
Author Topic: Next step? SAS and HJT apps can't load...  (Read 6645 times)


GrimAbbott

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Windows 7
    Next step? SAS and HJT apps can't load...
    « on: February 22, 2010, 09:47:41 AM »
    Avira found JAVA.dldr.agen.na.1 and another variant. IE is locked up and pop-up Security Warnings are making it impossible to get anything to run. The HJT exe won't run and the SuperAntiSpyware exe won't run, both start but terminate almost immediately. My AT&T Parental Controls app is locked up and I've pulled the network cable so this thing doesn't do even more damage.

    What now?

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Next step? SAS and HJT apps can't load...
    « Reply #1 on: February 22, 2010, 10:33:15 AM »
    Try not to restart the computer until one of the tools we use does it for you or tells you to.

    1) Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the next one.

    Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * When finished it will create a log.
    * Please post the rkill.log in the next reply.

    * If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.


    Once you've gotten one of them to run then try to immediately run the following.


    2) Download and run exeHelper

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Add the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).


    3) If you already have Malwarebytes be sure to update it before running the scan!

    Download Malwarebytes' Anti-Malware (MBAM)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to the following:

    * Update Malwarebytes' Anti-Malware
    * Launch Malwarebytes' Anti-Malware

    * Then click Finish
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    GrimAbbott

      Topic Starter


      Rookie

      • Experience: Beginner
      • OS: Windows 7
      Re: Next step? SAS and HJT apps can't load...
      « Reply #2 on: February 23, 2010, 01:10:29 AM »
      Unfortunately, none of the Rkill apps produced a log file. The DOS box would open, some text would briefly appear, then the box would close and the bogus Security Warning would pop up and say that some file (cmd.exe or pev.rkexe, for instance) was infected, asking me if I wanted to start the (bogus) AV application.

      The machine still has not been restarted since the problem first surfaced.

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Next step? SAS and HJT apps can't load...
      « Reply #3 on: February 23, 2010, 10:03:46 AM »
      Restart the computer into Safe Mode and try running them.

      GrimAbbott

        Topic Starter


        Rookie

        • Experience: Beginner
        • OS: Windows 7
        Re: Next step? SAS and HJT apps can't load...
        « Reply #4 on: February 27, 2010, 01:21:07 AM »
        Rkill.com ran after the computer was restarted in Safe Mode.

        rkill log as requested:

        This log file is located at C:\rkill.log.
        Please post this only if requested to by the person helping you.
        Otherwise you can close this log when you wish.
        Ran as Dad on 02/26/2010 at 23:55:45.


        Processes terminated by Rkill or while it was running:


        C:\Documents and Settings\Dad\Desktop\rkill.com


        Rkill completed on 02/26/2010  at 23:55:46.

        exeHelper log as requested:

        exeHelper by Raktor
        Build 20091220
        Run at 23:56:22 on 02/26/10
        Now searching...
        Checking for numerical processes...
        Checking for sysguard processes...
        Checking for bad processes...
        Checking for bad files...
        Checking for bad registry entries...
        Resetting filetype association for .exe
        Resetting filetype association for .com
        Resetting userinit and shell values...
        Resetting policies...
        --Finished--

        Malwarebytes log as requested:


        Malwarebytes' Anti-Malware 1.44
        Database version: 3510
        Windows 5.1.2600 Service Pack 3 (Safe Mode)
        Internet Explorer 8.0.6001.18702

        2/27/2010 12:10:02 AM
        mbam-log-2010-02-27 (00-10-02).txt

        Scan type: Quick Scan
        Objects scanned: 151375
        Time elapsed: 7 minute(s), 10 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 0
        Registry Values Infected: 0
        Registry Data Items Infected: 0
        Folders Infected: 0
        Files Infected: 0

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        (No malicious items detected)

        Registry Values Infected:
        (No malicious items detected)

        Registry Data Items Infected:
        (No malicious items detected)

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        (No malicious items detected)

        Malwarebytes could not update and gave an error message (screenshot in the attached jpeg file).

        Thank you.

        [Saving space, attachment deleted by admin]
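        The exeHelper log above shows what that tool actually resets: the .exe and .com file-type associations and the Winlogon Userinit and Shell values, which are the settings rogue "security warning" programs commonly hijack so that every other executable is intercepted before it runs. The Python below is an added example, not code from this thread or from exeHelper: it audits those values in a REGEDIT4-style export (the same text format the ComboFix log later in this thread uses) against their Windows XP defaults. It assumes Windows is installed in C:\WINDOWS, and the sample export is constructed; the path ending in fakeav_placeholder.exe is a placeholder, not a file from this thread.

```python
import re

# Windows XP defaults for the values that a rogue "security warning" program
# typically hijacks to intercept other executables (the values the exeHelper log
# above reports resetting). Assumes the default install path C:\WINDOWS.
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\comfile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"):
        r"C:\WINDOWS\system32\userinit.exe,",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"):
        "Explorer.exe",
}

# "@" (default value) or a quoted value name, then "=", then the data.
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s):
    """Undo .reg escaping: a backslash escapes the next character (doubled
    backslashes and escaped quotes are the two cases seen in exports)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse REGEDIT4-style export text into {(key, value_name): data}.
    Only string data is unquoted; dword:/hex: data is kept verbatim."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        entries[(key, name)] = data
    return entries


def audit(entries):
    """Compare parsed values with EXPECTED. Registry keys and value names are
    case-insensitive, so the comparison lowercases both sides."""
    lowered = {(k.lower(), n.lower()): v for (k, n), v in entries.items()}
    findings = []
    for (key, name), expected in EXPECTED.items():
        actual = lowered.get((key.lower(), name.lower()))
        if actual is None:
            findings.append({"key": key, "name": name, "status": "missing",
                             "expected": expected, "actual": None})
        elif actual.lower() != expected.lower():
            findings.append({"key": key, "name": name, "status": "tampered",
                             "expected": expected, "actual": actual})
    return findings


# Constructed sample export: the .exe handler has been redirected to a placeholder
# program under a user profile (fakeav_placeholder.exe is not a file from this
# thread); the other three values are at their defaults.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Dad\\Local Settings\\Application Data\\xyz\\fakeav_placeholder.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f"{f['status']:8} {f['key']}\\{f['name']}: "
              f"{f['actual']!r} (expected {f['expected']!r})")
```

        Feed it an export made on the affected machine with `regedit /e` or `reg export` of the keys in EXPECTED. A `tampered` finding on the exefile command means every program launch is routed through the listed handler first, which is consistent with tools that "start but terminate almost immediately" as described at the top of this thread, and it is exactly the condition exeHelper's "Resetting filetype association for .exe" line repairs.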

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: Next step? SAS and HJT apps can't load...
        « Reply #5 on: February 27, 2010, 10:53:17 AM »
        Try this please. Run Rkill and exeHelper again if needed but try it from Normal Mode first.

        If you already have ComboFix be sure to delete it and download a new copy.

        Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

        Link #1
        Link #2

        **Note: It is important that it is saved directly to your Desktop

        Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

        Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
         
        Double click combofix.exe & follow the prompts.
        Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
        When finished ComboFix will produce a log for you.
        Post the ComboFix log in your next reply.

        Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

        Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

        If you have problems with ComboFix usage, see How to use ComboFix

        GrimAbbott

          Topic Starter


          Rookie

          • Experience: Beginner
          • OS: Windows 7
          Re: Next step? SAS and HJT apps can't load...
          « Reply #6 on: February 27, 2010, 01:02:42 PM »
          Rebooted to Normal mode, ComboFix ran.

          ComboFix log as requested:

          ComboFix 10-02-27.04 - Dad 02/27/2010  11:32:58.1.2 - x86
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.978.584 [GMT -8:00]
          Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
          AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\documents and settings\Mom\Local Settings\Application Data\ftbdbb
          c:\documents and settings\Mom\Local Settings\Application Data\ftbdbb\krarsftav.exe
          c:\recycler\S-1-5-21-4033299657-1658935796-1921181509-500

          .
          (((((((((((((((((((((((((   Files Created from 2010-01-27 to 2010-02-27  )))))))))))))))))))))))))))))))
          .

          2010-02-27 08:12 . 2010-01-08 00:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-02-27 08:12 . 2010-02-27 08:12   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2010-02-27 08:12 . 2010-01-08 00:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-02-27 07:59 . 2010-02-27 07:59   --------   d-----w-   c:\documents and settings\Dad\Application Data\Malwarebytes
          2010-02-27 07:59 . 2010-02-27 07:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
          2010-02-22 08:20 . 2010-02-22 08:20   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
          2010-02-21 02:45 . 2010-02-21 03:29   --------   d-----w-   c:\documents and settings\Mom\Local Settings\Application Data\CutePDF Writer
          2010-02-17 03:32 . 2010-02-17 03:32   --------   d-----w-   c:\documents and settings\James\Local Settings\Application Data\Identities
          2010-02-14 11:14 . 2010-02-14 11:14   --------   d-----w-   c:\documents and settings\Sam\Local Settings\Application Data\Freecorder
          2010-02-14 11:14 . 2010-02-14 11:14   --------   d-----w-   c:\documents and settings\Sam\Local Settings\Application Data\Conduit
          2010-02-14 10:49 . 2010-02-14 10:49   --------   d-sh--w-   c:\documents and settings\Sam\PrivacIE

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-02-19 08:51 . 2009-10-25 21:50   1   ----a-w-   c:\documents and settings\Mom\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
          2010-02-19 06:32 . 2009-10-28 05:32   1   ----a-w-   c:\documents and settings\James\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
          2010-02-14 10:21 . 2009-11-01 05:39   1   ----a-w-   c:\documents and settings\Sam\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
          2010-01-18 19:15 . 2009-10-25 03:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
          2010-01-18 19:10 . 2010-01-18 19:09   1924200   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
          2010-01-17 05:19 . 2010-01-17 05:19   23472   ----a-w-   c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
          2010-01-17 05:19 . 2010-01-17 05:19   --------   d-----w-   c:\documents and settings\Mom\Application Data\Intuit
          2010-01-17 05:11 . 2010-01-17 05:07   --------   d-----w-   c:\program files\Quicken
          2010-01-17 05:10 . 2010-01-17 05:10   4997120   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\161127-161225.dll
          2010-01-17 05:08 . 2010-01-17 05:08   991232   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\16141-16157.dll
          2010-01-17 05:08 . 2010-01-17 05:08   241664   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
          2010-01-17 05:08 . 2010-01-17 05:08   843776   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\161225-161321.dll
          2010-01-17 05:08 . 2010-01-17 05:08   462848   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\161321-16141.dll
          2010-01-17 05:08 . 2010-01-17 05:08   1008   ----a-w-   c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
          2010-01-17 05:08 . 2010-01-17 05:08   23472   ----a-w-   c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
          2010-01-17 05:07 . 2010-01-17 05:07   --------   d-----w-   c:\documents and settings\Dad\Application Data\Intuit
          2010-01-17 05:07 . 2010-01-17 05:07   --------   d-----w-   c:\program files\Common Files\Palo Alto Software
          2010-01-17 05:07 . 2010-01-17 05:07   --------   d-----w-   c:\program files\Common Files\Intuit
          2010-01-17 05:06 . 2010-01-17 05:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\Intuit
          2010-01-13 06:55 . 2009-10-25 05:42   1   ----a-w-   c:\documents and settings\Dad\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
          2010-01-05 06:57 . 2009-12-19 04:43   --------   d-----w-   c:\documents and settings\Mom\Application Data\Smilebox
          2010-01-02 04:54 . 2009-12-31 19:06   --------   d-----w-   c:\program files\ATT Internet Tools
          2009-12-31 23:10 . 2009-12-31 23:10   --------   d-----w-   c:\documents and settings\Dad\Application Data\OpenDNS Updater
          2009-12-31 23:10 . 2009-12-31 23:10   --------   d-----w-   c:\program files\OpenDNS Updater
          2009-12-31 19:06 . 2009-12-31 19:06   24576   ----a-w-   c:\windows\system32\msxml3a.dll
          2009-12-31 16:50 . 2004-08-04 06:14   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
          2009-12-24 01:42 . 2010-01-06 06:11   52224   ----a-w-   c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\imr34ayi.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
          2009-12-24 01:42 . 2010-01-06 06:11   101376   ----a-w-   c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\imr34ayi.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
          2009-12-21 19:14 . 2004-08-04 07:56   916480   ----a-w-   c:\windows\system32\wininet.dll
          2009-12-19 04:43 . 2009-12-19 04:43   57943   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\uninstall.exe
          2009-12-16 18:43 . 2004-08-04 07:56   343040   ----a-w-   c:\windows\system32\mspaint.exe
          2009-12-14 19:15 . 2009-12-14 19:15   2146304   ----a-w-   c:\windows\system32\GPhotos.scr
          2009-12-14 07:08 . 2004-08-04 07:56   33280   ----a-w-   c:\windows\system32\csrsrv.dll
          2009-12-08 19:26 . 2004-08-04 06:20   2145280   ----a-w-   c:\windows\system32\ntoskrnl.exe
          2009-12-08 18:43 . 2006-02-28 09:00   2023936   ----a-w-   c:\windows\system32\ntkrnlpa.exe
          2009-12-08 00:37 . 2009-10-25 03:34   56816   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
          2009-12-07 12:22 . 2009-12-07 12:22   266888   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxTray.exe
          2009-12-07 12:22 . 2009-12-07 12:22   205448   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxDvd.exe
          2009-12-07 12:22 . 2009-12-07 12:14   373384   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxStarter.exe
          2009-12-07 12:22 . 2009-12-07 11:39   168584   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxBrowserEngine.dll
          2009-12-07 12:14 . 2009-12-07 12:14   1593992   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxClient.exe
          2009-12-07 11:39 . 2009-12-07 11:39   344712   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxDvdEngine.dll
          2009-12-07 11:39 . 2009-12-07 11:39   123528   ----a-w-   c:\documents and settings\Mom\Application Data\Smilebox\SmileboxUpdater.exe
          2009-12-05 13:33 . 2009-12-05 13:33   23472   ----a-w-   c:\documents and settings\Sam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
          2009-12-04 18:22 . 2004-08-04 06:15   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
          2009-12-03 16:54 . 2009-12-03 16:54   70984   ----a-w-   c:\documents and settings\Mom\g2mdlhlpx.exe
          2010-01-02 04:50 . 2010-01-02 04:50   94208   ----a-w-   c:\program files\mozilla firefox\components\blsfflock.dll
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
          "{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]

          [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
          2009-11-10 02:38   2331672   ----a-w-   c:\program files\Freecorder\tbFree.dll

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
          "{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]

          [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
          "{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2009-11-10 2331672]

          [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-01-24 2289664]
          "OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2009-11-16 839168]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-07 141848]
          "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-07 166424]
          "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-07 137752]
          "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-26 1015808]
          "atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-07 408344]
          "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
          "IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-05-23 677408]
          "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
          "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
          "CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
          "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
          "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
          "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-10-08 127036]
          "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
          "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
          "Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]
          "blspcloader"="c:\program files\ATT Internet Tools\blsloader.exe" [2010-01-02 107856]

          c:\documents and settings\James\Start Menu\Programs\Startup\
          OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

          c:\documents and settings\Mom\Start Menu\Programs\Startup\
          OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

          c:\documents and settings\Sam\Start Menu\Programs\Startup\
          OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

          c:\documents and settings\Dad\Start Menu\Programs\Startup\
          OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
          2007-02-07 01:30   74240   ----a-r-   c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
          Notification Packages   REG_MULTI_SZ      SbHpNp scecli

          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusOverride"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

          R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [6/13/2007 4:53 PM 101167]
          R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 12:31 PM 44720]
          R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [6/14/2007 3:22 PM 13184]
          R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [4/18/2007 6:32 PM 39080]
          R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [6/13/2007 4:53 PM 5808]
          R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/24/2009 7:34 PM 108289]
          R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/3/2004 11:56 PM 14336]
          R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/3/2004 11:56 PM 14336]
          R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [7/9/2007 4:03 PM 221184]
          R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [10/24/2009 5:11 PM 576024]
          R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [10/24/2009 4:57 PM 2521880]
          R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/24/2009 4:09 PM 44800]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          Cognizance   REG_MULTI_SZ      ASBroker ASChannel

          [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
          2008-01-24 19:30   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.gbcph.org/
          uDefault_Search_URL = hxxp://www.google.com/ie
          uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
          uSearchAssistant = hxxp://www.google.com/ie
          uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
          IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
          IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
          FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\imr34ayi.default\
          FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\imr34ayi.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
          FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\imr34ayi.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
          FF - component: c:\program files\Mozilla Firefox\components\blsfflock.dll
          FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
          FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
          .
          - - - - ORPHANS REMOVED - - - -

          HKLM-Run-emxamgqa - c:\documents and settings\Mom\Local Settings\Application Data\ftbdbb\krarsftav.exe



          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-02-27 11:38
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
          "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(688)
          c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
          c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
          c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
          c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
          c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
          c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
          c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
          c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
          c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
          c:\program files\Hewlett-Packard\IAM\Bin\ittal.dll
          c:\windows\SbHpNp.DLL
          c:\windows\system32\igfxdev.dll

          - - - - - - - > 'lsass.exe'(744)
          c:\windows\SbHpNp.dll

          - - - - - - - > 'explorer.exe'(3376)
          c:\windows\system32\WININET.dll
          c:\windows\system32\APSHook.dll
          c:\documents and settings\Dad\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
          c:\program files\ATT Internet Tools\blshook.dll
          c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
          c:\windows\system32\ieframe.dll
          c:\windows\system32\webcheck.dll
          c:\windows\system32\WPDShServiceObj.dll
          c:\windows\system32\PortableDeviceTypes.dll
          c:\windows\system32\PortableDeviceApi.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\program files\Avira\AntiVir Desktop\avguard.exe
          c:\program files\Intel\AMT\atchksrv.exe
          c:\windows\system32\ifxtcs.exe
          c:\program files\Java\jre6\bin\jqs.exe
          c:\program files\Common Files\LightScribe\LSSrvc.exe
          c:\program files\Intel\AMT\LMS.exe
          c:\windows\system32\IfxPsdSv.exe
          c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
          c:\windows\System32\SCardSvr.exe
          c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
          c:\windows\system32\igfxsrvc.exe
          c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
          c:\program files\OpenOffice.org 3\program\soffice.exe
          c:\program files\OpenOffice.org 3\program\soffice.bin
          .
          **************************************************************************
          .
          Completion time: 2010-02-27  11:56:53 - machine was rebooted
          ComboFix-quarantined-files.txt  2010-02-27 19:56

          Pre-Run: 63,368,904,704 bytes free
          Post-Run: 63,747,186,688 bytes free

          WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
          [boot loader]
          timeout=2
          default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
          [operating systems]
          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
          multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

          - - End Of File - - 7BFFD4F9093CB94CAA6AF6725A62F153


          [Saving space, attachment deleted by admin]
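          The Reg Loading Points section of the ComboFix log above is the part a helper reads first, because it lists every autostart entry in one place. As an added example (not ComboFix's own code and not from anyone in this thread), the Python below parses Run values, Startup-folder shortcuts and "ORPHANS REMOVED" lines out of an excerpt in that format and flags entries whose executable lives somewhere legitimate software rarely autostarts from: a user's Local Settings\Application Data, a Temp folder, the Recycler, or a profile root. The sample excerpt is constructed from lines of the log above; its "emxamgqa" Run value is reconstructed from the orphan line, with a placeholder date/size bracket. The location rule is a triage heuristic only: an entry under Program Files passes it without being vouched for.

```python
import re

# Locations where legitimate autostart executables rarely live on Windows XP.
# Matching one of these is a triage heuristic, not proof of malice.
SUSPECT_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
    "\\recycler\\",
)
# An executable sitting directly in a profile root is equally unusual.
PROFILE_ROOT_FILE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$")
# Normal homes for vendor software and the OS itself.
VENDOR_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# Line shapes used in the Reg Loading Points section of the log above.
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]')
LNK_ENTRY = re.compile(r"^(?P<name>.+\.lnk) - (?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]")
ORPHAN = re.compile(r"^(?P<name>HK(?:LM|CU)-Run-\S+) - (?P<path>.+)$")


def classify(path):
    """'suspect' for unusual locations, 'vendor' for Program Files/Windows,
    'review' for anything else (unknown drive or folder)."""
    p = path.strip().lower()
    if any(d in p for d in SUSPECT_DIRS) or PROFILE_ROOT_FILE.match(p):
        return "suspect"
    if p.startswith(VENDOR_PREFIXES):
        return "vendor"
    return "review"


def parse_loading_points(text):
    """Extract autostart entries (Run values, Startup-folder shortcuts, removed
    orphans) from Reg Loading Points text in ComboFix's format."""
    entries, context = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            context = line[1:-1]          # registry key header
            continue
        if line.lower().endswith("\\startup\\"):
            context = line                # Startup folder header
            continue
        for source, rx in (("run", RUN_VALUE), ("startup", LNK_ENTRY), ("orphan", ORPHAN)):
            m = rx.match(line)
            if m:
                path = m.group("path").strip()
                entries.append({"context": context, "source": source,
                                "name": m.group("name"), "path": path,
                                "verdict": classify(path)})
                break
    return entries


def triage(text):
    """Return only the entries that point into suspect locations."""
    return [e for e in parse_loading_points(text) if e["verdict"] == "suspect"]


# Constructed excerpt in the format of the ComboFix log above. The "emxamgqa"
# Run value is reconstructed from that log's ORPHANS REMOVED line (its
# date/size bracket is a placeholder); the other lines are copied from the log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2009-11-16 839168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"emxamgqa"="c:\documents and settings\Mom\Local Settings\Application Data\ftbdbb\krarsftav.exe" [0000-00-00 0]

c:\documents and settings\Dad\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

- - - - ORPHANS REMOVED - - - -

HKLM-Run-emxamgqa - c:\documents and settings\Mom\Local Settings\Application Data\ftbdbb\krarsftav.exe
"""

if __name__ == "__main__":
    for e in parse_loading_points(SAMPLE_LOG):
        print(f"{e['verdict']:8} {e['source']:8} {e['name']}: {e['path']}")
```

          Run against the full log, the flagged list is the short list a helper would check on a multi-engine scanner, exactly as the next reply in this thread does for a single driver file. Both the reconstructed Run value and the orphan line point at the same krarsftav.exe under a user's Local Settings\Application Data, the file ComboFix lists under Other Deletions.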

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Next step? SAS and HJT apps can't load...
          « Reply #7 on: February 27, 2010, 01:12:02 PM »
          Looks okay. How is the computer running now?

          I am suspicious of this file so let's scan it and see what it says.

          Please go to Jotti's malware scan
          (If more than one file needs scanned they must be done separately and logs posted for each one)

          * Copy the file path in the below Code box:

          Code:
          c:\windows\system32\drivers\SafeBoot.sys

          * At the upload site, click once inside the window next to Browse.
          * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
          * Next click Submit file
          * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
          * This will perform a scan across multiple different virus scanning engines.
          * Important: Wait for all of the scanning engines to complete.
          * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

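A local check to run on a suspect driver before (or instead of) uploading it, added here as an example and not part of either poster's instructions: it reports the on-disk size, SHA-256 hash and Authenticode signature status, so a "File is empty (0 bytes)" result from the upload site can be compared against what the file actually looks like on disk. It assumes PowerShell 4.0 or later (for Get-FileHash) and uses the driver path quoted in Reply #7.

```powershell
# Added example (not from the original thread): inspect a suspect driver locally.
# Assumes PowerShell 4.0+ for Get-FileHash; run from an elevated prompt so the
# driver file under System32 is readable.
param(
    [string]$Path = 'C:\Windows\System32\drivers\SafeBoot.sys'  # path quoted in Reply #7
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "File not found: $Path"
    return
}

# -Force also returns hidden/system files, which drivers sometimes are.
$item = Get-Item -LiteralPath $Path -Force

# Size on disk: a non-zero value here means the upload, not the file, was empty
# (e.g. the file was locked or the browser could not read it).
$sizeKB = [math]::Round($item.Length / 1KB, 1)

# SHA-256 identifies the file so existing scan results can be looked up
# without having to upload it again.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

# Authenticode check: a driver from a known vendor normally returns 'Valid';
# 'NotSigned' or 'HashMismatch' on a file in System32\drivers deserves a closer look.
$sig = Get-AuthenticodeSignature -LiteralPath $Path

[pscustomobject]@{
    Path        = $item.FullName
    SizeKB      = $sizeKB
    Created     = $item.CreationTime
    LastWritten = $item.LastWriteTime
    SHA256      = $hash
    Signature   = $sig.Status
    Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
}
```

Compare the Created and SizeKB values against what Explorer shows (98.7 KB, created 6/13/2007 in Reply #8); a mismatch would point to a different file than the one being uploaded.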
          GrimAbbott

            Re: Next step? SAS and HJT apps can't load...
            « Reply #8 on: February 27, 2010, 02:41:28 PM »
            After clicking "Submit file" it returns a "Status: File is empty (0 bytes)."

            When I navigate to this file (SafeBoot.sys) directly it shows 98.7 KB, created on 6/13/2007.

            Operation of the PC seems to have stabilized. I'm having problems getting to the internet; the AT&T Parental Controls application does not seem to recognize my (parent) password. I found a workaround and will uninstall this app and keep checking.

            evilfantasy

            Re: Next step? SAS and HJT apps can't load...
            « Reply #9 on: February 27, 2010, 02:47:32 PM »
            Okay, let's do this then.


            * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
            * Now type Combofix /Uninstall in the runbox
            * Make sure there's a space between Combofix and /Uninstall
            * Then hit Enter

            * The above procedure will:
              * Delete the following: ComboFix and its associated files and folders.
              * Reset the clock settings.
              * Hide file extensions, if required.
              * Hide System/Hidden files, if required.
              * Set a new, clean Restore Point.

            ----------

            Clean out your temporary internet files and temp files.

            Download TFC by OldTimer to your desktop.

            Double-click TFC.exe to run it.

            Note: If you are running on Vista, right-click on the file and choose Run As Administrator

            TFC will close all programs when run, so make sure you have saved all your work before you begin.

            * Click the Start button to begin the cleaning process.
            * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
            * Please let TFC run uninterrupted until it is finished.

            Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

            ----------

            ESET Online Scan

            Scan your computer with the ESET FREE Online Virus Scan

            * Click the ESET Online Scanner button.

            * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
            * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
            * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
            * Place a check mark next to YES, I accept the Terms of Use.

            * Click the Start button.
            * Accept any security warnings from your browser.
            * Leave the check mark next to Remove found threats and place a check next to Scan archives.
            * Click the Start button.
            * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
            * When the scan completes, click List of found threats.
            * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
            * Click the <<Back button then click Finish.

            In your next reply please include the ESET Online Scan Log

            GrimAbbott

              Re: Next step? SAS and HJT apps can't load...
              « Reply #10 on: February 27, 2010, 04:06:20 PM »
              No threats found by eSet online scanner; consequently, no option was available to list the found threats or export to text file.

              Running again just to make sure I didn't overlook something...

              evilfantasy

              Re: Next step? SAS and HJT apps can't load...
              « Reply #11 on: February 27, 2010, 04:07:50 PM »
              If there was no log then that means nothing was found.


              If there are no more malware issues we can finish up now.

              Use the Secunia Software Inspector to check for out of date software.

              * Click Start Scanner
              * Check the box next to Enable thorough system inspection.
              * Click Start
              * Allow the scan to finish and scroll down to see if any updates are needed.
              * Update anything listed.

              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

              ----------

              I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection, so they will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
              * Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.