MUI (English) 2007
            Microsoft Office Groove Setup Metadata MUI (English) 2007
            Microsoft Office InfoPath MUI (English) 2007
            Microsoft Office OneNote MUI (English) 2007
            Microsoft Office Outlook MUI (English) 2007
            Microsoft Office PowerPoint MUI (English) 2007
            Microsoft Office Proof (English) 2007
            Microsoft Office Proof (French) 2007
            Microsoft Office Proof (Spanish) 2007
            Microsoft Office Proofing (English) 2007
            Microsoft Office Publisher MUI (English) 2007
            Microsoft Office Shared MUI (English) 2007
            Microsoft Office Shared Setup Metadata MUI (English) 2007
            Microsoft Office Word MUI (English) 2007
            Microsoft Software Update for Web Folders  (English) 12
            Microsoft User-Mode Driver Framework Feature Pack 1.0
            Microsoft VC9 runtime libraries
            Mozilla Firefox (3.6.12)
            MP3 Rocket
            Platform
            ProSavageDDR and Utilities
            Revo Uninstaller Pro 2.5.0
            S3Display
            S3Gamma2
            S3Info2
            S3Overlay
            Security Update for Windows Internet Explorer 8 (KB2360131)
            Security Update for Windows Internet Explorer 8 (KB2416400)
            Security Update for Windows Internet Explorer 8 (KB971961)
            Security Update for Windows Internet Explorer 8 (KB981332)
            Security Update for Windows Media Player (KB2378111)
            Security Update for Windows Media Player (KB952069)
            Security Update for Windows Media Player (KB954155)
            Security Update for Windows Media Player (KB973540)
            Security Update for Windows Media Player (KB975558)
            Security Update for Windows Media Player (KB978695)
            Security Update for Windows Media Player 11 (KB954154)
            Security Update for Windows XP (KB2079403)
            Security Update for Windows XP (KB2115168)
            Security Update for Windows XP (KB2121546)
            Security Update for Windows XP (KB2229593)
            Security Update for Windows XP (KB2259922)
            Security Update for Windows XP (KB2279986)
            Security Update for Windows XP (KB2286198)
            Security Update for Windows XP (KB2296011)
            Security Update for Windows XP (KB2296199)
            Security Update for Windows XP (KB2347290)
            Security Update for Windows XP (KB2360937)
            Security Update for Windows XP (KB2387149)
            Security Update for Windows XP (KB2423089)
            Security Update for Windows XP (KB2436673)
            Security Update for Windows XP (KB2440591)
            Security Update for Windows XP (KB2443105)
            Security Update for Windows XP (KB923561)
            Security Update for Windows XP (KB941569)
            Security Update for Windows XP (KB946648)
            Security Update for Windows XP (KB950762)
            Security Update for Windows XP (KB950974)
            Security Update for Windows XP (KB951376-v2)
            Security Update for Windows XP (KB951748)
            Security Update for Windows XP (KB952004)
            Security Update for Windows XP (KB952954)
            Security Update for Windows XP (KB954459)
            Security Update for Windows XP (KB956572)
            Security Update for Windows XP (KB956744)
            Security Update for Windows XP (KB956802)
            Security Update for Windows XP (KB956803)
            Security Update for Windows XP (KB956844)
            Security Update for Windows XP (KB958644)
            Security Update for Windows XP (KB958869)
            Security Update for Windows XP (KB959426)
            Security Update for Windows XP (KB960803)
            Security Update for Windows XP (KB960859)
            Security Update for Windows XP (KB961501)
            Security Update for Windows XP (KB969059)
            Security Update for Windows XP (KB970430)
            Security Update for Windows XP (KB971657)
            Security Update for Windows XP (KB972270)
            Security Update for Windows XP (KB973507)
            Security Update for Windows XP (KB973869)
            Security Update for Windows XP (KB973904)
            Security Update for Windows XP (KB974112)
            Security Update for Windows XP (KB974318)
            Security Update for Windows XP (KB974392)
            Security Update for Windows XP (KB974571)
            Security Update for Windows XP (KB975025)
            Security Update for Windows XP (KB975467)
            Security Update for Windows XP (KB975560)
            Security Update for Windows XP (KB975562)
            Security Update for Windows XP (KB975713)
            Security Update for Windows XP (KB977816)
            Security Update for Windows XP (KB977914)
            Security Update for Windows XP (KB978037)
            Security Update for Windows XP (KB978338)
            Security Update for Windows XP (KB978542)
            Security Update for Windows XP (KB978601)
            Security Update for Windows XP (KB978706)
            Security Update for Windows XP (KB979309)
            Security Update for Windows XP (KB979482)
            Security Update for Windows XP (KB979687)
            Security Update for Windows XP (KB980195)
            Security Update for Windows XP (KB980232)
            Security Update for Windows XP (KB980436)
            Security Update for Windows XP (KB981322)
            Security Update for Windows XP (KB981852)
            Security Update for Windows XP (KB981957)
            Security Update for Windows XP (KB981997)
            Security Update for Windows XP (KB982132)
            Security Update for Windows XP (KB982214)
            Security Update for Windows XP (KB982665)
            SUPERAntiSpyware
            TuneUp Utilities 2011
            TuneUp Utilities Language Pack (en-US)
            Update for Windows Internet Explorer 8 (KB976662)
            Update for Windows XP (KB2141007)
            Update for Windows XP (KB2345886)
            Update for Windows XP (KB2467659)
            Update for Windows XP (KB898461)
            Update for Windows XP (KB951978)
            Update for Windows XP (KB955759)
            Update for Windows XP (KB967715)
            Update for Windows XP (KB968389)
            Update for Windows XP (KB971737)
            Update for Windows XP (KB973687)
            Update for Windows XP (KB973815)
            VIA Platform Device Manager
            WebFldrs XP
            Windows Genuine Advantage Notifications (KB905474)
            Windows Genuine Advantage Validation Tool (KB892130)
            Windows Internet Explorer 8
            Windows Media Format 11 runtime
            Windows Media Player 11
            Winrar 3.93
            XP Codec Pack

            ==== Event Viewer Messages From Past Week ========

            12/15/2010 3:21:17 PM, error: Windows Update Agent [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Media Player 11.
            12/15/2010 3:02:00 PM, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
            12/15/2010 3:02:00 PM, error: SideBySide [59]  - Generate Activation Context failed for C:\Program Files\MP3 Rocket\lib\jacob-1.14.1-x86.dll. Reference error message: The operation completed successfully. .
            12/15/2010 3:02:00 PM, error: SideBySide [32]  - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

            ==== End Of File ===========================

            SuperDave

            Re: Explore.exe and services.exe virus - Windows XP...!!!
            « Reply #23 on: December 17, 2010, 01:38:26 PM »
            I can't see anything amiss in the logs.

            Download Dr.Web CureIt to the desktop:
            Dr WebCureIt
            • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
            • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
            • Once the short scan has finished, just let it cure whatever it finds...

              o Now, go to Settings >> Change Settings
              o Go to Actions tab >> under Objects section, change the settings to below
              Infected objects - Cure
              Incurable objects - Report
              Suspicious objects - Report
              o Don't change any other settings
            • Start the scan again. This time, choose Complete Scan
            • Click the green arrow button at the right, and the scan will start.
            • After the scan has finished, click Select all
            • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
            • When the scan has finished, in the menu, click File and choose Save report list
            • Save the report to your Desktop. The report will be called DrWeb.csv
            • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..

            Rezinus


              Re: Explore.exe and services.exe virus - Windows XP...!!!
              « Reply #24 on: December 17, 2010, 01:58:10 PM »
              SuperDave -

              I wasn't able to open the link provided, is there an alternative download location?
              Thanks

              SuperDave

              Re: Explore.exe and services.exe virus - Windows XP...!!!
              « Reply #25 on: December 17, 2010, 05:22:41 PM »
              Sorry. Try this one.

              Download Dr.Web CureIt to the desktop:
              Dr WebCureIt
              • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
              • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
              • Once the short scan has finished, just let it cure whatever it finds...

                o Now, go to Settings >> Change Settings
                o Go to Actions tab >> under Objects section, change the settings to below
                Infected objects - Cure
                Incurable objects - Report
                Suspicious objects - Report
                o Don't change any other settings
              • Start the scan again. This time, choose Complete Scan
              • Click the green arrow button at the right, and the scan will start.
              • After the scan has finished, click Select all
              • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
              • When the scan has finished, in the menu, click File and choose Save report list
              • Save the report to your Desktop. The report will be called DrWeb.csv
              • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..
              « Last Edit: December 19, 2010, 01:21:21 PM by SuperDave »

              Rezinus


                Re: Explore.exe and services.exe virus - Windows XP...!!!
                « Reply #26 on: December 17, 2010, 10:33:22 PM »
                SuperDave -

                That link didn't work for me either.

                SuperDave

                Re: Explore.exe and services.exe virus - Windows XP...!!!
                « Reply #27 on: December 18, 2010, 01:15:03 PM »
                Quote
                That link didn't work for me either.
                Darn! I even tried it before I posted it and it worked.

                I'd like to scan your machine with ESET OnlineScan

                • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                ESET OnlineScan
                • Click the button.
                • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                • Click on to download the ESET Smart Installer. Save it to your desktop.
                • Double click on the icon on your desktop.
                • Check
                • Click the button.
                • Accept any security warnings from your browser.
                • Check
                • Push the Start button.
                • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                • When the scan completes, push
                • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                • Push the button.
                • Push
                A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


                Rezinus


                  Re: Explore.exe and services.exe virus - Windows XP...!!!
                  « Reply #28 on: December 20, 2010, 11:09:07 AM »
                  SuperDave -

                  I have ESET NOD32 installed on my PC. Can I do a scan with that, or should I use the link you provided?

                  Also, how do I remove DDS from my desktop? Do I just delete it?
                  Thanks
                  Rez

                  SuperDave

                  Re: Explore.exe and services.exe virus - Windows XP...!!!
                  « Reply #29 on: December 20, 2010, 04:47:22 PM »
                  Quote
                  Also, how do I remove DDS from my desktop? Do I just delete it?
                  Yes. Any program on your desktop can just be deleted.
                  I would prefer that you use the ESET on-line scan as it is better because it's working from the outside.
                  It has come to my attention that you are currently seeking help at GeekPolice.net in this thread for the same computer and the same problem. This is not a very effective way to have your computer cleaned because I have no idea which tools the other helper told you to run and he has no idea which ones I asked you to use with possible disastrous results. This is one of the unwritten rules in malware cleaning.