Computer Hope
Software => Computer viruses and spyware => Topic started by: frustrated89 on April 12, 2009, 07:46:28 PM
-
I think this came from downloading a flashcodec which is the only thing that I've downloaded in forever anyways! When i do a search in a search engine and click on a result it opens up another window and redirects to some random site. I downloaded HijackThis which got rid of it popping up new windows but it's still redirecting me to random sites. Please help me get rid of this thing, it's driving me nuts!
-
Try Malwarebytes Anti-Malware
www.malwarebytes.org (http://www.malwarebytes.org)
and SUPERAntiSpyware
www.superantispyware.com (http://www.superantispyware.com)
-
I downloaded malwarebytes and installed well at least i thought so and it didn't work when i clicked on it to open. Is there something that I can do to change that? I uninstalled it and downloaded it again but it did the same thing.
-
Follow the guidelines .......
http://www.computerhope.com/forum/index.php/topic,46313.0.html
Post the three logs and a specialist assist you.
-
So I downloaded Superspyware but it's not opening up. Then i went to the link that was provided if there was problems and I downloaded the Definitions one which it opened and installed, well it seems that it did however I still have no application that I can click that works. This is what's coming up when I click the application file.
[attachment deleted by admin]
-
I downloaded Malwarebytes and I installed it however the program isn't opening.
-
See if you can run HijackThis......
Stay cool....one of the guys will get you up and running.
-
remember- if hijackthis crashes or won't start, trying renaming the program to something else. common suggestion is "sniper.exe".
a hijackthis log is better then no log; virus removal is tougher if it comes down to guesswork. ;D
-
okay so I ran HijackThis. Here is my log file.
[attachment deleted by admin]
-
OK, there are problems evident........one of the MS will help you out,
-
okay, so i did a scan with Trend MicroScan and i looked at the logs and it said TROJ_DLOAD.WY and that it was unable to clean. Is there different steps to be taken if it's a trojan horse?
-
Disable Windows Defender
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
- Open Windows Defender
- Click on Tools > Option
- Scroll down and uncheck Use real-time protection (recommended)
- After you uncheck this, click on the Save button and then exit Windows Defender
- Now on your keyboard press and hold Ctrl+Alt and then press the Delete key tow times to bring up the Task Manager.
- Locate MSASCui.exe then right click on it and choose End Process. Click Yes on the Task Manager Security Warning.
.
After all of the fixes are complete it is very important that you enable real-time protection again.
----------
Disable Ad-Aware as it may interfere with repairs
- Click the Settings button, Auto Scans tab, and under Scan on Ad-Aware startup
- Be sure both selections for No automated scan are checked (green).
- Then click Save and close Ad-Aware.
.
----------
Open HijackThis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
- R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
- O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
- O17 - HKLM\System\CCS\Services\Tcpip\..\{DE29503C-DC84-4376-B98F-74A264518032}: NameServer = 85.255.112.177,85.255.112.117
- O17 - HKLM\System\CCS\Services\Tcpip\..\{ECE83E20-69E7-4581-9AD9-6BAC8C3922D3}: NameServer = 85.255.112.177,85.255.112.117
- O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.177,85.255.112.117
- O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.177,85.255.112.117
- O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.177,85.255.112.117
.
Important: Close all windows except for HijackThis and then click Fix checked.
Exit HijackThis.
----------
1. Right-click the network icon in the System Tray.
2. From the pop-up menu, select "Diagnose and Repair".
3. Click "Automatically get new IP settings for the network adapter 'Local Area Connection'". At this stage there is annoyingly no "Reset network adapter" option.
4. In the "Windows needs your permission to continue" box, click Continue.
5. Wait for the "Repairing" window to complete (takes a while).
6. In the Windows Network Diagnostics window, click "Reset the network adapter 'Local Area Connection'".
7. You should see "The problem has been resolved".
8. Click Close.
----------
Download Malwarebytes' Anti-Malware (MBAM) (http://www.besttechie.net/tools/mbam-setup.exe)
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
-
(Before I read the last posting) I did a scan again with Trend MicroScan and looked at the logs. And I went into the Temporary Files folder where it had said this TROJ_DLOAD.WY would be, I deleted whatever was in the folder and it seems to have worked. When I searched for something and clicked on it, it actually went to where it should and before it wouldn't. I tried this for a couple of searches and it was working. Do you think that this thing is gone?
-
Do you think that this thing is gone?
No it's not gone. The O17 entries in the HijackThis fix are from a Wareout infection. It will take a few scans to be sure it's completely gone. Malware almost never comes in just one file and location.
-
Nevermind. It didn't stop doing it. I'm going to do the instructions you gave me right away!
-
This is on a laptop that has a wireless connection. Would this part be different?
1. Right-click the network icon in the System Tray.
2. From the pop-up menu, select "Diagnose and Repair".
3. Click "Automatically get new IP settings for the network adapter 'Local Area Connection'". At this stage there is annoyingly no "Reset network adapter" option.
4. In the "Windows needs your permission to continue" box, click Continue.
5. Wait for the "Repairing" window to complete (takes a while).
6. In the Windows Network Diagnostics window, click "Reset the network adapter 'Local Area Connection'".
7. You should see "The problem has been resolved".
8. Click Close.
-
Just skip that for now.
-
I downloaded the Malwarebytes' anti-malware, installed it but the program won't open. When I click to open it I'm prompted by Windows Defender asking whether or not to allow which I click allow but still nothing happens, what can I do?
-
I've got Norton Protection Center, i downloaded combofix and trend microscan. User account control is what is popping up asking whether or not to continue. When i click continue, the program still doesn't open up. it's not windows defender, sorry.
-
Don't run ComboFix yet. You could damage your computer. Please stick to my instructions to make things easier on both of us :)
Go to the folder C:\Program Files\Malwarebytes' Anti-Malware
Open the Malwarebytes' Anti-Malware folder and right click on the mbam icon and choose Rename. Give it any random name, xzy123 or whatever. Then double click the newly renamed mbam icon and see if it will run.
-
still not working :'(
-
Try this please.
Download the NVT Malware Remover Tool (http://www.novirusthanks.org/dl.php?get=NVT_Malware_Remover_Tool_English.zip) to your desktop.
* Unzip the file and then run the installer.
* Once installed click on the Update tab and check for updates.
* Next click the Scan tab and then click Scan button to begin the scanner.
* If any threats are found select the Remove button and then click Apply
* Next select the button next to Copy in DETECTED folder then click Apply
* Next at the top of the scanner window click Menu then select Open DETECTED folder
* Post that log back here.
* Restart the computer.
-
After I did the scan it said that No malicious files were found. and I went to check out the log and nothing is there.
Getting difficult?
-
Rename ComboFix to Combo-Fix and try to run it. Post the log.
-
how do i disable trend micro officescan, do u know?
-
Just continue on with ComboFix. Allow it to run if Trend Micro tries to block it.
-
When will I know that it's finished?? or what will happen when it is finished?
-
What stage is it on?
-
well it's showing the log file in Notepad, but that's it.
-
Copy that log and post it here. Or save it to the desktop and attach it. either way I need the log.
Did ComboFix restart the computer? If not the restart it after posting the log.
-
here is the log file... sorry i just realized i put it twice.
[attachment deleted by admin]
-
OK things should get easier now.
I don't see anything that needs to be done with ComboFix so try to open, update and run MalwareBytes now. Please post the log it creates.
But first you need to get rid of Norton which is still running.
Download the Norton Removal Tool (SymNRT) (http://www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html) to your Desktop.
Once downloaded please close ALL open browsers, also save any work because this may require a restart.
- Go to your desktop and double click on the removal tool and then click Setup.
- Once open Click Next
- Accept the license agreement and click Next
- Type in the letters/numbers that you see into the text box then click Next.
- Then click Next and the tool will start running.
- Once finished restart the PC.
- Delete Nortonremoval tool from your Desktop.
.
----------
Now update and run MalwareBytes.
-
I'm running Malwarebytes right now, it is FINALLY working!!! Are we almost in the clear?
-
I think we are. Depends on what MalwareBytes finds.
-
Here is the log....
[attachment deleted by admin]
-
That found some of the same files that ComboFix was supposed to fix so we need to do another scan to make sure it is gone. This will only take a few minutes.
Download DDS by sUBs (http://www.forospyware.com/sUBs/dds) and save it to your desktop. Alternate DDS download link (http://download.bleepingcomputer.com/sUBs/dds.scr)
Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
1) DDS.txt
2) Attach.txt
* Save both logs to your desktop.
* Please include the entire contents of both logs in your next reply.
Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
Also let me know how the computer is acting now?
-
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-03-16.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 28/06/2007 12:38:01 PM
System Uptime: 13/04/2009 11:27:21 PM (0 hours ago)
Motherboard: Intel Corporation | | CAPELL VALLEY(NAPA) CRB
Processor: Genuine Intel(R) CPU T2080 @ 1.73GHz | U2E1 | 800/mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 100 GiB total, 64.395 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 9.923 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
==== Installed Programs ======================
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player
Atheros Driver Installation Program
Bluetooth Stack for Windows by Toshiba
CD/DVD Drive Acoustic Silencer
Choice Guard
DVD MovieFactory for TOSHIBA
FF Ver 3.4- UofM Home Version 080123
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Java(TM) SE Runtime Environment 6
JMP Student Edition
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Media Video 9 VCM
Microsoft XML Parser
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
NVT Malware Remover Tool v2.0.8b1
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Smart Menus (Windows Live Toolbar)
Super TextTwist
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Hardware Setup
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Trend Micro OfficeScan Client
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Upload Tool
WinDVD for TOSHIBA
==== End Of File ===========================
[attachment deleted by admin]
-
My computer is working fine. I think that the search thing is working right now. Please tell me that everything is okay now??
-
OK I found another one so it needs to be taken care of. This should be the last scan.
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
KillAll::
DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
Folder::
c:\windows\system32\gxvxccounter
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
----------
Your Java is out of date.
Older versions have vulnerabilities that malicious sites can use to infect your system.
First install the new Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html)
Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Be sure to close all browser windows before beginning the install.
Remove the old version(s)
Download JavaRa (http://www.majorgeeks.com/JavaRa_d5967.html)
- Unzip the file and open the JavaRa.exe
- Click Remove Older Versions
- JavaRa will search for and remove any outdated version of Java and remove any that are found.
- Click Additional Tasks
- Place a check next to Remove Useless JRE Files and click Go
- Exit JavaRa
- Delete the JavaRa files from the Desktop
.
Additional Note: The Java Quick Starter (JQS.exe) (http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.
-
here it is
ComboFix 09-04-14.01 - Natasha 14/04/2009 0:14.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.1013.302 [GMT -5:00]
Running from: c:\users\Natasha\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Natasha\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\gxvxccounter
.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.
2009-04-14 04:14 . 2009-04-14 04:14 -------- d-----w c:\users\Natasha\AppData\Roaming\Malwarebytes
2009-04-14 01:57 . 2009-04-14 01:57 -------- d-----w c:\program files\NVT Malware Remover Tool
2009-04-14 01:29 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 01:29 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 01:29 . 2009-04-14 01:29 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-14 01:29 . 2009-04-14 01:29 -------- d-----w c:\programdata\Malwarebytes
2009-04-14 01:29 . 2009-04-14 01:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 22:05 . 2009-04-13 22:07 -------- d-----w C:\ComboFix
2009-04-12 00:01 . 2009-04-13 00:49 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-11 23:58 . 2009-04-13 00:49 -------- d-----w c:\users\All Users\Lavasoft
2009-04-11 23:58 . 2009-04-13 00:49 -------- d-----w c:\programdata\Lavasoft
2009-04-10 14:35 . 2009-04-13 19:39 14040 ----a-w c:\windows\cfgall.ini
2009-04-10 14:05 . 2009-04-10 14:05 -------- d-----w C:\Quarantine
2009-04-10 14:04 . 2009-04-10 14:04 -------- d-----w c:\windows\system32\log
2009-04-10 14:03 . 2009-04-13 00:01 -------- d-----w c:\program files\Trend Micro
2009-04-10 13:52 . 2009-04-10 13:52 -------- d-----w c:\users\Natasha\AppData\Roaming\InstallShield
2009-04-02 02:29 . 2009-04-02 02:29 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 05:19 . 2007-06-28 17:46 16384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2009-04-14 05:19 . 2007-06-28 17:46 16384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2009-04-14 05:19 . 2007-06-28 17:46 131072 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2009-04-14 05:19 . 2009-04-14 05:19 2048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2009-04-14 05:19 . 2009-04-14 05:19 2048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2009-04-14 04:10 . 2008-02-12 22:41 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-14 04:08 . 2008-02-12 22:42 -------- d-----w c:\programdata\Symantec
2009-04-13 02:20 . 2009-04-13 03:04 15087689 ----a-w c:\program files\PROCESSLIST.DB
2009-04-13 02:20 . 2009-04-13 03:04 1143446 ----a-w c:\program files\PROCESSLISTRELATED.DB
2009-04-13 00:22 . 2009-04-12 14:05 444 ----a-w C:\aaw7boot.log
2009-04-10 14:07 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-10 14:07 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstrng.dat
2009-04-10 14:07 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-03-12 14:57 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-03-12 14:16 . 2007-07-26 21:43 -------- d-----w c:\programdata\Microsoft Help
2009-02-27 17:34 . 2007-09-27 19:53 32768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2009-02-27 17:34 . 2007-09-27 19:53 16384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2009-02-27 17:34 . 2007-09-27 19:53 16384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2009-02-21 17:53 . 2008-03-08 03:09 -------- d-----w c:\program files\Windows Live
2009-02-09 03:10 . 2009-03-11 14:46 2033152 ----a-w c:\windows\System32\win32k.sys
2009-02-07 00:52 . 2009-02-07 00:52 49504 ----a-w c:\windows\System32\sirenacm.dll
2009-01-15 06:11 . 2009-02-12 03:53 827392 ----a-w c:\windows\System32\wininet.dll
2008-12-19 09:01 . 2008-05-26 14:56 680 ----a-w c:\users\Natasha\AppData\Local\d3d9caps.dat
2008-12-19 02:52 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-07-27 16:46 . 2007-06-28 04:00 112408 ----a-w c:\users\Natasha\AppData\Local\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-04-13_22.33.35.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-06 23:40 . 2009-04-14 05:21 45788 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-04-14 05:21 61744 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2007-06-28 04:01 . 2009-04-14 03:23 10836 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-381672913-1497699758-3801013932-1000_UserData.bin
+ 2007-06-28 04:01 . 2009-04-14 05:21 10836 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-381672913-1497699758-3801013932-1000_UserData.bin
+ 2007-06-28 17:46 . 2009-04-14 05:19 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-06-28 17:46 . 2009-04-14 03:21 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-28 17:46 . 2009-04-14 05:19 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-06-28 17:46 . 2009-04-14 03:21 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-04-14 03:21 . 2009-04-14 03:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-14 05:19 . 2009-04-14 05:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-14 05:19 . 2009-04-14 05:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-04-14 03:21 . 2009-04-14 03:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-04-14 05:20 . 2008-11-27 20:52 296224 c:\windows\temp\TZ5345.EXE
- 2006-11-02 12:43 . 2009-04-14 03:09 262144 c:\windows\System32\config\systemprofile\ntuser.dat
+ 2006-11-02 12:43 . 2009-04-14 05:13 262144 c:\windows\System32\config\systemprofile\ntuser.dat
+ 2007-06-28 17:46 . 2009-04-14 05:19 131072 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-28 17:46 . 2009-04-14 03:21 131072 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 12:47 . 2009-04-14 05:22 262144 c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2006-11-02 12:47 . 2009-04-14 03:23 262144 c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2006-11-02 12:47 . 2009-04-14 03:23 262144 c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2006-11-02 12:47 . 2009-04-14 05:22 262144 c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2007-06-28 04:10 . 2009-04-14 03:19 729848 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2007-06-28 04:10 . 2009-04-14 05:18 729848 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-19 2153472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-12 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-12 530552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-11-27 718120]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-11-07 3772416]
"NDSTray.exe"="NDSTray.exe" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{29DF42F3-06E5-4AF2-8F87-01E0CA882130}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{48B3A74E-4778-4E18-BAF0-32A825034145}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{50C363D8-B98A-4FD4-9ED7-889E9B7E8B41}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{5BA02A87-7C49-47E6-9A1E-F75B19E442C5}c:\\program files\\gamehouse\\texttwist\\texttwist.exe"= UDP:c:\program files\gamehouse\texttwist\texttwist.exe:Super TextTwist
"UDP Query User{A838F259-EA07-402D-9C96-64E3B1E37CC4}c:\\program files\\gamehouse\\texttwist\\texttwist.exe"= TCP:c:\program files\gamehouse\texttwist\texttwist.exe:Super TextTwist
"{ED272B27-4716-433F-9940-EA6C64A86A2F}"= UDP:c:\users\Natasha\AppData\Local\Temp\7zSD2E8.tmp\SymNRT.exe:Norton Removal Tool
"{0A6322AA-EAA4-43F4-8775-C76C9D4AD2A5}"= TCP:c:\users\Natasha\AppData\Local\Temp\7zSD2E8.tmp\SymNRT.exe:Norton Removal Tool
"{76D597C6-402F-46BE-997F-F89B5E58B1AC}"= UDP:11050:Trend Micro OfficeScan Listener
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2008-08-21 652552]
S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2008-11-26 205328]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2008-11-26 36368]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
Contents of the 'Scheduled Tasks' folder
2009-04-13 c:\windows\Tasks\User_Feed_Synchronization-{2863D096-11F2-4FDE-893A-3C671B4EAF22}.job
- c:\windows\system32\msfeedssync.exe [2008-06-12 07:33]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 00:22
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\temp\TZ5345.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\System32\conime.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Toshiba\ConfigFree\CFSwMgr.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-14 05:33
ComboFix2.txt 2009-04-14 03:35
Pre-Run: 71,636,881,408 bytes free
Post-Run: 71,556,997,120 bytes free
188 --- E O F --- 2009-04-14 00:44
-
I ran Malwarebytes which found 1 object infected. I clicked remove and it did its process. After the computer restarted I did a scan again and it did not detect any object infected. Is it gone now?
-
c:\windows\temp\TZ5345.EXE <--- Looks like trouble, unless it's something to do with hiding combo fix from malware??
Don't do anything until EvilFantasy replies :P
-
that's part of combofix, I believe.
-
Time to clean up. Let me know if you have any questions.
- Click START then RUN
- Now type Combo-fix /u in the runbox
- Make sure there's a space between Combo-fix and /u
- Then hit Enter.
- The above procedure will:
- Delete the following:
- ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
.
----------
Go to c:\windows\temp\ and delete
everything in the temp folder.
----------
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your Desktop.
Alternate download link (http://majorgeeks.com/ATF_Cleaner_d4949.html)
Note: Vista users must use Run As Administrator (http://vistasupport.mvps.org/run_as_administrator.htm)
- Under Main: Select Files to Delete choose: Select All.
- Click the Empty Selected button.
- If you use Firefox browser click Firefox at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
- If you use Opera browser click Opera at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
- Click Exit on the Main menu to close the program.
Note that your system will run slower for a reboot or two after having used this tool so don't panic.
----------
Download OTCleanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to your Desktop.
- Double-click OTCleanIt.exe.
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes, if not delete it yourself.
.
Important: Restart the computer before continuing.
----------
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.
-
Thank you VERY VERY VERY much for all your help and patience with me!
-
Your welcome.
Safe surfing... (|