Computer Hope
Software => Computer viruses and spyware => Topic started by: BigMac100 on November 30, 2010, 03:55:53 PM
-
Developed a virus call "ThinkPoint" about a week ago. I could not get on internet or even shut computer down. Ran computer under safe mode to end process but still having issues. Cannot open a desktop icon to a link without pop up window asking "choose the program you want to use to open this file". Computer running slow and have to restart just to get on internet. Please help. Ran AVG, program boggs system down.
-
Sorry, Service pack 2
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
Save Rkill to your desktop.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
Rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
Rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
Rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
Rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
Once you've gotten one of them to run then try to immediately run the following.
Now download and Run exeHelper.
Please download exeHelper from Raktor (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.- Double-click on exeHelper.com to run the fix. A black window should pop up, press any key to close once the fix is completed. A log file named log.txt will be created in the directory where you ran exeHelper.com Attach the log.txt file to your next message.
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
************************************************
SUPERAntiSpyware
If you already have SUPERAntiSpyware be sure to check for updates before scanning!
Download SuperAntispyware Free Edition (SAS) (http://www.superantispyware.com/download.html)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked
•Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes
•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.
•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
*******************************************
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here (http://www.malwarebytes.org/mbam/program/mbam-setup.exe).
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
**************************************************
Download DDS from HERE (http://download.bleepingcomputer.com/sUBs/dds.scr) or HERE (http://www.forospyware.com/sUBs/dds) and save it to your desktop.
Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
1) DDS.txt
2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.
Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
-
exeHelper by Raktor
Build 20100414
Run at 18:40:18 on 12/02/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\sdra64.exe
Error deleting C:\WINDOWS\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
-
Were you able to run the other scans after you rebooted the computer? I need to see the logs.
-
Sorry it took so long. I was unable to reboot. Had to go to safe mode to compile the info for you. Computer would not go to windows, just a black screen.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 12/02/2010 at 09:14 PM
Application Version : 4.46.1000
Core Rules Database Version : 5934
Trace Rules Database Version: 3746
Scan type : Complete Scan
Total Scan Time : 02:20:58
Memory items scanned : 467
Memory threats detected : 0
Registry items scanned : 6444
Registry threats detected : 6
File items scanned : 90972
File threats detected : 53
Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@media6degrees[2].txt
C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@collective-media[2].txt
C:\Documents and Settings\Owner\Cookies\owner@pointroll[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ru4[2].txt
media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\D27KGRZX ]
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adecn[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adxpose[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@hitbox[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@overture[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@statcounter[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tacoda[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@technoratimedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[1].txt
media.mtvnservices.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\Z4WJR5GG ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\Z4WJR5GG ]
Trojan.Agent/Gen
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\lowsec\user.ds.lll
C:\WINDOWS\system32\lowsec
Backdoor.Bot[ZBot]
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905}
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905}
Malware.Trace
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network#uid [ HOME-GE8G9I9WSN_B75BA27F2A0474F3 ]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#USERINIT
Trojan.Agent/Gen-IEFake
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RARSFX0\H\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RARSFX0\PROCS\IEXPLORE.EXE
Trojan.Agent/Gen-IExplorer[Fake]
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RARSFX0\NIRD\IEXPLORE.EXE
Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0147977.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0147978.EXE
Trojan.Agent/Gen-SDRA
C:\WINDOWS\SYSTEM32\SDRA64.EXE
-
Dave,
The in the next step I'm to "please download Malwarebytes Anti-Malware from here"
This link is not a valid link. Do I go to the homepage and then download it? It takes me to CNET.
-
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5241
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18702
12/3/2010 7:07:45 PM
mbam-log-2010-12-03 (19-07-45).txt
Scan type: Full scan (C:\|)
Objects scanned: 241191
Time elapsed: 56 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 21
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{C48635AD-D6B5-3EE4-AAA2-540D5A173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{C48635AD-D6B5-3EE4-AAA2-540D5A173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AE68DCDA-8750-2C94-BD9A-9EE9347F3964} (Spyware.Passwords.XGen) -> Value: {AE68DCDA-8750-2C94-BD9A-9EE9347F3964} -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rcudadi (Trojan.Hiloti.Gen) -> Value: Rcudadi -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{BCF5C73A-CE2B-6071-3164-85F31BB12C73} (Trojan.ZbotR.Gen) -> Value: {BCF5C73A-CE2B-6071-3164-85F31BB12C73} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Agent) -> Value: RTHDBPL -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
c:\documents and settings\Owner\application data\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d} (Trojan.Swisyn) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d}\chrome (Trojan.Swisyn) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content (Trojan.Swisyn) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\Owner\application data\Qerie\itlu.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\WINDOWS\cdrcph4.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\application data\725140.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\application data\725141.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\application data\734218.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\application data\734219.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\application data\762218.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\application data\762219.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\tmp50116e99\r.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
c:\program files\AskSBar\bar\1.bin\A2HIGHIN.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\AskSBar\bar\1.bin\NPASKSBR.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c289e17b-7714-4e43-b22e-77069d407d7c}\RP1532\A0147958.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c289e17b-7714-4e43-b22e-77069d407d7c}\RP1532\A0147979.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c289e17b-7714-4e43-b22e-77069d407d7c}\RP1532\A0150999.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\0.12006703198118596.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\kzdwuvqpfuwaane.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\Owovy\ewow.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{8ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest (Trojan.Swisyn) -> Quarantined and deleted successfully.
-
DDS (Ver_10-11-27.01) - NTFSx86
Run by Owner at 20:38:22.44 on Fri 12/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.74 [GMT -5:00]
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\364IVJ9Z\dds[1].scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.columbus.rr.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=userinit.exe,
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~2\mimboot.exe
mRun: [Webroot Desktop Firewall] c:\program files\webroot\webroot desktop firewall\WDF.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [Dfesamiwokoje] rundll32.exe "c:\windows\ilihaxiqex.dll",Startup
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Show All Original Images - c:\program files\netzero\qsacc\appres.dll/228
IE: Show Original Image - c:\program files\netzero\qsacc\appres.dll/227
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.leaguelineup.com/_incl/uploader/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://webmail.na.avon.com/dwa7W.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.leaguelineup.com/XUpload.ocx
Filter: text/html - {fa3b1927-c810-48b5-ac12-120ccacb512d} -
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2008-2-28 18944]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-8 38224]
=============== Created Last 30 ================
2010-11-30 23:50:14 -------- d-----w- c:\docume~1\owner\applic~1\Qerie
2010-11-30 23:50:14 -------- d-----w- c:\docume~1\owner\applic~1\Owuvw
2010-11-30 22:06:32 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}
2010-11-30 21:09:15 230 ----a-w- C:\agtyjkj.bat
2010-11-27 19:47:04 -------- d-----w- c:\docume~1\owner\applic~1\Ysez
2010-11-27 19:47:04 -------- d-----w- c:\docume~1\owner\applic~1\Xiurz
2010-11-27 19:19:18 -------- d-----w- c:\docume~1\owner\applic~1\Owovy
2010-11-27 19:19:18 -------- d-----w- c:\docume~1\owner\applic~1\Edgubo
2010-11-25 21:06:05 -------- d-----w- c:\windows\system32\drivers\AVG
2010-11-25 02:56:29 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-25 02:56:29 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-25 01:45:52 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-25 01:45:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-24 23:59:49 -------- d-----w- c:\program files\Loaris
2010-11-09 19:13:46 -------- d--h--w- C:\$AVG
2010-11-08 22:29:39 -------- d-----w- c:\docume~1\owner\applic~1\AVG10
2010-11-08 22:23:59 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-11-08 22:19:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-11-08 22:18:52 -------- d-----w- c:\program files\AVG
2010-11-08 22:11:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-08 22:11:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-08 22:11:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-08 21:36:35 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Temp
2010-11-08 21:15:19 4526 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-11-08 20:44:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
==================== Find3M ====================
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.3.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x812DC446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x812e2504]; MOV EAX, [0x812e2580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x81367030]
3 CLASSPNP[0xF92A305B] -> nt!IofCallDriver[0x804E37D5] -> [0x812FE550]
\Driver\atapi[0x81359468] -> IRP_MJ_CREATE -> 0x812DC446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________3.16____#4a33395641354a3
3202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x812DC292
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 20:40:58.51 ===============
-
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-11-27.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 9/10/2005 12:42:10 AM
System Uptime: 12/3/2010 8:33:34 PM (0 hours ago)
Motherboard: Dell Computer Corp. | | 0C2425
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Microprocessor | 2525/533mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 74 GiB total, 49.456 GiB free.
D: is CDROM ()
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1441: 9/2/2010 3:54:43 PM - System Checkpoint
RP1442: 9/3/2010 4:22:20 PM - System Checkpoint
RP1443: 9/4/2010 4:48:39 PM - System Checkpoint
RP1444: 9/5/2010 5:21:23 PM - System Checkpoint
RP1445: 9/6/2010 5:48:49 PM - System Checkpoint
RP1446: 9/7/2010 6:50:48 PM - System Checkpoint
RP1447: 9/8/2010 3:00:24 AM - Software Distribution Service 3.0
RP1448: 9/9/2010 3:24:05 AM - System Checkpoint
RP1449: 9/10/2010 4:24:06 AM - System Checkpoint
RP1450: 9/11/2010 5:24:04 AM - System Checkpoint
RP1451: 9/12/2010 5:31:18 AM - System Checkpoint
RP1452: 9/13/2010 6:24:08 AM - System Checkpoint
RP1453: 9/14/2010 7:24:07 AM - System Checkpoint
RP1454: 9/15/2010 3:00:33 AM - Software Distribution Service 3.0
RP1455: 9/16/2010 3:20:35 AM - System Checkpoint
RP1456: 9/17/2010 3:34:33 AM - System Checkpoint
RP1457: 9/18/2010 3:43:54 AM - System Checkpoint
RP1458: 9/19/2010 4:34:33 AM - System Checkpoint
RP1459: 9/20/2010 5:12:04 AM - System Checkpoint
RP1460: 9/21/2010 6:00:57 AM - System Checkpoint
RP1461: 9/22/2010 6:02:18 AM - System Checkpoint
RP1462: 9/23/2010 6:49:58 AM - System Checkpoint
RP1463: 9/24/2010 7:49:57 AM - System Checkpoint
RP1464: 9/25/2010 8:49:58 AM - System Checkpoint
RP1465: 9/26/2010 8:51:28 AM - System Checkpoint
RP1466: 10/3/2010 4:27:04 PM - System Checkpoint
RP1467: 10/4/2010 3:00:28 AM - Software Distribution Service 3.0
RP1468: 10/5/2010 3:02:24 AM - System Checkpoint
RP1469: 10/5/2010 6:04:29 PM - Restore Operation
RP1470: 10/6/2010 3:00:29 AM - Software Distribution Service 3.0
RP1471: 10/7/2010 3:05:44 AM - System Checkpoint
RP1472: 10/8/2010 4:05:43 AM - System Checkpoint
RP1473: 10/9/2010 4:14:58 AM - System Checkpoint
RP1474: 10/10/2010 5:05:43 AM - System Checkpoint
RP1475: 10/11/2010 6:05:41 AM - System Checkpoint
RP1476: 10/12/2010 6:12:54 AM - System Checkpoint
RP1477: 10/13/2010 7:07:19 AM - System Checkpoint
RP1478: 10/14/2010 3:00:42 AM - Software Distribution Service 3.0
RP1479: 10/15/2010 3:07:17 AM - System Checkpoint
RP1480: 10/16/2010 3:18:26 AM - System Checkpoint
RP1481: 10/17/2010 4:18:26 AM - System Checkpoint
RP1482: 10/18/2010 5:18:31 AM - System Checkpoint
RP1483: 10/19/2010 6:18:26 AM - System Checkpoint
RP1484: 10/20/2010 6:18:59 AM - System Checkpoint
RP1485: 10/21/2010 7:19:03 AM - System Checkpoint
RP1486: 10/22/2010 7:39:39 AM - System Checkpoint
RP1487: 10/23/2010 8:39:40 AM - System Checkpoint
RP1488: 10/24/2010 8:40:45 AM - System Checkpoint
RP1489: 10/25/2010 9:39:40 AM - System Checkpoint
RP1490: 10/26/2010 10:39:40 AM - System Checkpoint
RP1491: 10/27/2010 11:54:12 AM - System Checkpoint
RP1492: 10/28/2010 11:54:32 AM - System Checkpoint
RP1493: 10/29/2010 11:55:17 AM - System Checkpoint
RP1494: 10/30/2010 12:08:52 PM - System Checkpoint
RP1495: 10/31/2010 12:56:23 PM - System Checkpoint
RP1496: 11/1/2010 1:05:31 PM - System Checkpoint
RP1497: 11/2/2010 1:55:18 PM - System Checkpoint
RP1498: 11/3/2010 3:08:22 PM - System Checkpoint
RP1499: 11/4/2010 3:27:06 PM - System Checkpoint
RP1500: 11/5/2010 3:27:37 PM - System Checkpoint
RP1501: 11/6/2010 4:23:07 PM - System Checkpoint
RP1502: 11/7/2010 7:07:32 PM - System Checkpoint
RP1503: 11/8/2010 4:09:44 PM - Restore Operation
RP1504: 11/8/2010 4:20:07 PM - Removed SUPERAntiSpyware Free Edition
RP1505: 11/8/2010 4:34:56 PM - avast! Free Antivirus Setup
RP1506: 11/8/2010 4:55:37 PM - avast! Free Antivirus Setup
RP1507: 11/8/2010 5:18:49 PM - Installed AVG 2011
RP1508: 11/8/2010 5:19:38 PM - Installed AVG 2011
RP1509: 11/9/2010 6:27:55 PM - System Checkpoint
RP1510: 11/10/2010 7:02:18 PM - System Checkpoint
RP1511: 11/11/2010 3:00:56 AM - Software Distribution Service 3.0
RP1512: 11/12/2010 3:02:23 AM - System Checkpoint
RP1513: 11/13/2010 4:02:22 AM - System Checkpoint
RP1514: 11/14/2010 5:02:19 AM - System Checkpoint
RP1515: 11/15/2010 5:12:44 AM - System Checkpoint
RP1516: 11/15/2010 9:58:10 PM - Removed AVG 2011
RP1517: 11/15/2010 10:00:31 PM - Removed AVG 2011
RP1518: 11/16/2010 10:51:00 PM - System Checkpoint
RP1519: 11/17/2010 10:56:11 PM - System Checkpoint
RP1520: 11/18/2010 11:50:59 PM - System Checkpoint
RP1521: 11/20/2010 12:51:03 AM - System Checkpoint
RP1522: 11/21/2010 1:51:00 AM - System Checkpoint
RP1523: 11/22/2010 2:51:01 AM - System Checkpoint
RP1524: 11/23/2010 4:41:13 PM - System Checkpoint
RP1525: 11/24/2010 8:44:13 PM - Restore Operation
RP1526: 11/25/2010 5:33:15 PM - Removed AVG 2011
RP1527: 11/25/2010 5:37:20 PM - Removed AVG 2011
RP1528: 11/25/2010 6:18:58 PM - Advanced Registry Optimizer 2010 - Before Installation
RP1529: 11/25/2010 6:20:22 PM - ADVANCED REGISTRY OPTIMIZER 2010- FIRST RUN
RP1530: 11/25/2010 6:32:34 PM - Software Distribution Service 3.0
RP1531: 11/25/2010 6:46:04 PM - Software Distribution Service 3.0
RP1532: 11/30/2010 4:54:23 PM - System Checkpoint
==== Installed Programs ======================
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player
Adobe SVG Viewer 3.0
aiofw
aioocr
aioprnt
aioscnnr
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Bonjour
center
Conexant D850 56K V.9x DFVc Modem
Cyber Security
Dell ResourceCD
FaxTools
FrostWire 4.13.5
Google Toolbar for Internet Explorer
Help_CTR
helptut
helpug
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics Driver
iTunes
Java(TM) 6 Update 16
KODAK All-in-One Printer Software
ksdip
Logitech Desktop Messenger
Logitech SetPoint
Malwarebytes' Anti-Malware
MapSend DirectRoute North America
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Picture It! Photo Premium 9
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Streets and Trips 2004
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite Add-in for Microsoft Word
MobileMe Control Panel
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Musicmatch® Jukebox
netbrdg
QuickTime
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
SFR
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
SUPERAntiSpyware
TomTom HOME 2.7.5.2014
TomTom HOME Visual Studio Merge Modules
TWC Customer Controls
Uninstall Dual Mode Camera
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (KB2443839)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Walmart MP3 Music Downloads
WebFldrs XP
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
==== Event Viewer Messages From Past Week ========
12/3/2010 7:11:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
12/3/2010 5:26:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm OMCI SASDIFSV SASKUTIL
12/3/2010 5:25:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/1/2010 9:45:42 PM, error: Service Control Manager [7023] - The iPod Service service terminated with the following error: Security must be initialized before any interfaces are marshalled or unmarshalled. It cannot be changed once initialized.
12/1/2010 6:40:48 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
12/1/2010 6:40:48 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/1/2010 6:40:06 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
11/30/2010 5:05:35 PM, error: DCOM [10000] - Unable to start a DCOM Server: {D0AAD3D6-EB93-4363-A24E-2C3D80CDBAC7}. The error: "%5" Happened while starting this command: "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe" -Embedding
11/30/2010 5:05:33 PM, error: Service Control Manager [7001] - The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error: Access is denied.
11/30/2010 5:05:31 PM, error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: Access is denied.
11/30/2010 4:10:34 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
11/30/2010 4:10:34 PM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/30/2010 4:09:58 PM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
11/30/2010 4:09:58 PM, error: Service Control Manager [7034] - The Kodak AiO Device Service service terminated unexpectedly. It has done this 1 time(s).
11/30/2010 4:09:58 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/30/2010 4:09:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file mstsc.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 4.20.0.0, the version of the system file is 5.1.2600.2180.
11/27/2010 9:59:51 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/27/2010 8:05:44 PM, error: Service Control Manager [7022] - The WebClient service hung on starting.
11/27/2010 5:31:17 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
==== End Of File ===========================
-
Dave, I believe I have done everything as instructed even though I had to reboot twice during the DDS phase. Please let me know if there is anything you need.
Thank you!
-
This link is not a valid link. Do I go to the homepage and then download it? It takes me to CNET.
Yup. There's something amiss with that link. I'll have to check that out.
Download Disable/Remove Windows Messenger (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.
Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.
Exit out of MessengerDisable then delete the two files that were put on the desktop.
***********************************************
Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs scanned they must be done separately and links posted for each one)
* Copy the file path in the below Code box:
C:\agtyjkj.bat
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
************************************************
I strongly recommend that you remove Ask from your computer because it;
•Promotes its toolbars on sites targeted to kids.
•Promotes its toolbars through ads that appear to be part of other companies' sites.
•Promotes its toolbars through other companies' spyware.
•Installs without any disclosure whatsoever and without any consent whatsoever.
•Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
•Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.
See Here (http://www.benedelman.org/spyware/ask-toolbars/) for more info.
If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.
•AskBarDis or anything related to Ask
Then please find and delete this folder in bold (if present):
C:\Program Files\AskBarDis. or anything related to Ask.
****************************************************
P2P - I see you have P2P software installed on your machine (FrostWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
***********************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
******************************************************
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.
:OTL
:otl
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Dfesamiwokoje] rundll32.exe "c:\windows\ilihaxiqex.dll",Startup
dRunOnce: [RunNarrator] Narrator.exe
Trusted Zone: musicmatch.com\online
:COMMANDS
[resethosts]
[purity]
[clearrestorepoints]
[emptytemp]
[start explorer]
* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.
Note: You may need two or more posts to fit them all in.
****************************************
Please open Command Prompt (Start > Run and type CMD and press OK [Vista/7: Start search: CMD and press enter])
Enter the following in to the black box, pressing enter after each line:
cd desktop
mbr.exe -f
exit
Post a log (MBR.log).
******************************
-
Dave,
I'm a little confused. When trying to remove Windows Messenger, I click the link you give "Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger". It takes me to Majorgeek.com. When I scroll down I see....
"This utility will allow you to disable Windows Messenger on per-user basis, or on a machine wide basis. Download the ZIP file and extract MessengerDisable.exe to your hard drive. You can either double click the EXE file, or create a shortcut to it, as you prefer. You can, optionally, use this utility to remove Windows Messenger from your machine. You may need Administrator level privileges to run this program."
The words "hard drive" is a link that takes me to an IBM website. When I exit out of it all and go back into it, sometimes there is a like "download" and it takes me to a Sprint site.
What do I do?
-
I tried the link and it works for me. There is no link in "harddrive" when I checked it. Did you actually download the program and run it?
In any case, if you can't get it to work, proceed with the rest of the instructions. It's not a big deal. I'm just trying to be thorough.
-
Thanks Dave for trying to be thorough, No I did not download and run. The phrase "harddrive" is highlighted in green and when I put my cursor on it a pop-up appears and when I click on it, it takes me to a link. Is there something else I can try to rid computer of messenger?
Also, I am having difficulty on the next step also. I can access the link but when I copy the code, it will not allow me to CTRL+V it to the window next to BROWSE.
-
Nor will it allow me to type the code, copy/paste or CTRL+V
-
Please just skip that one and go on with the next one. We'll return to it later.
-
Dave, I continue to have a hard time completing the second set of instructions. As you know, I am unable to remove windows messenger, can not complete Jotti's malware scan and when I try to remove ASK, I get a pop up window that says:
RunDLL
Error loading c:\PROGRA~1\AskBar\bar\l.bin\AskSBar.dll
The specified could not be found
I continued to Security Check by screen 317 and the results are below.
Thanks
-
Results of screen317's Security Check version 0.99.6
Windows XP Service Pack 2
Out of date service pack!! (http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 16
Out of date Java installed!
Adobe Flash Player
Adobe Reader 9
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
````````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)
``````````End of Log````````````
-
All processes killed
========== OTL ==========
========== OTL ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Error: Unable to interpret <[clearrestorepoints]> in the current context!
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 311296 bytes
->Temporary Internet Files folder emptied: 4949587 bytes
->Flash cache emptied: 3270 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41044 bytes
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 102313967 bytes
->Java cache emptied: 1100115 bytes
->Flash cache emptied: 72568 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 538987481 bytes
->Java cache emptied: 25082 bytes
->Flash cache emptied: 20987 bytes
User: Owner
->Temp folder emptied: 5210353 bytes
->Temporary Internet Files folder emptied: 45875376 bytes
->Java cache emptied: 9042236 bytes
->Google Chrome cache emptied: 819568 bytes
->Flash cache emptied: 2002126 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1126364 bytes
%systemroot%\System32 .tmp files removed: 7103 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 37926273 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 64700720 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34767 bytes
RecycleBin emptied: 5795726 bytes
Total Files Cleaned = 782.00 mb
OTL by OldTimer - Version 3.2.17.3 log created on 12092010_162522
Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5
\WPGNQVQN\main_6;sz=300x250;kl=N;!c=6;k2=617;k2=592;klg=en;kvid=X2M1KNbF2sU;kpu=SouljaBoy;
kr=F;khd=0;kt=K;ko=c;kpid=6;afc=1;kga=-1;kp=1;u=X2M1KNbF2sU_6;kgg=-1;kcr=us;custp=bpqhOEGlI-[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\WPGNQVQN\
music_rockpop;sz=300x250;kl=N;klg=en;kt=K;kga=-1;kr=F;kw=kiss+me+through+the+phone;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=254769617428592[2].37 not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\072XKNW3\activity;src=1318077;met=1;v=1;pid=18708550;aid=211740135;ko=0;cid=30287582;rid=30305459;rv=1;×tamp=
1234557888043;eid1=2;ecn1=1;etm1=5;eid2=40181;ecn2=1;etm2=0;[1].gif not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\072XKNW3\main
_6;sz=300x250;kl=N;!c=6;k2=617;k2=35;kbz=1;klg=en;kvid=QhwQay4QiOw;kpu=universalmusicgroup;kr=F;khd=0;kt=K;
ko=p;kpid=6;afc=1;kga=-1;k1=hip%20hop;kp=1;u=QhwQay4QiOw_6;kg[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF551E.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF58BD.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF60AB.tmp not found!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PINY6JD0\topic,113160.0[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.
Registry entries deleted on Reboot...
-
Dave, I was able to complete some of the instructions as you can see. However, the last instruction, CMD.
After entering cd desktop, I get this error when entering mbr.exe -f:
'mbr.exe" is not recognized as an internal or external command, operable program or batch file
Please let me know the next steps.
Thank You!
-
Update Your Java (JRE)
Old versions of Java have vulnerabilities that malware can use to infect your system.
First Verify your Java Version (http://www.java.com/en/download/installed.jsp)
If there are any other version(s) installed then update now.
Get the new version (if needed)
If your version is out of date install the newest version of the Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html).
Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Be sure to close ALL open web browsers before starting the installation.
Remove any old versions
1. Download JavaRa (http://raproducts.org/click/click.php?id=1) and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.
4. Run CCleaner.
Additional Note: The Java Quick Starter (JQS.exe) (http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*****************************************
Please download the newest version of Adobe Acrobat Reader from Adobe.com (http://www.adobe.com/products/acrobat/readstep2.html)
Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.
Once old versions are gone, please install the newest version.
**************************************************
Delete An Uninstall Entry
•Start HijackThis
•Click on the Open the Misc Tools section
•Click on the Open Uninstall Manager button.
•Highlight the entry you want to remove.
Ask Toolbar
•Click Delete this entry
*********************************************
This next tool I want you to use will not run with AVG Anti-Virus. If this is what you're using for you AV program you will have to uninstall it. First, download a free AV program from the list below and install it. Then, run the AVG removal tool provide below. Next, run the ComboFix scan and post the log.
Remember to only install one antivirus!
1) Avast! Home Edition (http://www.majorgeeks.com/Avast_Home_Edition_d1968.html)
2) AVG Free Edition (http://www.majorgeeks.com/download.php?det=886)
3) Avira AntiVir Personal (http://www.majorgeeks.com/AntiVir_Personal_Edition_7_d955.html)
4) Microsoft Security Essentials for Windows Vista\Windows 7 (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_VistaWindows_7_d6242.html) - 64 bit Download (http://majorgeeks.com/downloadget.php?id=6242&file=5&evp=9112d44b71f157fc5d7fcd7724b088ca)
4-a) Microsoft Security Essentials for Windows XP (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_XP_d6243.html)
5) Comodo Antivirus (http://www.majorgeeks.com/Comodo_AntiVirus_d5109.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
6) PC Tools AntiVirus Free Edition (http://www.majorgeeks.com/PC_Tools_AntiVirus_Free_Edition_d5469.html)
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
*******************************************
AVG Antivirus - AVG Antivirus Remover utility (http://www.avg.com/download-tools)
**********************************************
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)
Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console[/list]
(http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Mon Oct 26 18:01:06 2009
Found and removed: C:\Program Files\Java\jre1.5.0_01
Found and removed: C:\Program Files\Java\jre1.6.0_03
Found and removed: C:\Documents and Settings\Owner\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150010}
Found and removed: C:\Windows\System32\jupdate-1.5.0_01-b08.log
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_01\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\
------------------------------------
Finished reporting.
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Mon Oct 26 18:02:15 2009
------------------------------------
Finished reporting.
JavaRa 1.16 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Thu Dec 09 20:05:36 2010
Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_16
------------------------------------
Finished reporting.
JavaRa 1.16 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Thu Dec 09 20:06:26 2010
------------------------------------
Finished reporting.
JavaRa 1.16 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Thu Dec 09 20:07:42 2010
------------------------------------
Finished reporting.
JavaRa 1.16 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Thu Dec 09 20:11:26 2010
------------------------------------
Finished reporting.
-
Were you able to download and run the ComboFix scan?
-
Dave, sorry It's taken so long to get the results of your instructions. I have to re-boot/shut down about every other time I try to do something. Here are the results of ComboFix. I did not get AVG Antivirus removed
-
ComboFix 10-12-11.03 - Owner 12/11/2010 21:11:11.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.53 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\commy.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\completescan
c:\documents and settings\Owner\Application Data\install
c:\documents and settings\Owner\Application Data\Xiurz
c:\documents and settings\Owner\Application Data\Ysez
c:\documents and settings\Owner\Application Data\Ysez\zavi.vif
c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}
c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\install.rdf
c:\program files\Need2Find
c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR
c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR
c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
c:\program files\Need2Find\bar\Cache\0066FA0F
c:\program files\Need2Find\bar\Cache\00673A73
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\prevcfg.htm
c:\program files\Shared
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_0_0_106800.htm
c:\windows\system32\cache329\B_329_0_0_107400.htm
c:\windows\system32\cache329\B_329_1_0_449200.htm
c:\windows\system32\cache329\B_329_1_0_449600.htm
c:\windows\system32\cache329\B_329_1_0_454300.htm
c:\windows\system32\cache329\B_329_2_0_105300.htm
c:\windows\system32\cache329\B_329_2_0_106800.htm
c:\windows\system32\cache329\B_329_2_0_107400.htm
c:\windows\system32\cache329\B_329_3_0_106800.htm
c:\windows\system32\cache329\B_329_3_0_107400.htm
c:\windows\system32\cache329\B_329_4_0_111600.htm
c:\windows\system32\cache329\B_329_4_0_152400.htm
c:\windows\system32\cache329\B_329_4_0_155300.htm
c:\windows\system32\cache329\B_329_4_0_164100.htm
c:\windows\system32\cache329\t_B_329_0_0_106800.htm
c:\windows\system32\cache329\t_B_329_0_0_107400.htm
c:\windows\system32\cache329\t_B_329_1_0_449200.htm
c:\windows\system32\cache329\t_B_329_1_0_449600.htm
c:\windows\system32\cache329\t_B_329_1_0_454300.htm
c:\windows\system32\cache329\t_B_329_2_0_105300.htm
c:\windows\system32\cache329\t_B_329_2_0_106800.htm
c:\windows\system32\cache329\t_B_329_2_0_107400.htm
c:\windows\system32\cache329\t_B_329_3_0_106800.htm
c:\windows\system32\cache329\t_B_329_3_0_107400.htm
c:\windows\system32\cache329\t_B_329_4_0_111600.htm
c:\windows\system32\cache329\t_B_329_4_0_152400.htm
c:\windows\system32\cache329\t_B_329_4_0_155300.htm
c:\windows\system32\cache329\t_B_329_4_0_164100.htm
c:\windows\system32\tmp.reg
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.
2010-12-12 01:52 . 2010-12-12 01:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-12-11 00:17 . 2010-12-11 00:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-11 00:17 . 2010-12-11 00:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-12-11 00:01 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-11 00:01 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-11 00:01 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-11 00:01 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-11 00:01 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-12-11 00:01 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-12-11 00:01 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-12-11 00:00 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-11 00:00 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-10 23:17 . 2010-12-10 23:17 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-10 23:05 . 2010-12-10 23:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-10 23:04 . 2010-12-10 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-12-10 23:04 . 2010-12-10 23:04 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-10 00:34 . 2010-12-10 00:34 -------- d-----w- c:\program files\Common Files\Java
2010-12-10 00:33 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-09 21:25 . 2010-12-09 21:25 -------- d-----w- C:\_OTL
2010-12-02 23:05 . 2010-12-02 23:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-11-30 23:50 . 2010-12-04 00:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Qerie
2010-11-30 23:50 . 2010-12-02 03:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Owuvw
2010-11-30 21:09 . 2010-11-30 21:09 230 ----a-w- C:\agtyjkj.bat
2010-11-27 19:19 . 2010-12-04 00:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Owovy
2010-11-27 19:19 . 2010-12-02 03:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Edgubo
2010-11-25 22:50 . 2010-11-25 22:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-25 21:06 . 2010-12-10 23:47 -------- d-----w- c:\windows\system32\drivers\AVG
2010-11-25 02:56 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-25 02:56 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-25 01:45 . 2010-11-25 01:45 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-24 23:59 . 2010-11-24 23:59 -------- d-----w- c:\program files\Loaris
2010-11-24 21:48 . 2010-11-24 21:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-11-24 15:37 . 2010-11-24 15:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-11-24 12:17 . 2010-11-24 12:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-11-23 23:19 . 2010-11-23 23:19 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:42 . 2010-11-08 22:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2010-11-08 22:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 07:29 . 2009-10-26 21:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-23 67128]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 28160]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-23 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-2 532480]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/10/2010 7:01 PM 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/10/2010 7:01 PM 17744]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [2/28/2008 5:57 PM 18944]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/24/2010 9:41 AM 92008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 7:02 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/8/2010 5:11 PM 38224]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder
2010-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]
2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]
2010-12-12 c:\windows\Tasks\User_Feed_Synchronization-{15BE7D63-A464-42B5-B135-F874DC36DC73}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.columbus.rr.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Show All Original Images - c:\program files\NetZero\qsacc\appres.dll/228
IE: Show Original Image - c:\program files\NetZero\qsacc\appres.dll/227
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: musicmatch.com\online
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.leaguelineup.com/_incl/uploader/ImageUploader6.cab
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Webroot Desktop Firewall - c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
AddRemove-CS - c:\program files\CS\cs.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 21:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(624)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-12-11 21:29:22
ComboFix-quarantined-files.txt 2010-12-12 02:29
ComboFix2.txt 2007-08-04 00:14
Pre-Run: 53,781,041,152 bytes free
Post-Run: 54,003,970,048 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - 0265D77BE2C3088F354422474419C642
-
Please let me know what to do next. Thanks
-
P2P - I see you have P2P software installed on your machine (FrostWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
*******************************************
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
File::
C:\agtyjkj.bat
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
**********************************************
SysProt Antirootkit
Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).
http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)
Unzip it into a folder on your desktop.
- Double click Sysprot.exe to start the program.
- Click on the Log tab.
- In the Write to log box select the following items.
- Process << Selected
- Kernel Modules << Selected
- SSDT << Selected
- Kernel Hooks << Selected
- IRP Hooks << NOT Selected
- Ports << NOT Selected
- Hidden Files << Selected
- At the bottom of the page
- Hidden Objects Only << Selected
- Click on the Create Log button on the bottom right.
- After a few seconds a new window should appear.
- Select Scan Root Drive. Click on the Start button.
- When it is complete a new window will appear to indicate that the scan is finished.
- The log will be saved automatically in the same folder Sysprot.exe was extracted to.
Open the text file and copy/paste the log here.
[/list].
-
ComboFix 10-12-11.06 - Owner 12/12/2010 17:01:30.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.110 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\commy.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FILE ::
"C:\agtyjkj.bat"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\agtyjkj.bat
.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.
2010-12-12 01:52 . 2010-12-12 01:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-12-11 00:17 . 2010-12-11 00:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-11 00:17 . 2010-12-11 00:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-12-11 00:01 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-11 00:01 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-11 00:01 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-11 00:01 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-11 00:01 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-12-11 00:01 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-12-11 00:01 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-12-11 00:00 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-11 00:00 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-10 23:17 . 2010-12-10 23:17 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-10 23:05 . 2010-12-10 23:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-10 23:04 . 2010-12-10 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-12-10 23:04 . 2010-12-10 23:04 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-10 00:34 . 2010-12-10 00:34 -------- d-----w- c:\program files\Common Files\Java
2010-12-10 00:33 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-09 21:25 . 2010-12-09 21:25 -------- d-----w- C:\_OTL
2010-12-02 23:05 . 2010-12-02 23:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-11-30 23:50 . 2010-12-04 00:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Qerie
2010-11-30 23:50 . 2010-12-02 03:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Owuvw
2010-11-27 19:19 . 2010-12-04 00:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Owovy
2010-11-27 19:19 . 2010-12-02 03:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Edgubo
2010-11-25 22:50 . 2010-11-25 22:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-25 21:06 . 2010-12-10 23:47 -------- d-----w- c:\windows\system32\drivers\AVG
2010-11-25 02:56 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-25 02:56 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-25 01:45 . 2010-11-25 01:45 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-24 23:59 . 2010-11-24 23:59 -------- d-----w- c:\program files\Loaris
2010-11-24 21:48 . 2010-11-24 21:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-11-24 15:37 . 2010-11-24 15:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-11-24 12:17 . 2010-11-24 12:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-11-23 23:19 . 2010-11-23 23:19 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:42 . 2010-11-08 22:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2010-11-08 22:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 07:29 . 2009-10-26 21:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-23 67128]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 28160]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-23 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-2 532480]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/10/2010 7:01 PM 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/10/2010 7:01 PM 17744]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/8/2010 5:11 PM 38224]
.
Contents of the 'Scheduled Tasks' folder
2010-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]
2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]
2010-12-12 c:\windows\Tasks\User_Feed_Synchronization-{15BE7D63-A464-42B5-B135-F874DC36DC73}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.columbus.rr.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Show All Original Images - c:\program files\NetZero\qsacc\appres.dll/228
IE: Show Original Image - c:\program files\NetZero\qsacc\appres.dll/227
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: musicmatch.com\online
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.leaguelineup.com/_incl/uploader/ImageUploader6.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 17:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(624)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3184)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kodak\printer\center\KodakSvc.exe
c:\progra~1\MUSICM~1\MUSICM~2\MMDiag.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\System32\wdfmgr.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-12 17:31:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-12 22:31
ComboFix2.txt 2010-12-12 02:29
ComboFix3.txt 2007-08-04 00:14
Pre-Run: 54,277,595,136 bytes free
Post-Run: 54,260,031,488 bytes free
- - End Of File - - D6197011BB80546B85EE9F74A0B98483
-
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F04CA000
Module End: F04E2000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F97A6000
Module End: F97A8000
Hidden: Yes
Module Name: \??\C:\commy\catchme.sys
Service Name: catchme
Module Base: F9542000
Module End: F954A000
Hidden: Yes
Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: F97FC000
Module End: F97FE000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwClose
Address: F0684CF0
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
Function Name: ZwCreateKey
Address: F0684BAC
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
Function Name: ZwDeleteKey
Address: F0685160
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
Function Name: ZwDeleteValueKey
Address: F068508A
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
Function Name: ZwDuplicateObject
Address: F0684782
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
Function Name: ZwOpenKey
Address: F0684C86
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
Function Name: ZwOpenProcess
Address: F06846C2
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
Function Name: ZwOpenThread
Address: F0684726
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
Function Name: ZwQueryValueKey
Address: F0684DA6
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
Function Name: ZwRenameKey
Address: F068522E
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
Function Name: ZwRestoreKey
Address: F0684D66
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
Function Name: ZwSetValueKey
Address: F0684EE6
Driver Base: F067C000
Driver End: F06A3000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\QooBox\BackEnv\AppData.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Cache.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Cookies.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Desktop.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Favorites.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\History.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\LocalAppData.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\LocalSettings.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Music.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\NetHood.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Personal.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Pictures.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\PrintHood.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Profiles.Folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Programs.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Recent.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\SendTo.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\SetPath.bat
Status: Access denied
Object: C:\QooBox\BackEnv\StartMenu.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\StartUp.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\SysPath.dat
Status: Access denied
Object: C:\QooBox\BackEnv\Templates.folder.dat
Status: Access denied
Object: C:\QooBox\BackEnv\VikPev00
Status: Access denied
-
Dave, I believe I have done as instructed. Not real sure about "Open the text file and copy/paste the log here
" (Sysprot.exe)
I did copy the file and paste for you to see. Please let me know what is next. Seems like things are running a little better. Thanks
-
Ok. Let's try one more scan.
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\17\47b9e491-5cd80ec8 a variant of Java/TrojanDownloader.OpenStream.NAS trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\58\2606caba-2b0bc1c3 multiple threats deleted - quarantined
C:\Documents and Settings\Owner\Shared\monking bird.mp3 WMA/TrojanDownloader.GetCodec.C trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Shared\yael naim-ima new soul.mp3 WMA/TrojanDownloader.GetCodec.C trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.ADA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1508\A0135460.DLL Win32/Toolbar.AskSBar application cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1531\A0138914.exe a variant of Win32/Kryptik.INB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1531\A0138918.exe a variant of Win32/Kryptik.INB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155017.exe Win32/Spy.Zbot.YW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155018.dll Win32/Cimag.DU trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155019.exe Win32/Cimag.DU trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155020.exe Win32/Adware.FakeAntiSpy.Q application cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155021.exe Win32/Cimag.DU trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155022.exe Win32/Adware.FakeAntiSpy.Q application cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155023.exe Win32/Cimag.DU trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155024.exe Win32/Adware.FakeAntiSpy.Q application cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155026.DLL a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1532\A0155028.exe a variant of Win32/Kryptik.INB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1538\A0164538.dll a variant of Win32/Cimag.EV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1538\A0166597.exe a variant of Win32/Kryptik.INB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1538\A0166598.exe a variant of Win32/Kryptik.INB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1538\A0166599.exe a variant of Win32/Olmarik.AJE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C289E17B-7714-4E43-B22E-77069D407D7C}\RP1538\A0166601.exe a variant of Win32/Kryptik.INB trojan cleaned by deleting - quarantined
-
Dave, ESET OnlineScan results are complete. Please let me know what is next. Thanks
-
Dave, I still have AVG on my computer. My windows security alert says it is "turned off" should it be removed completely?
You gave a link to remove it but I'm not sure which one to use.
Should I run:
AVG remover (32bit) etc....
AVG remover (64bit) etc....
or any of the other options.
I continue to have a "AVG Secure Search" bar on my machine. Thanks
-
You gave a link to remove it but I'm not sure which one to use.
Should I run:
AVG remover (32bit) etc....
AVG remover (64bit) etc....
or any of the other options.
Your computer is 32 bit.
How's your computer running now?
-
Dave, Computer running much better. Tried to uninstall AVG again and computer just kinda "sits there" and states that the program is not installed. Did one of the programs you had me run uninstall AVG? The "windows security alert" icon hasen't popped up with AVG on it like normal. I still have a red shield and yellow shield in the lower right side of my screen. Is this normal? and should I update whenever the yellow shield tells me there are updates?
Thanks.
-
Please try running this again.
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
-
Dave, sorry it's been a few days, but this is the last instructions you gave me to do. Thanks. Please let me know what is next.
Results of screen317's Security Check version 0.99.8
Windows XP Service Pack 2
Out of date service pack!! (http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
avast! Free Antivirus
ESET Online Scanner v3
McAfee Security Scan Plus
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 22
Out of date Java installed!
Adobe Flash Player
Adobe Reader X
````````````````````````````````
Process Check:
objlist.exe by Laurent
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 avastUI.exe
``````````End of Log````````````
-
Did one of the programs you had me run uninstall AVG?
Yes. Here it is again.
AVG Antivirus - AVG Antivirus Remover utility (http://www.avg.com/download-tools)
Please let me know if it removes AVG.
-
Dave, from what I can see, It looks like AVG is uninstalled. The program you had me run the black screen with white lettering all shows things like "AVGAdmin Server is not installed", "AVG ID sf i l terw7x is not installed" among other jarga, or "param empty" Does this lead you to believe it is uninstalled?
Machine is working much better.
-
Let's do some cleanup.
* Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
* Now type commy /uninstall in the runbox
* Make sure there's a space between commy and /Uninstall
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
If you have problems doing the above, please try this:
Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt
Please let me know which method works for you.
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*******************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
-
Dave,
The "Start then Run" option did not work for me. I had to Delete "Combo-Fix.exe file....etc
All other instructions are complete and machine seems to be running fine. I have to let it sit when I power it up for several minutes. Is it because Avast is updating? If I try to access the web, it just sits and tries to connect then after a while it will connect.
What programs can I uninstall and what programs do you "recommend" I continue to run and how frequently.
Thanks
-
Ok. Do this:
To turn off Windows XP System Restore:
NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.
To turn on Windows XP System Restore:
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.
This will give you a new, clean Restore Point.
********************************************
Is it because Avast is updating? If I try to access the web, it just sits and tries to connect then after a while it will connect.
Yes, my computer does the same thing. I usually try to let it warm up for about 10 mins. so that it can get all the updates. That's the price we have to pay for added security.
The only ones you should keep are SAS and MBAM. Update them and run them on a regular basis.Anything else can be deleted or uninstalled.
-
Dave,
The above instructions are complete.
Just to be sure, you recommend I keep SUPERAntiSpyware and Malwarebtyes Anti-Malware and run them frequently? Is this correct?
Do I also keep Avast?
And one last thing. When I power up my computer, I get a popup window in the lower right hand side from a Red shield with a little white "x" that state
"Your computer might be at risk
AVG Firewall is turned off
Click this balloon to fix this problem"
Is this something I want to do? I though we got rid of AVG
Thanks
-
Just to be sure, you recommend I keep SUPERAntiSpyware and Malwarebtyes Anti-Malware and run them frequently? Is this correct?
Do I also keep Avast?
Yes. Run them about once a week. You will see that SAS will pick up some tracking cookies, some good, some bad and MBAM will usually come up clean.
You need to keep Avast because that is your Anti-Virus program. The others are to keep malware, spyware etc out.
"Your computer might be at risk
AVG Firewall is turned off
Click this balloon to fix this problem"
Is this something I want to do? I though we got rid of AVG
If you ran the AVG Removal Tool, it should be gone. You can try running it again. You should turn on your Windows firewall or download and install one of the free ones below.
If it still gives you that error after you run the tool again, please do this:
•Start HijackThis
•Click on the Misc Tools button
•Click on the Open Uninstall Manager button.
•Click on the Save list... button and specify where you would like to save this file. When you press Save button a Notepad will open with the contents of that file. Save the file to your desktop.
Copy and paste this file in your next reply.
***********************************************
Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.
Remember only install ONE firewall
1) Comodo Personal Firewall (http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html)
3) Agnitum Outpost (http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html)
4) PC Tools Firewall Plus (http://www.majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.