Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: DennisT on October 30, 2010, 03:32:50 PM
-
We have 3 computers here at home. I try really hard to maintain them. Always updating; they always have AV. I was really blind-sided by this last night.
Problem is 5 yr old HP 4805 laptop, with Win. XP, SP2, etc. We have wireless router running for household. I use AVG AV on everything else here, but after a MS update a couple years ago I had trouble loading AVG so switched to Avast' AV for this laptop only. Seemed to work OK. This laptop is the, "floater," for household and various kids, (yeah, that's bad already). So every few weeks I snag it as it goes by and check updating and AV. Dump, for example, grand-daughter's left-in 10 layers of doll house games, etc.
A short time ago I got it, turned it on and Avast had expired. Wanting to try AVG again, I went to add/delete and deleted Avast. Marked a new restore-point as, "before new AVG." Downloaded AVG successfully and updated it.
Last night one of the older grand-kids brought it in with, "problems." Turned it on and got all kinds of virus flags. I tried to open AVG and got window saying AVG.exe infected and would not open. The original HP factory loaded, "try me-pay me later," AV threw a window which I eventually tried. That merely ran a 60 second, "scan," scrolled a ton of various virus example names and offered to sell me a fix if I bought it on line. So much for that.
This morning I tried to get into Help and Support to activate the old restore point but got same window, Help & Support is infected and cannot open.
I have NO programs or archives in the laptop that are important. No tax info, banking etc. info at all. I could easily dump the whole thing and reload from scratch if it comes to that. (Can't remember, though, if HP included an XP disc)
SO: I don't know where to begin. I tried to do my homework here in this forum and read before posting topic. I don't know if this is virus or malware, or both. (What's the difference?) I see a post to download, (if possible), highjackthis and re-naming it. (Where-ever things are re-named). ????
I'd pack the whole thing to a computer store but I'm 67 and with retirement income what it is I need to try something myself. I can get around computer operations OK, but I'm not a guru-hobbist that lives with them. So I need specific directions.
If someone can give me a tip where to begin that would be wonderful. Thanks for listening, Dennis
-
Please follow the instructions in the following link and post your logs:
http://www.computerhope.com/forum/index.php/topic,46313.0.html
-
Thank you, Allan:
I had found your link when doing homework earlier. I just was not certain if that was where I needed to begin. I'm now using that. I have always been told my wireless router was my firewall and to install no others. I've stayed with that.
I do not use TeaTime, so skipped that.
I am now trying to access Control Panel and if successful, will list here any unusual items shown under add/delete.
Dennis
-
When I try to bring up control panel, add or remove programs, I get window that says rundll32.exe is infected and application cannot be executed.
Where do I go next on the trouble shooting chart?
Dennis
-
The only, original factory skeleton AV in this laptop just popped up a window that included the following:
virus: Win32/Nugel.E
attacked from 147.77.153.71, port 27047
attacked port 7793
A few minutes later same window says something about, "BankerFoxA."
I hope my laptop is not currenting communiting with the internet drawing in more junk/risk. ??
Dennis
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*******************************
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
Save Rkill to your desktop.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
Rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
Rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
Rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
Rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
Once you've gotten one of them to run then try to immediately run the following.
Now download and Run exeHelper.
Please download exeHelper from Raktor (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop. Double-click on exeHelper.com to run the fix. A black window should pop up, press any key to close once the fix is completed. A log file named log.txt will be created in the directory where you ran exeHelper.com Attach the log.txt file to your next message.
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
***************************************
SUPERAntiSpyware
If you already have SUPERAntiSpyware be sure to check for updates before scanning!
Download SuperAntispyware Free Edition (SAS) (http://www.superantispyware.com/download.html)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked
•Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes
•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.
•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
************************************
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here (http://www.malwarebytes.org/mbam/program/mbam-setup.exe).
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*****************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
-
Thank you, Dave:
First, this laptop has a built in wireless adapter. I run a wireless router here which includes serving the desktop machine I am typing this on. Do I need to disable the wireless feature from the infected laptop before I do anything else? (If so, how?) (I've tried a few things and wondered if the virus would try to access the internet to cause more problems, that's why I'm asking)
Otherwise, I'm ready to follow your instructions. Some sound a bit complicated, but I can ask more questions along the line and I'm not in a hurry.
Dennis
-
Do I need to disable the wireless feature from the infected laptop before I do anything else? (If so, how?) (I've tried a few things and wondered if the virus would try to access the internet to cause more problems, that's why I'm asking)
No. Don't disable the wireless. But if you ever need to disable it there should be a small button on your laptop to do this. Please proceed with the rest of the instructions.
-
Dave and All:
This is curious stuff..........
Turned laptop on today following your directions to continue. I tried to go on line to download the Rkill program and just got screen that said couldn't access internet. (Keep in mind we are on a radio wireless high speed here that runs from our house to next farm, -10 miles-, from there to grain elevator and into town. Often we can't get on line) Anyway, I could work from this desk machine so I downloaded Rkill onto a CD and then downloaded exe.Helper on second CD.
Shoved the Rkill disc into laptop. Brought up a black window showing Rkill and blinking cursor. After about 15 seconds it went blank. I was uncertain if Rkill did anything at all. In case it did, I put in exe-Helper disc and it brought up the window showing it's icon. Clicked on icon and asked it to run. Immediately I got a window that it was having trouble and did I want to report to MicroSoft. I said no, and figured I hit a dead end.
Then I got a window from the laptop's original skimpy AV program asking if I wanted to quarantine malware? Knowing I was departing from your directions a bit, I clicked yes. After that I was able to get the Grisoft AVG to open, (before it wouldn't saying it was infected). I was able to run a scan. Scan found two corrupted files and maleware, "Trojan.FakeAVIGen39." It put that into the virus vault.
Then I rebooted. Laptop came up showing no obvious signs anything was wrong. I brought up AVG again and ran a second, complete scan which then showed no problems.
Now what do you suggest? Sorry I departed from your suggestions but I thought I saw an, "open door," and I jumped through it. I notice you seem to recommend, "SUPERantispyware," Should I download that? I have, "Spybot, Search and Destroy," but didn't use it recently.
Lastly, I'm still having trouble getting on line but I'm holding off getting excited about for the moment. And I still do not trust this machine is clean.
I might consider deleting Spybot and installing Superantispyware and running it.
?
Dennis
-
Update:
Ran the laptop several times, rebooting between sessions. All Grisoft AVG and Spybot scans now returning clean. (But I don't trust even that) However, MS Internet Explorer 7 will still not find it's way on line. Merely returns the same largely white screen that it cannot access the internet, "maybe I'm not connected, " etc. All other computers in the house accessing fine. So I think the infection glitched IE. Otherwise laptop seems to be functioning fine although I've not tried doing a lot.
I did remember I have hundreds of condensed, low res thumbnail logging/railroad photos in this machine in pdf groups. I've not tried to access those. I wonder if infections interfer with such files?
Tips on a more comprehensive cleaning and repair/replacement of IE would be appreciated. I hope I did my part sufficiently well on all this....I'm really trying hard.
Thank you,
Dennis
-
More update:
Just fired up the laptop and updated Grisoft AVG. Then ran scan. Picked up," Trojan Horse Generic39.CBVD." So something is still residing in this machine somewhere.
I'm wondering if I need a more powerful cleaning agent.
Dennis
-
you haven't posted any of the logs SuperDave requested.
-
BC:
That's because I've had nothing yet to post. I had once read warnings about multiple spyware programs having conflict, that's why I asked earlier if I could continue with Superantispyware, etc., having SpyBot already. I eventually answered my own question when I carefully read Dave's signature line showing he was running both. My laptop no longer will access the internet, so I downloaded SuperantiSpy on this machine, put it on CD and put it in my laptop. I doubt it could request updates but I ran it anyway. I now have that log via Notepad. I'm next downloading the other programs as Dave asked and will accumulate all logs to post when finished. I'll move the logs onto a CD, load that on this machine, then I can cut/paste to forum post.
Dennis
-
I hope this works. Here are the logs.
Back when trying to run Rkill and exe.helper I didn't get any info back; (Not sure laptop was doing well then)
I'll post now and see if any of this works.
Looks like, "checkup," sees me as having one poor security area. (Like the teacher scolding the kid)
Dennis
[recovering disk space - old attachment deleted by admin]
-
Well, only the final attachment made it. Guess I'll do each separately.
This should the the SASpyware report.
Dennis
[recovering disk space - old attachment deleted by admin]
-
Finally, the Malware report.
Dennis
[recovering disk space - old attachment deleted by admin]
-
Figured out how to bundle logs.
Rkill:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Dennis on 11/01/2010 at 16:37:32.
Services Stopped:
Processes terminated by Rkill or while it was running:
D:\rkill.exe
Rkill completed on 11/01/2010 at 16:37:42.
SASW:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/01/2010 at 11:58 AM
Application Version : 4.45.1000
Core Rules Database Version : 5767
Trace Rules Database Version: 3579
Scan type : Complete Scan
Total Scan Time : 02:19:35
Memory items scanned : 420
Memory threats detected : 0
Registry items scanned : 5972
Registry threats detected : 0
File items scanned : 72252
File threats detected : 90
Adware.Tracking Cookie
C:\Documents and Settings\Dennis\Cookies\dennis@1071638897[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@chitika[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@belnk[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@invitemedia[2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@adecn[2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@qksrv[2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@tribalfusion[2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@tracking[1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@revsci[2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@media6degrees[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@bravenet[2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@xxxcounter[1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].tx
C:\Documents and Settings\Dennis\Cookies\dennis@realmedia[1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@imrworldwide[1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@bannerspace[2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@advertising[2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@dealtime[1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@toplist[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@atwola[2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@atdmt[2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@nextag[2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@tripod[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@serving-sys[1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@adprotraffic[2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@247realmedia[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@adknowledge[1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@specificclick[1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@kanoodle[2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@rambler[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@intellisrv[1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@overture[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@advertpro[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@2o7[2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@roiservice[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@insightexpressai[2].txt
C:\Documents and Settings\Dennis\Cookies\dennis@questionmarket[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@trafficmp[2].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@list[1].txt
C:\Documents and Settings\Dennis\Cookies\[email protected][1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@xiti[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@trafficholder[1].txt
C:\Documents and Settings\Dennis\Cookies\dennis@ocxxx[2].txt
core.insightexpressai.com [ C:\Documents and Settings\Dennis\Application Data\Macromedia\Flash Player\#SharedObjects\6LWYEY94 ]
msntest.serving-sys.com [ C:\Documents and Settings\Dennis\Application Data\Macromedia\Flash Player\#SharedObjects\6LWYEY94 ]
Mal:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5016
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
11/1/2010 2:42:14 PM
mbam-log-2010-11-01 (14-42-14).txt
Scan type: Full scan (C:\|)
Objects scanned: 205704
Time elapsed: 1 hour(s), 37 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
CClean:
Results of screen317's Security Check version 0.99.6
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG 2011
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java 2 Runtime Environment, SE v1.4.2
Adobe Reader 7.0.8
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
````````````````````````````````
DNS Vulnerability Check:
POOR! (Vulnerable to DNS cache poisoning!!-- Consider OPENDNS)
``````````End of Log````````````
-
Can you now get on the internet?If you can, please run these scans.
Please download: HiJackThis (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe) to your Desktop.
- Double Click the HijackThis icon, located on your Desktop.
- By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
- Accept the license agreement.
- Click the Open the Misc Tools section button.
- Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
- Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
- Please post the log in your next reply.
**************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
If you still can't access the Net, please run this and post the log. ps. You can save money by using CD-+RW's. There re-writable.
Please run Notepad (start > All Programs > Accessories >
Notepad) and copy and paste the text in the code box into a new file:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
•Go to the File menu at the top of the Notepad and select Save as.
•Select save in: desktop
•Fill in File name: test.bat
•Save as type: All file types (*.*)
•Click save.
•Close the Notepad.
•Locate and double-click test.bat on the desktop.
•A notepad opens, copy and paste the content it (log1.txt) to your reply.
-
Whew. I really appreciate your help SuperDave. As clearly as you post instructions, I must admit I still struggle getting things lined up right. ( ! )
Here we go:
Ahhhhhhhhhhhh. This turned into a big mess for me. I can paste the two logs into Notepad. When I save as onto desktop the resulting icon I've never seen before. Something like a gear. All this done on this, my desktop machine, as laptop still cannot access the Net.
If I click on resulting, "gear," icon, I get a black window with a lot of different stuff in it and the file name ends in, "cmd.exe." It also seems to scroll quickly, and exit.
I have to leave for a while. When I get back I'll begin all over again.
Dennis
-
I can paste the two logs into Notepad
The logs are already created in Notepad. All you need to do it copy and paste them in your reply. If that doesn't work, just attach the logs to your reply.
-
Here we go again:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:05 AM, on 11/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:10293
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (filesize 63128 bytes, MD5 F17B2B264072B921FC66A0BE16626BAB)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (filesize 2922848 bytes, MD5 4B36A4C4E8BC9A6E64147F7B2A20CB94)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (filesize 1879896 bytes, MD5 022C2F6DCCDFA0AD73024D254E62AFAC)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (filesize 98304 bytes, MD5 9B4C1812595C389AB9CCF1FF3B315248)
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK (filesize 282624 bytes, MD5 1CFC40FC03D3EC281C96B88245117FF7)
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s (filesize 45056 bytes, MD5 291822FC9D05FBBEFB0EC008FE2213F3)
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXEC:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exeC:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" (filesize 65536 bytes, MD5 364784A6F653DF81B76424A39DBA237B)
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" (filesize 868352 bytes, MD5 6B7DA9DB5A15F762A7A56DF0006A531B)
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeC:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe (filesize 4608 bytes, MD5 EA3BE7F5CDEF0FE4DF1BF6DBFE7ABDE0)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" (filesize 241664 bytes, MD5 B75B654EE1DA99876461B24597AE3FF3)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exeC:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe" (filesize 101080 bytes, MD5 7512EC7190DBEA84D34B5C21E7AFAD4C)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (filesize 111376 bytes, MD5 6C23E670AC7B272F74910EB9BEE5E414)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (filesize 29696 bytes, MD5 43362B96870CE8649F4F2EC893DA93F0)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (filesize 65636 bytes, MD5 4ACFBF6AB1BBE79DBD665C186B3B5AFD)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (filesize 65636 bytes, MD5 4ACFBF6AB1BBE79DBD665C186B3B5AFD)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (filesize 1879896 bytes, MD5 022C2F6DCCDFA0AD73024D254E62AFAC)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (filesize 1879896 bytes, MD5 022C2F6DCCDFA0AD73024D254E62AFAC)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/sj/en/check/qdiagh.cab?326
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (filesize 201568 bytes, MD5 01F59CEB86096527A68137C2AAF97E7A)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLLC:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exeC:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exeC:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exeC:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exeC:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exeC:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeC:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
--
End of file - 11183 bytes
Results of screen317's Security Check version 0.99.6
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG 2011
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner
Java 2 Runtime Environment, SE v1.4.2
Adobe Reader 7.0.8
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.12)
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
````````````````````````````````
DNS Vulnerability Check:
POOR! (Vulnerable to DNS cache poisoning!!-- Consider OPENDNS)
``````````End of Log````````````
Ahhhh. That's the way I would have done it to begin with. Hope this helps.
Meeting tonight; then back at it. I think we're gaining.
Dennis
-
Disable/Remove Windows Messenger (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.
Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.
Exit out of MessengerDisable then delete the two files that were put on the desktop.
**********************************
Open HijackThis and select Do a system scan only
Place a check mark next to the following entries: (if there)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:10293
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
**********************************
Please download the newest version of Adobe Acrobat Reader from Adobe.com (http://www.adobe.com/products/acrobat/readstep2.html)
Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.
Once old versions are gone, please install the newest version.
****************************************
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)
Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console[/list]
(http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
Hi:
Out of caution, I decided to post this with a question.
First, when attempting to go on-line to the Net, I had once recently seen, "can't find proxy server," when trying to open IE. In town yesterday I asked my ISP about proxy server and he said they don't use it and I shouldn't have it. So in IE Tools, I found it checked; I unchecked it. I couldn't remember what I should have in the first place.
I can now access the Net.
Next I just did everything on your last list stopping just before ComboFix. (Deleted Messenger, removed old Adobe Reader and installed the latest version) Using the laptop itself to do downloads.
I cannot find ComboFix on the BleepingComputer site at all. I looked at GeeksToGo and found it under an alternate download site. While doing that I noticed some forum comments, etc., that warned about not using ComboFix unless under highly trained supervision, (but that's you.) And, as you admonished, warnings about turning off AV and spyware, etc. Apparently someone was using ComboFix and thereafter could not boot up their computer.
Now that I'm nervous after reading that, I am thinking of going into Control Panel and doing Removes for HiJack This and the other programs you suggested so far. The restarting my laptop. Then I'll, "turn off AVG and SpyBot."
After all that I'll download ComboFix from an alternative site.
As a side comment, now that I can go on-line to the Net, were I not otherwise aware, I'd think this laptop is running fine. A long time ago I decided that even when I think a machine is running clean, I STILL don't trust that something hasn't inflitrated and is sitting in there waiting to do harm. So I agree with continuing to purge this laptop, no matter how good it's beginning to look.
So should I fully delete your earlier download suggestions and continue with ComboFix after that as I stated above?
Dennis
-
After all that I'll download ComboFix from an alternative site.
When you click on the first download link you should just get a download box. What browser are you using? You may have to use Internet Explorer but I just tried it with FireFox and it works.
So should I fully delete your earlier download suggestions and continue with ComboFix after that as I stated above?
You can uninstall HJT. We are finished with it. Please run ComboFix and post the logs.
-
Whew; again...
I'm using IE. (I downloaded Firefox a day or so ago in case IE was un-fixable)
I disabled AVG for the 15 minutes, (which appears to be the maximum) By the time I got under way, that time expired during ComboFix, but CF saw it and put up a warning. I simply un-installed AVG. Then I brought ComboFix back up and proceeded as you directed. It came to a blue box with, "preparing to run." I waited, and it asked to download Recovery Console, which I did. Then, before I could type in the line you wanted ending in, "stepdel," it went into AutoScan. Ran through some 50 processes. I just let it go. The end log is included here:
ComboFix 10-11-03.04 - Dennis 11/04/2010 19:35:05.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.189 [GMT -7:00]
Running from: c:\documents and settings\Dennis\Desktop\commy.exe
.
((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))
.
2010-11-04 06:12 . 2010-11-04 06:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-11-03 14:17 . 2010-11-03 14:17 -------- d-----w- c:\program files\Trend Micro
2010-11-01 23:33 . 2010-11-01 23:33 -------- d-----w- c:\documents and settings\Dennis\Local Settings\Application Data\Mozilla
2010-11-01 19:52 . 2010-11-01 19:52 -------- d-----w- c:\documents and settings\Dennis\Application Data\Malwarebytes
2010-11-01 19:52 . 2010-11-01 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-01 16:27 . 2010-11-01 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-01 01:00 . 2010-11-01 01:10 -------- d-----w- C:\f5b763e5d84ff038215219e7ba16
2010-11-01 00:15 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-11-01 00:15 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-01 00:15 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-11-01 00:14 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-31 23:47 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-10-30 04:03 . 2010-10-30 04:03 -------- d-----w- c:\documents and settings\Dennis\Application Data\AVG10
2010-10-30 03:57 . 2010-10-30 03:57 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-30 03:51 . 2010-11-05 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-30 03:50 . 2010-10-30 03:50 -------- d-----w- c:\program files\AVG
2010-10-30 03:18 . 2010-10-30 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2003-03-31 02:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2003-03-31 02:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-03-31 02:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-03-31 02:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2004-02-07 01:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2003-03-31 02:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2003-03-31 02:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2003-03-31 02:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2003-03-31 02:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2003-03-31 02:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2003-03-31 02:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2003-03-31 02:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-05-15 01:50 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2003-03-31 02:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2003-03-31 02:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-05-22 02:54 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-25 101080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 335872]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-22 98304]
"TV Now"="c:\program files\HPQ\Notebook Utilities\TvNow.exe" [2003-01-30 282624]
"Display Settings"="c:\program files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 45056]
"QT4HPOT"="c:\program files\HPQ\One-Touch\OneTouch.EXE" [2003-03-13 102400]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-19 868352]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"CARPService"="carpserv.exe" [2003-05-21 4608]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-12 172032]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
c:\documents and settings\Dennis\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-12-9 111376]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-06-08 86016]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATCS Monitor\\atcsmon.exe"=
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [5/21/2004 6:27 PM 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [5/21/2004 6:27 PM 244608]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [7/16/2003 6:01 PM 28280]
S2 AvgCore;AVG6 Kernel;\??\c:\progra~1\Grisoft\AVG6\avgcore.sys --> c:\progra~1\Grisoft\AVG6\avgcore.sys [?]
S2 AvgFsh;AVG6 Rezident Driver;\??\c:\progra~1\Grisoft\AVG6\avgfsh.sys --> c:\progra~1\Grisoft\AVG6\avgfsh.sys [?]
S2 AvgServ;AVG6 Service;c:\progra~1\Grisoft\AVG6\avgserv.exe --> c:\progra~1\Grisoft\AVG6\avgserv.exe [?]
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;c:\windows\system32\drivers\Express.sys [4/16/2003 6:00 PM 57344]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\w8arz9zr.default\
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-04 19:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????4?5?4?0??????? ?deB???????????????B? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3088)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-04 19:44:58
ComboFix-quarantined-files.txt 2010-11-05 02:44
Pre-Run: 44,638,343,168 bytes free
Post-Run: 44,634,873,856 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - 855AE7DCFB7C6D1C7976972B2C5442BD
So did I do wrong by not finding a place or opportunity to type in that one line?
Presently I have un-installed ALL my protection programs in preparation for ComboFix. So when we finish, I'll need to begin all over to download everything I, or YOU suggest, I need.
Since this is now a defense-less laptop, I'll turn it off until I hear from you again.
I'm glad YOU understand these logs. ?????????
Dennis
-
I simply un-installed AVG
Before we continue download and install a free antivirus.
Remember to only install one antivirus!
1) Avast! Home Edition (http://www.majorgeeks.com/Avast_Home_Edition_d1968.html)
2) AVG Free Edition (http://www.majorgeeks.com/download.php?det=886)
3) Avira AntiVir Personal (http://www.majorgeeks.com/AntiVir_Personal_Edition_7_d955.html)
4) Microsoft Security Essentials for Windows Vista\Windows 7 (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_VistaWindows_7_d6242.html) - 64 bit Download (http://majorgeeks.com/downloadget.php?id=6242&file=5&evp=9112d44b71f157fc5d7fcd7724b088ca)
4-a) Microsoft Security Essentials for Windows XP (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_XP_d6243.html)
5) Comodo Antivirus (http://www.majorgeeks.com/Comodo_AntiVirus_d5109.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
6) PC Tools AntiVirus Free Edition (http://www.majorgeeks.com/PC_Tools_AntiVirus_Free_Edition_d5469.html)
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
********************************************
So did I do wrong by not finding a place or opportunity to type in that one line?
No. The log looks ok.
SysProt Antirootkit
Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).
http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)
Unzip it into a folder on your desktop.
- Double click Sysprot.exe to start the program.
- Click on the Log tab.
- In the Write to log box select the following items.
- Process << Selected
- Kernel Modules << Selected
- SSDT << Selected
- Kernel Hooks << Selected
- IRP Hooks << NOT Selected
- Ports << NOT Selected
- Hidden Files << Selected
- At the bottom of the page
- Hidden Objects Only << Selected
- Click on the Create Log button on the bottom right.
- After a few seconds a new window should appear.
- Select Scan Root Drive. Click on the Start button.
- When it is complete a new window will appear to indicate that the scan is finished.
- The log will be saved automatically in the same folder Sysprot.exe was
extracted to. Open the text file and copy/paste the log here.
[/list]
-
Good Morning. I'm home again and back to work.
Yesterday I downloaded AVG 2011, installed it and updated it. Then I re-booted, brought up AVG and updated it again. I stopped when there were no more updates.
Here is the SysProtLog:
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EF9D4000
Module End: EF9EC000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7A89000
Module End: F7A8B000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwOpenProcess
Address: EF7166C0
Driver Base: EF714000
Driver End: EF71E000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
Function Name: ZwTerminateProcess
Address: EF716770
Driver Base: EF714000
Driver End: EF71E000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
Function Name: ZwTerminateThread
Address: EF716810
Driver Base: EF714000
Driver End: EF71E000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
Function Name: ZwWriteVirtualMemory
Address: EF7168B0
Driver Base: EF714000
Driver End: EF71E000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
No IRP Hooks found
******************************************************************************************
******************************************************************************************
Ports:
Local Address: DENNISLAPTOP:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: DENNISLAPTOP:1026
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING
Local Address: DENNISLAPTOP:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: DENNISLAPTOP:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING
Local Address: DENNISLAPTOP:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: DENNISLAPTOP:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: DENNISLAPTOP:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: DENNISLAPTOP:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: DENNISLAPTOP:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: DENNISLAPTOP:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: DENNISLAPTOP:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: DENNISLAPTOP:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: DENNISLAPTOP:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied
-
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
OK:
I brought up this forum on the laptop. Held control key and clicked the link once. After a while nothing happened, so I did that over double-clicking. Then I noticed an eset something running on top along the tool bar. Now I have two of those listed up there. (Probably should have walked away the first time and looked later to see what was happening)
Not sure I should hit, "back." So I'll wait a while.
Using IE here, apparently I have two functions to perform: Get the link up and click on the green ESET bar. Then nothing I do until log appears.
So far, I see no green bar.
Dennis
-
I might be progressing........
Will report more soon.
Dennis
-
Dave:
It ran for a long time, but showing progress continually. I think it scanned OK. However, at the end it, "found no infections." Hence, (I think), it offered NO option for keeping a log.
My novice opinion can be no other than to think it just didn't find anything to do.
??
I finished, and chose the uninstall option. I can do this over again if you wish or if I did anything wrong. But it acted fine.
Dennis
-
So, how's your computer working now?
-
Based on everything I now observe, my laptop seems perfectly healthy. That appearing to be the situation, my only remaining desire is to load whatever basic protection programs that are appropriate, that I do not now have.
Judging from what I remember of your signature line, you run AV, (AVG?), SpyBot and maybe the SuperSpyWare you had me run. I'm open for basic recommendations.
You may have noticed I'm not quick to jump up and say everything is fixed. That's because I have a bit of mis-trust for computers.
What do things look like to you?
Dennis
-
We ran a lot of scans and haven't picked anything too serious. Let's do some cleanup.
You may keep SAS and MBAM. Update them and run them every so often to keep the bugs out.
* Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
* Now type commy /uninstall in the runbox
* Make sure there's a space between commy and /Uninstall
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
*********************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
**************************************
Looking over your log it seems you don't have any evidence of a third party firewall.
Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.
Remember only install ONE firewall
1) Comodo Personal Firewall (http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html)
3) Agnitum Outpost (http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html)
4) PC Tools Firewall Plus (http://www.majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
*********************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
-
Dave:
Evidently I already uninstalled Commy earlier when I was following one of your directives and had trouble, "turning off," programs. (So I uninstalled it) All that I had was the desktop icon, which in now deleted. I hope this didn't hurt anything.
I created a restore point.
I ran TFC and re-started.
I loaded a firewall....choosing Online Armor. Question: How do I find out if I'm using the MS firewall? Apparently, my wireless router is not a firewall as I've been told. (I thought I was good already for firewalls)
I brought up Secunia, but it wants Sun Java. I guess I don't have that. It's been a long day, I'll continue with downloading Java tomorrow. (So far, I've often avoided Java)
Dennis
-
Question: How do I find out if I'm using the MS firewall? Apparently, my wireless router is not a firewall as I've been told. (I thought I was good already for firewalls)
Look for it in the Control Panel under Windows Firewall or the Security Center. Java is your choice.
-
Dave:
After a few sessions here's where I stand:
MS Firewall is in this laptop, however, it was and is disabled.
I ran Secunia and updated that list.
I am now updating MS Windows update.
I will nex add Web of Trust.
I've never used SpyWare Blaster, but will add that too.
I'll update, again, SpyBot.
?
Dennis
-
Dave:
Thank you so much for all your help. Things look like they are running fine now. Plus, I've learned a lot. You are a great benefit to the forum.
Cheers,
Dennis