
Author Topic: Need help removing all malware  (Read 4635 times)


js2881

    Topic Starter


    Rookie

    Need help removing all malware
    « on: January 27, 2010, 02:54:29 PM »
    Hello everyone,

    Yesterday, my desktop PC running Windows XP SP3 became infected with what seemed like multiple viruses. I saw numerous symptoms:

    A) my ability to connect to the internet was gone
    B) my wallpaper changed to a green screen with a black warning message about spyware
    C) constant popup messages - one mentioned something about the Worm.Win32.Netsky infecting my computer; another said "click here to protect your computer from spyware!" and another said "Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information and PC safety is at risk."

    Luckily, I was able to get internet access on a friend's computer to read the malware removal guide posted here. After following all of the steps, it seems that most, but not all, of the malware is gone on my PC. My internet connection is now working on my PC, and all of the popups have disappeared. The green screen on my desktop wallpaper is gone as well. However, now all of my icons there are highlighted for some unknown reason (although the icons all work fine). I just wanted to be sure that all the bad stuff is gone.

    Attached are my SAS, MBAM, and HJT logs. I actually did 2 scans w/ MBAM - I did the quick scan first, which hardly found anything, and then a full scan which found more malware. Both logs are attached.





    [Saving space, attachment deleted by admin]

    js2881

      Topic Starter


      Rookie

      Re: Need help removing all malware
      « Reply #1 on: January 27, 2010, 04:49:39 PM »
      These are the same logs I attached in my first post, but I am copy and pasting them this time since I noticed that most people seem to use this method.

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 01/26/2010 at 09:34 PM

      Application Version : 4.23.1006

      Core Rules Database Version : 4521
      Trace Rules Database Version: 2333

      Scan type       : Complete Scan
      Total Scan Time : 03:38:10

      Memory items scanned      : 174
      Memory threats detected   : 0
      Registry items scanned    : 7216
      Registry threats detected : 1
      File items scanned        : 87828
      File threats detected     : 4

      Rogue.Agent/Gen
         [Wallpaper] C:\WINDOWS\SYSTEM32\WARNING.HTML
         C:\WINDOWS\SYSTEM32\WARNING.HTML

      Adware.Tracking Cookie
         C:\Documents and Settings\Ralph\Cookies\[email protected][3].txt

      Trojan.Agent/Gen
         C:\WINDOWS\system32\41.exe

      Rogue.Agent/Gen-Nullo[DLL]
         C:\WINDOWS\SYSTEM32\SNDIPAVI32.DLL


      Malwarebytes' Anti-Malware 1.44
      Database version: 3585
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      1/26/2010 4:58:18 PM
      mbam-log-2010-01-26 (16-58-18).txt

      Scan type: Quick Scan
      Objects scanned: 126171
      Time elapsed: 6 minute(s), 39 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 1
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)




      Malwarebytes' Anti-Malware 1.44
      Database version: 3585
      Windows 5.1.2600 Service Pack 3 (Safe Mode)
      Internet Explorer 8.0.6001.18702

      1/26/2010 11:22:36 PM
      mbam-log-2010-01-26 (23-22-36).txt

      Scan type: Full Scan (A:\|C:\|)
      Objects scanned: 211833
      Time elapsed: 1 hour(s), 32 minute(s), 28 second(s)

      Memory Processes Infected: 1
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 2
      Registry Data Items Infected: 10
      Folders Infected: 0
      Files Infected: 8

      Memory Processes Infected:
      C:\WINDOWS\SYSTEM32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\SDFix\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
      C:\SDFix\apps\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
      C:\WINDOWS\SYSTEM32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\WINDOWS\SYSTEM32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\WINDOWS\SYSTEM32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\WINDOWS\SYSTEM32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\WINDOWS\SYSTEM32\IS15.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\WINDOWS\SYSTEM32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.




      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 13:12:53, on 1/27/2010
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)
      Boot mode: Safe mode

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Windows Defender\MsMpEng.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
      O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)
      O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll (file missing)
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
      O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
      O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
      O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
      O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
      O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
      O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
      O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
      O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O4 - Global Startup: Picture Package Menu.lnk = ?
      O4 - Global Startup: Picture Package VCD Maker.lnk = ?
      O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
      O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
      O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229540297140
      O16 - DPF: {69432678-2906-2705-1128-068943397621} -
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263759585985
      O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
      O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
      O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
      O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
      O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
      O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
      O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
      O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
      O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
      O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
      O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
      O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

      --
      End of file - 8771 bytes

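The MBAM full-scan log above is worth reading for what was changed rather than only what was dropped: the Winlogon Userinit value, an HKLM Run entry and the DisableTaskMgr policy are the entries a responder re-verifies after cleanup, because a restored file means nothing if the logon path still points at it. As an added example that is not part of this thread and not Malwarebytes' own tooling, here is a small Python parser for this log format, fed with entries excerpted from the log above, that turns each line into a record (including the `Bad: (...) Good: (...)` and `Data: ...` variants) and flags the persistence and defense-evasion locations. The `HIGH_PRIORITY` table and its descriptions are this example's own assumption about what matters, not a Malwarebytes classification.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: entries excerpted verbatim from the MBAM full-scan log posted
# in the thread, reduced to a few sections so the example stays short.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\SYSTEM32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One MBAM entry: "<path> (<detection>) -> [Data: X -> ] [Bad: (X) Good: (Y) -> ] <action>"
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?"
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+)$"
)


@dataclass
class Finding:
    section: str          # e.g. "Registry Data Items Infected"
    path: str             # file path or registry location
    detection: str        # MBAM detection name, e.g. "Hijack.UserInit"
    action: str           # what MBAM did with it
    data: Optional[str] = None   # value reported after "Data:"
    bad: Optional[str] = None    # value found, from "Bad: (...)"
    good: Optional[str] = None   # value restored, from "Good: (...)"


def parse_mbam_log(text: str) -> list[Finding]:
    """Parse the detail sections of an MBAM log into Finding records."""
    findings: list[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        # Detail section headers end in "Infected:"; the summary counts
        # ("Files Infected: 8") end in a number and are skipped below.
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        findings.append(Finding(section, m["path"], m["detection"], m["action"],
                                m["data"], m["bad"], m["good"]))
    return findings


# Locations whose modification means persistence or defense evasion rather than
# a dropped file. This table is the example's own assumption about what a
# responder re-verifies after cleanup, not a Malwarebytes category.
HIGH_PRIORITY = {
    "winlogon\\userinit": "Userinit hijack: runs malware at every interactive logon",
    "policies\\system\\disabletaskmgr": "Task Manager disabled (defense evasion)",
    "currentversion\\run\\": "Run-key persistence",
}


def triage(findings: list[Finding]) -> list[tuple[str, str, Finding]]:
    """Return (matched_location, reason, finding) for the high-priority entries."""
    flagged = []
    for f in findings:
        path = f.path.lower()
        for needle, reason in HIGH_PRIORITY.items():
            if needle in path:
                flagged.append((needle, reason, f))
                break
    return flagged


if __name__ == "__main__":
    for _, reason, f in triage(parse_mbam_log(SAMPLE_LOG)):
        print(f"{reason}: {f.path}")
        if f.bad is not None:
            print(f"    was {f.bad!r}, restored to {f.good!r}")
```

After cleanup the useful follow-up is to confirm on the live system that the `Good:` values actually stuck (Userinit back to `userinit.exe,` and DisableTaskMgr at 0); a second MBAM or HijackThis run that reports the same Winlogon entry again is the signal that something is re-writing it.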
      Dr Jay

      • Malware Removal Specialist


      • Specialist
      • Moderator emeritus
      • Thanked: 119
      • Experience: Guru
      • OS: Windows 10
      Re: Need help removing all malware
      « Reply #2 on: January 28, 2010, 11:02:04 AM »
      Hello.

      Please visit this webpage for instructions for downloading and running ComboFix:

      http://www.bleepingcomputer.com/combofix/how-to-use-combofix

      Post the log from ComboFix when you've accomplished that.
      ~Dr Jay

      js2881

        Topic Starter


        Rookie

        Re: Need help removing all malware
        « Reply #3 on: January 28, 2010, 02:39:16 PM »
        Just ran ComboFix. I also ran it yesterday after finishing the first 6 steps, but I was missing some of the instructions and forgot to install the Windows Recovery Console. This time I did it right. I should also mention that I installed Avast before running ComboFix the second time.


        Here are my 2 ComboFix logs. For some reason, Internet Explorer keeps freezing when I try to copy and paste them. I can only attach them.



        [Saving space, attachment deleted by admin]

        js2881

          Topic Starter


          Rookie

          Re: Need help removing all malware
          « Reply #4 on: January 28, 2010, 03:11:09 PM »
          Ok, here is the copy and pasted version of my second (most recent) log for ComboFix. Internet Explorer still freezes whenever I try to copy and paste my first log - I am guessing because that one is too large. It is still attached in my post before this one.



          ComboFix 10-01-27.06 - Ralph 01/28/2010  15:48:16.3.1 - x86
          Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.767.321 [GMT -5:00]
          Running from: c:\documents and settings\Ralph\Desktop\ComboFix.exe
          AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\documents and settings\Ralph\Application Data\ibunuqul.inf
          c:\documents and settings\Ralph\Start Menu\Programs\AVI Codec Pack +
          c:\documents and settings\Ralph\Start Menu\Programs\AVI Codec Pack +\Check For Updates.lnk
          c:\documents and settings\Ralph\Start Menu\Programs\AVI Codec Pack +\Uninstall.lnk
          c:\program files\AVI Codec Pack
          c:\program files\AVI Codec Pack\AC3\ac3filter.ax
          c:\program files\AVI Codec Pack\AC3\dialog_patch.exe
          c:\program files\AVI Codec Pack\DivX 3.11\DivX.inf
          c:\program files\AVI Codec Pack\DivX 3.11\DIVX_c32.ax
          c:\program files\AVI Codec Pack\DivX 3.11\DivXa32.acm
          c:\program files\AVI Codec Pack\DivX 3.11\DivXc32.dll
          c:\program files\AVI Codec Pack\DivX 3.11\DivXc32f.dll
          c:\program files\AVI Codec Pack\DivX 3.11\L3codeca.acm
          c:\program files\AVI Codec Pack\divx.chm
          c:\program files\AVI Codec Pack\ffdhow\ffdshow.ax
          c:\program files\AVI Codec Pack\ffdhow\ffdshow.ax.manifest
          c:\program files\AVI Codec Pack\ffdhow\libavcodec.dll
          c:\program files\AVI Codec Pack\ffdhow\libmpeg2_ff.dll
          c:\program files\AVI Codec Pack\ffdhow\libmplayer.dll
          c:\program files\AVI Codec Pack\ffdhow\TomsMoComp_ff.dll
          c:\program files\AVI Codec Pack\LAYER-3\L3CODECP.ACM
          c:\program files\AVI Codec Pack\LAYER-3\RaMp3Cfg.exe
          c:\program files\AVI Codec Pack\uninstall.exe
          C:\s
          c:\windows\cycoku.scr
          c:\windows\system32\_003819_.tmp.dll
          c:\windows\system32\_003820_.tmp.dll
          c:\windows\system32\_003821_.tmp.dll
          c:\windows\system32\_003822_.tmp.dll
          c:\windows\system32\_003829_.tmp.dll
          c:\windows\system32\_003830_.tmp.dll
          c:\windows\system32\_003831_.tmp.dll
          c:\windows\system32\_003833_.tmp.dll
          c:\windows\system32\_003834_.tmp.dll
          c:\windows\system32\_003837_.tmp.dll
          c:\windows\system32\_003838_.tmp.dll
          c:\windows\system32\_003840_.tmp.dll
          c:\windows\system32\_003841_.tmp.dll
          c:\windows\system32\_003842_.tmp.dll
          c:\windows\system32\_003844_.tmp.dll
          c:\windows\system32\_003847_.tmp.dll
          c:\windows\system32\_003848_.tmp.dll
          c:\windows\system32\_003852_.tmp.dll
          c:\windows\system32\_003853_.tmp.dll
          c:\windows\system32\_003855_.tmp.dll
          c:\windows\system32\_003858_.tmp.dll
          c:\windows\system32\_003860_.tmp.dll
          c:\windows\system32\_003861_.tmp.dll
          c:\windows\system32\_003862_.tmp.dll
          c:\windows\system32\_003863_.tmp.dll
          c:\windows\system32\_003866_.tmp.dll
          c:\windows\system32\_003867_.tmp.dll
          c:\windows\system32\_003868_.tmp.dll
          c:\windows\system32\_003869_.tmp.dll
          c:\windows\system32\_003870_.tmp.dll
          c:\windows\system32\_003875_.tmp.dll
          c:\windows\system32\_003877_.tmp.dll
          c:\windows\system32\camenot.vbs
          c:\windows\ygunoqe._sy

          .
          (((((((((((((((((((((((((   Files Created from 2009-12-28 to 2010-01-28  )))))))))))))))))))))))))))))))
          .

          2010-01-28 01:09 . 2010-01-19 11:42   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
          2010-01-28 01:09 . 2010-01-19 13:13   162640   ----a-w-   c:\windows\system32\drivers\aswSP.sys
          2010-01-28 01:09 . 2010-01-19 11:43   23248   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
          2010-01-28 01:09 . 2010-01-19 11:46   46544   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
          2010-01-28 01:09 . 2010-01-19 11:43   100304   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
          2010-01-28 01:09 . 2010-01-19 11:43   94672   ----a-w-   c:\windows\system32\drivers\aswmon.sys
          2010-01-28 01:09 . 2010-01-19 11:42   28240   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
          2010-01-28 01:09 . 2010-01-19 11:57   38848   ----a-w-   c:\windows\system32\avastSS.scr
          2010-01-28 01:09 . 2010-01-19 11:57   152672   ----a-w-   c:\windows\system32\aswBoot.exe
          2010-01-28 01:09 . 2010-01-28 01:09   --------   d-----w-   c:\program files\Alwil Software
          2010-01-28 01:09 . 2010-01-28 01:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
          2010-01-27 20:18 . 2010-01-27 20:18   --------   d-----w-   c:\program files\Common Files\Java
          2010-01-27 18:33 . 2010-01-27 18:33   578560   ----a-w-   c:\windows\system32\dllcache\user32.dll
          2010-01-27 18:29 . 2010-01-27 18:29   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
          2010-01-17 22:57 . 2009-11-21 15:51   471552   ------w-   c:\windows\system32\dllcache\aclayers.dll
          2010-01-17 21:05 . 2010-01-17 21:05   --------   d-----w-   c:\program files\Windows Resource Kits
          2010-01-17 20:28 . 2009-02-09 12:10   617472   ----a-w-   c:\windows\system32\advapi32.dll

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-01-28 20:57 . 2004-11-19 19:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\DIGStream
          2010-01-28 20:41 . 2010-01-26 22:39   52224   ----a-w-   c:\documents and settings\Ralph\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
          2010-01-28 20:41 . 2009-03-28 21:36   117760   ----a-w-   c:\documents and settings\Ralph\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
          2010-01-28 20:40 . 2008-05-11 16:23   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
          2010-01-28 14:31 . 2009-09-19 02:29   --------   d-----w-   c:\program files\SpywareBlaster
          2010-01-27 20:18 . 2010-01-27 20:18   61440   ----a-w-   c:\documents and settings\Ralph\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-48cdcd29-n\decora-sse.dll
          2010-01-27 20:18 . 2010-01-27 20:18   503808   ----a-w-   c:\documents and settings\Ralph\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40458530-n\msvcp71.dll
          2010-01-27 20:18 . 2010-01-27 20:18   499712   ----a-w-   c:\documents and settings\Ralph\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40458530-n\jmc.dll
          2010-01-27 20:18 . 2010-01-27 20:18   348160   ----a-w-   c:\documents and settings\Ralph\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40458530-n\msvcr71.dll
          2010-01-27 20:18 . 2010-01-27 20:18   12800   ----a-w-   c:\documents and settings\Ralph\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-48cdcd29-n\decora-d3d.dll
          2010-01-27 20:17 . 2008-12-27 04:50   411368   ----a-w-   c:\windows\system32\deploytk.dll
          2010-01-17 23:17 . 2009-09-30 13:37   3695616   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
          2010-01-17 23:17 . 2009-09-30 13:37   2353992   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
          2010-01-17 23:13 . 2008-12-26 23:40   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2010-01-17 23:12 . 2010-01-17 23:12   5115824   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
          2010-01-17 21:24 . 2003-04-19 00:40   143712   ----a-w-   c:\documents and settings\Ralph\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
          2010-01-08 23:16 . 2003-04-14 22:52   --------   d--h--w-   c:\program files\InstallShield Installation Information
          2010-01-07 21:07 . 2009-09-19 02:33   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-01-07 21:07 . 2009-09-19 02:33   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-01-04 22:19 . 2006-06-05 01:50   4700   ----a-w-   c:\documents and settings\Ralph\Application Data\ViewerApp.dat
          2009-12-23 04:49 . 2009-06-10 16:15   256   ----a-w-   c:\windows\system32\pool.bin
          2009-12-23 04:34 . 2009-12-23 04:34   --------   d-----w-   c:\documents and settings\Ralph\Application Data\Blackberry Desktop
          2009-12-03 19:45 . 2007-11-28 01:25   --------   d-----w-   c:\documents and settings\Ralph\Application Data\LimeWire
          2009-12-03 19:37 . 2008-09-24 00:14   --------   d-----w-   c:\program files\Incomplete
          2009-12-03 19:37 . 2007-11-28 01:17   --------   d-----w-   c:\program files\LimeWire
          2009-12-02 23:26 . 2007-11-28 01:18   --------   d-----w-   c:\program files\Java
          2009-11-03 01:42 . 2009-12-02 16:51   195456   ------w-   c:\windows\system32\MpSigStub.exe
          2009-10-14 00:28 . 2009-10-14 00:28   187150   ----a-w-   c:\program files\log.txt
          2004-07-25 01:46 . 2004-05-17 19:15   0   --sh--r-   c:\program files\q330994.exe
          2004-05-24 04:32 . 2004-05-23 15:50   0   --sh--r-   c:\program files\power scan
          2004-07-25 01:46 . 2004-05-17 19:15   0   --sha-r-   c:\windows\nem216.dll
          2004-07-25 01:46 . 2004-05-28 11:36   0   --sha-r-   c:\windows\SYSTEM\wmscrop.exe
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
          "NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
          "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
          "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
          "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
          "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
          "MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
          "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-04-14 26112]
          "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
          "MPTBox"="c:\progra~1\Canon\MULTIP~1\MPTBox.exe" [2002-11-09 172032]
          "Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-21 49152]
          "nwiz"="nwiz.exe" [2003-10-06 741376]
          "DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]
          "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
          "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
          "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
          "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
          "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
          "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
          "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
          "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
          Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
          Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-6-4 151552]
          Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-6-4 106496]

          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
          BootExecute   REG_MULTI_SZ      autocheck autochk *\0stera\0lsdelete

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
          @="Service"

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
          @="Service"

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "EnableFirewall"= 0 (0x0)

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
          "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\LimeWire\\LimeWire.exe"=
          "c:\\Program Files\\Kinko's\\FPFK\\FPKMain.exe"=
          "c:\\Program Files\\Kinko's\\FPFK\\Kinkos.Jupiter.GUI.Queue.exe"=
          "c:\\Program Files\\iTunes\\iTunes.exe"=

          R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [9/30/2009 8:37 AM 64160]
          R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [1/27/2010 8:09 PM 162640]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 1:50 PM 8944]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 55024]
          R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [1/27/2010 8:09 PM 19024]
          R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 1:01 PM 24652]
          R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
          S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
          S3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\mtk.sys --> c:\windows\system32\Drivers\mtk.sys [?]
          S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 7408]
          .
          Contents of the 'Scheduled Tasks' folder

          2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

          2010-01-28 c:\windows\Tasks\MP Scheduled Scan.job
          - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
          .
          .
          ------- Supplementary Scan -------
          .
          IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
          DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
          DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
          DPF: {69432678-2906-2705-1128-068943397621}
          DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
          .
          - - - - ORPHANS REMOVED - - - -

          AddRemove-AVI Codec Pack - c:\program files\AVI Codec Pack\uninstall.exe
          AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-01-28 15:56
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'explorer.exe'(3728)
          c:\windows\system32\WININET.dll
          c:\program files\ScanSoft\OmniPageSE\ophook32.dll
          c:\windows\system32\ieframe.dll
          c:\windows\system32\mshtml.dll
          c:\windows\system32\msls31.dll
          c:\windows\system32\webcheck.dll
          c:\windows\system32\WPDShServiceObj.dll
          c:\windows\system32\PortableDeviceTypes.dll
          c:\windows\system32\PortableDeviceApi.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\program files\Alwil Software\Avast5\AvastSvc.exe
          c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          c:\program files\Java\jre6\bin\jqs.exe
          c:\program files\Canon\MultiPASS4\MPSERVIC.EXE
          c:\windows\System32\nvsvc32.exe
          c:\windows\BCMSMMSG.exe
          c:\windows\system32\RUNDLL32.EXE
          c:\program files\Canon\CAL\CALMAIN.exe
          c:\program files\iPod\bin\iPodService.exe
          c:\windows\system32\wscntfy.exe
          c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
          .
          **************************************************************************
          .
          Completion time: 2010-01-28  16:05:00 - machine was rebooted
          ComboFix-quarantined-files.txt  2010-01-28 21:04
          ComboFix2.txt  2010-01-27 18:23
          ComboFix3.txt  2009-10-14 00:26
          ComboFix4.txt  2008-12-27 05:32

          Pre-Run: 6,692,040,704 bytes free
          Post-Run: 6,607,384,576 bytes free

          WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
          [boot loader]
          timeout=2
          default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
          [operating systems]
          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
          multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

          - - End Of File - - 04B28143226CD4BC3F9B780E7780095A

          Dr Jay

          Re: Need help removing all malware
          « Reply #5 on: January 28, 2010, 07:43:00 PM »
          Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky.fr and save it to your Desktop.
          • Please close all other applications running on your system.
          • Please double click GetSystemInfo.exe to open it.
          • Click the Settings button.
          • Set it to Maximum
          • IMPORTANT! Then please click Customize - choose Driver / Ports tab and
          • Uncheck Scan Ports.
          • Click Create Report to run it.
          • It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.
          Please copy and paste the url of the GSI Parser report (not the log) in your next reply.
          ~Dr Jay

          js2881


            Re: Need help removing all malware
            « Reply #6 on: January 29, 2010, 07:58:21 AM »

            Dr Jay

            Re: Need help removing all malware
            « Reply #7 on: January 29, 2010, 08:44:55 AM »
            Please delete this file: C:\WINDOWS\SYSTEM32\MMAVILNG.exe

            ==

            Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
            • Select Start > All Programs > Accessories > System tools > System Restore.
            • On the dialogue box that appears select Create a Restore Point
            • Click NEXT
            • Enter a name e.g. Clean
            • Click CREATE
            You now have a clean restore point, to get rid of the bad ones:
            • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
            • In the Drop down box that appears select your main drive e.g. C
            • Click OK
            • The System will do some calculation and then display a dialogue box with TABS
            • Select the More Options Tab.
            • At the bottom will be a system restore box with a CLEANUP button click this
            • Accept the Warning and select OK again, the program will close and you are done
            To remove all of the tools we used and the files and folders they created, please do the following:
            Please download OTC.exe by OldTimer:
            • Save it to your Desktop.
            • Double click OTC.exe.
            • Click the CleanUp! button.
            • If you are prompted to Reboot during the cleanup, select Yes.
            • The tool will delete itself once it finishes.
            Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

            ==

            Please download TFC by OldTimer to your desktop
            • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
            • It will close all programs when run, so make sure you have saved all your work before you begin.
            • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
            • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
            ==

            Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
            • Save it to your Desktop.
            • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
            • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
            ~Dr Jay

            js2881


              Re: Need help removing all malware
              « Reply #8 on: January 29, 2010, 03:21:13 PM »
              Ok, I did all the steps in the order you suggested. I should mention that when the computer rebooted after running OTC, a Windows dialogue box popped up. It said "The system has recovered from a serious error. A log of this error has been created." It showed a couple of buttons with the option of sending a copy of the report to Microsoft. I sent the report, but the screen at the Microsoft website said "Corrupted error report." It also said "Unfortunately, the error report you submitted is corrupted and can't be analyzed." It mentioned something about how corrupted reports are rare, and said it could be the result of something wrong with my software or hardware. I am not sure if any of this is significant or not, but I thought I would let you know.


              Here is the Security Check checkup.txt you requested:

               Results of screen317's Security Check version 0.99.1    
               Windows XP Service Pack 3 
              ``````````````````````````````
              Antivirus/Firewall Check:

               Windows Firewall Enabled! 
               avast! Free Antivirus   
               eTrust EZ Antivirus   
              ``````````````````````````````
              Anti-malware/Other Utilities Check:

               Ad-Aware
               SpywareBlaster 4.2   
               Windows Defender   
               Windows Defender Signatures   
               CCleaner     
               Java(TM) 6 Update 18 
               Java Auto Updater   
               Out of date Java installed!
               Adobe Flash Player 10 
              Adobe Reader 7.1.0
              Out of date Adobe Reader installed!
              ``````````````````````````````
              Process Check: 
              objlist.exe by Laurent

               Windows Defender MSMpEng.exe 
               Ad-Aware AAWService.exe is disabled!
               Ad-Aware AAWTray.exe is disabled!
              ``````````````````````````````
              DNS Vulnerability Check:

               Unknown. This method cannot test your vulnerability to DNS cache poisoning.

              `````````End of Log```````````
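The checkup.txt above is plain text with sections separated by rows of backticks. As an added example (not part of the thread or of screen317's tool), this parser splits such a log into sections and pulls out the lines the helper acts on: out-of-date software, protection that is installed but disabled, and how many antivirus products are present. SAMPLE_LOG is constructed from the posted log rather than captured from the tool.

```python
"""Parse a screen317 Security Check checkup.txt and pull out the findings
a helper acts on. Added example; SAMPLE_LOG is constructed from the log
posted in the thread, not output captured from the tool itself."""
import re

SEP = "`" * 30  # the tool separates sections with a row of backticks
SAMPLE_LOG = "\n".join([
    " Results of screen317's Security Check version 0.99.1",
    SEP,
    "Antivirus/Firewall Check:",
    "",
    " Windows Firewall Enabled!",
    " avast! Free Antivirus",
    " eTrust EZ Antivirus",
    SEP,
    "Anti-malware/Other Utilities Check:",
    " Out of date Java installed!",
    "Adobe Reader 7.1.0",
    "Out of date Adobe Reader installed!",
    SEP,
    "Process Check:",
    " Windows Defender MSMpEng.exe",
    " Ad-Aware AAWService.exe is disabled!",
    " Ad-Aware AAWTray.exe is disabled!",
    SEP,
    "DNS Vulnerability Check:",
    " Unknown. This method cannot test your vulnerability to DNS cache poisoning.",
    "`" * 9 + "End of Log" + "`" * 11,
])

# A separator row, optionally carrying the "End of Log" marker in the middle.
SEPARATOR = re.compile(r"^`+(End of Log`+)?$")


def parse_checkup(text):
    """Return {section: [entry, ...]} keyed by the 'Xxx Check:' headers;
    the version line before the first header lands under 'Header'."""
    sections, current = {}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line):
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def findings(sections):
    """Flag the two kinds of line the thread's helper reacted to:
    outdated software and a protection process that is not running."""
    out = []
    for name, entries in sections.items():
        for entry in entries:
            if entry.lower().startswith("out of date"):
                out.append(("outdated", name, entry))
            elif entry.endswith("is disabled!"):
                out.append(("disabled", name, entry))
    return out


def antivirus_products(sections):
    """Antivirus entries only (the firewall line is not a product); more
    than one means two resident scanners, which the thread advises against."""
    return [e for e in sections.get("Antivirus/Firewall Check", [])
            if "Firewall" not in e]
```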

              Dr Jay

              Re: Need help removing all malware
              « Reply #9 on: January 29, 2010, 04:17:57 PM »
              Please download the newest version of Adobe Acrobat Reader from Adobe.com

              Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
              Go to the Control Panel and enter Add or Remove Programs.
              Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

              Once old versions are gone, please install the newest version.

              ==

              Please download the newest version of Java from Java.com.

              Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
              Go to the Control Panel and enter Add or Remove Programs.
              Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

              Once old versions are gone, please install the newest version.

              ==

              Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

              Software recommendations

              Firewall
              • Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
              • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by a 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
              • PC Tools Firewall Plus: free and excellent firewall.
              AntiSpyware
              • SpywareBlaster
                SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
              • Spybot - Search & Destroy.
                Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
              NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

              Resident Protection help
              A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

              Rogue programs help
              There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
              http://www.spywarewarrior.com/rogue_anti-spyware.htm

              Securing your computer
              • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft.  To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
              • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
              Please consider using an alternate browser
              Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

              If you are interested:
              See this page for more info about malware and prevention.
              ~Dr Jay
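The hpHosts advice above works because every blocklist line in a HOSTS file points a hostname at 127.0.0.1 (or 0.0.0.0), so the connection never leaves the machine. As an added example (not part of the thread and not hpHosts' own code), this script parses a HOSTS file, counts the entries that are genuine block entries, and separates out any line that points a name at some other address, which a blocklist should never contain and is worth checking. SAMPLE_HOSTS is constructed; the names and the 198.51.100.7 address are placeholders, not real sites.

```python
"""Audit a Windows HOSTS file of the kind hpHosts installs. A block entry
maps a hostname to loopback (127.0.0.1 / ::1) or to 0.0.0.0; an entry that
points a name anywhere else is a redirect and should be looked at.
Added example; SAMPLE_HOSTS is constructed, not an hpHosts release."""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adnetwork.test       # block entry
0.0.0.0         tracker.example.test
198.51.100.7    update.antivirus-vendor.test     # constructed redirect
127.0.0.1       www.example-malware.test
"""

# Addresses that make an entry a block entry rather than a redirect.
BLACKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}
# Names Windows maps to loopback on purpose; not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in the file.
    Comments and blank lines are skipped; a line may list several names.
    Raises ValueError if the first field is not an IP address."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip = ipaddress.ip_address(fields[0])
        for host in fields[1:]:
            yield n, ip, host.lower()


def audit_hosts(text):
    """Return {'blocked': [names], 'redirects': [(line, ip, name)]}."""
    blocked, redirects = [], []
    for n, ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if ip in BLACKHOLE:
            blocked.append(host)
        else:
            redirects.append((n, str(ip), host))
    return {"blocked": blocked, "redirects": redirects}
```

On a live system the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it with open(path).read() and pass the text to audit_hosts.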

              js2881


                Re: Need help removing all malware
                « Reply #10 on: January 29, 2010, 05:22:59 PM »
                Thank you so much for all of your help. Can I take this to mean that I am pretty much in the clear now?

                Oddly, I just installed the newest version of Java a couple of days ago.  Also, I noticed that you mentioned that SpywareBlaster is a passive protector. Are the resident protection features in Ad-Aware and/or Windows Defender considered to be passive? I know you said to use just one at a time, so I wanted to know which of the two would be best, or if I should just stick with the realtime protection in Spybot - Search & Destroy?

                Thanks again for everything.



                Dr Jay

                Re: Need help removing all malware
                « Reply #11 on: January 29, 2010, 06:21:06 PM »
                Oops. Security Check needs to be updated to include the new update for Java.  ::)

                Anyway, if you are going to run Ad-Aware and Windows Defender, then disable Windows Defender. These two are active. SpywareBlaster, however, is passive, meaning that it can run with 1 active protection. :)
                ~Dr Jay