Computer Hope

Software => Computer viruses and spyware => Topic started by: sjn2009 on August 08, 2008, 02:16:37 PM

Title: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: sjn2009 on August 08, 2008, 02:16:37 PM
Lately without warning I have been having issues where my computer gets a little slower. If I am playing an online game my latency skyrockets to the high 800's and sometimes low 1000. Then later I could be doing anything and suddenly my computer freezes and not knowing what to do I will press my "Turbo Reset" button located on the front of my tower. After the computer completely reboots I will notice my cursor "skips", just as a record does when scratched or warped, and it won't go away for a while. Soon after that issue the cycle restarts and my computer freezes or on rare occasion it will restart itself but not without alerting me with a black screen that covers the screen.

-Following Step 1 of the "Malware Removal Steps", I looked through and saw a few programs I am familiar with and the rest I haven't a clue what they are. Here are two screen shots of the list, perhaps someone can help me identify them and determine if they are needed/malicious.
http://i211.photobucket.com/albums/bb221/sjn2009/AoRP1.jpg
http://i211.photobucket.com/albums/bb221/sjn2009/AoRP2.jpg
-I completed Step 2 without any problems.
-I completed Step 3 without any problems, it did find some files and removed them.
-I completed Step 4 and had a few problems. While it was running AVG kept giving me threat pop-ups about different keyloggers found such as "msni.exe" and some .delf thing. However MBAM did not detect anything.
-I completed Step 5 and my Java is the most recent.
-I completed Step 6 and have begun my own forum post. :)

SAS Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/08/2008 at 01:38 PM

Application Version : 4.15.1000

Core Rules Database Version : 3530
Trace Rules Database Version: 1520

Scan type       : Complete Scan
Total Scan Time : 01:08:51

Memory items scanned      : 402
Memory threats detected   : 0
Registry items scanned    : 4906
Registry threats detected : 18
File items scanned        : 48094
File threats detected     : 2

Trojan.Media-Codec
   HKU\S-1-5-21-117609710-492894223-1957994488-1003\Software\Internet Security

Malware.AntiVermins
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\aknDdscbo
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\bYjgwbahhrqi
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\cvttim
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\eyqjtbFqHs
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\HdNY
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\HpreavpflQXOj
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\InprocServer32
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\InprocServer32#ThreadingModel
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\jdqjcJgUclo
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\jttrLkEhnc
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\mdjtbncn
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\nyezeiA
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\qizBNmisxuqRd
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\uaLpi
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\vgummv
   HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\WczkzdtL

Adware.Tracking Cookie
   C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt

Trojan.Downloader-Gen/Suspicious
   C:\PROGRAM FILES\WINRAR\SETUP&CABPACKER\FEWIZARD.EXE

MBAM log:
Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2

3:01:22 PM 8/8/2008
mbam-log-8-8-2008 (15-01-22).txt

Scan type: Quick Scan
Objects scanned: 44073
Time elapsed: 16 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:14 PM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Fly - smart.dll (file missing)
O20 - Winlogon Notify: Love - LoveFly.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6750 bytes


Title: Re: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: sjn2009 on August 08, 2008, 05:02:47 PM
After having my computer on for a few hours while doing the scans, cleaning up some old pictures/music and such I noticed my computer hadn't frozen once... So I thought I could try to play my game but to my demise 4 minutes into the game my computer froze.

So it seems I only have the freezing problem when playing games, so perhaps malware isn't causing it but I don't want to rule that out until I get some help. Because it's apparent I have something on my computer or AVG wouldn't keep detecting things randomly.
Title: Re: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: CBMatt on August 08, 2008, 07:39:21 PM
I'm assuming World of Warcraft is the one giving you the most trouble?  One of your infections was designed to try to steal account information from WoW players.  It should be gone, according to HJT, but let's err on the side of caution here.

There are a few things that I want you to do...

1.  Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O20 - Winlogon Notify: Fly - smart.dll (file missing)
O20 - Winlogon Notify: Love - LoveFly.dll (file missing)


Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode (http://www.computerhope.com/issues/chsafe.htm) and enable hidden files and folders (http://www.computerhope.com/issues/ch000516.htm).

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

Java(TM) 6 Update 5
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9


Note:  These programs are safe, but old versions of Java should be deleted, as they may cause a security risk and they take up a lot of space.  Do not remove Java(TM) 6 Update 7!

Navigate to and delete the following file(s) if present...

C:\WINDOWS\system32\smart.dll
C:\WINDOWS\system32\LoveFly.dll


Once you've done all of this, reboot into Normal Mode and follow the next step...



2.  Download Dr.Web CureIt! (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) & save it to your desktop.
You can use Notepad to open the DrWeb.cvs report by right clicking it and selecting Open with > Notepad
(Courtesy of evilfantasy.)



3.  Download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.




In your next post, I would like to see the logs from ComboFix and Dr. Web Cureit, along with a fresh new HijackThis log.
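
An added example, not part of the original post and not HijackThis's own code: a short Python triage that parses HijackThis log lines and flags orphaned registrations, the kind of entry step 1 above asks to be checked (autostart hooks whose target file is reported as missing). The sample lines are copied from the log earlier in this thread; the function names and section descriptions are this example's own.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Fly - smart.dll (file missing)
O20 - Winlogon Notify: Love - LoveFly.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Section codes that occur in this thread's log (descriptions worded for this example).
SECTIONS = {
    "R0": "IE start/search page",
    "R1": "IE start/search page",
    "R3": "URL search hook",
    "O2": "Browser Helper Object",
    "O4": "Autostart (Run key or Startup folder)",
    "O9": "IE extra button / Tools menu item",
    "O16": "Downloaded ActiveX object",
    "O18": "Extra protocol handler",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "Service",
}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# HijackThis marks a registration whose target is gone with one of these suffixes.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)
NOTIFY_RE = re.compile(
    r"^Winlogon Notify: (?P<name>.+?) - (?P<dll>.+?)(?: \(file missing\))?$"
)


@dataclass
class Entry:
    code: str         # section code, e.g. "O20"
    section: str      # human-readable section description
    body: str         # everything after "<code> - "
    orphaned: bool    # True when the target file is reported as absent


def parse_entries(log_text):
    """Return the R*/O* entries of a HijackThis log, skipping header and process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header line, running-process path, or blank line
        code, body = m["code"], m["body"]
        entries.append(
            Entry(code, SECTIONS.get(code, "unknown section"), body,
                  bool(ORPHAN_RE.search(body)))
        )
    return entries


def orphaned(entries):
    """Entries that still hook into the system although their file is gone."""
    return [e for e in entries if e.orphaned]


def winlogon_notify_orphans(entries):
    """(package name, DLL) pairs for Winlogon Notify packages with a missing DLL."""
    found = []
    for e in entries:
        if e.code != "O20" or not e.orphaned:
            continue
        m = NOTIFY_RE.match(e.body)
        if m:
            found.append((m["name"], m["dll"]))
    return found


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed")
    for e in orphaned(parsed):
        print(f"REVIEW  {e.code:<3} {e.section}: {e.body}")
    for name, dll in winlogon_notify_orphans(parsed):
        print(f"Winlogon Notify package '{name}' points at missing {dll}")
```

An orphaned entry is a leftover registration to review, not proof of infection: the R3 Yahoo! Toolbar hook in this log is flagged as well, although it is not among the entries listed in step 1.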
Title: Re: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: sjn2009 on August 09, 2008, 01:56:22 PM
Just a quick update and a side issue I'll need help with after I get these problems taken care of... The reason my computer "Freezes" during game play is because the fan on my graphics card isn't moving. So the card just overheats because of all the advanced graphics in the game. I assume this is very dangerous for me to play anything without repairing. So if someone could help me figure out that issue later that would be great.
The Dr.Web thing is taking forever but I will have the log soon.
Title: Re: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: sjn2009 on August 09, 2008, 07:57:55 PM
Ok finished all steps you have given me. Here are the logs.

DrWeb Log:
aolconnfix.exe;C:\;Trojan.PWS.Gamania.origin;Incurable.Moved.;
A0286869.exe;C:\ErdUndoCache\rp336;Program.mIRC.621;Moved.;
SpWizard.exe;C:\Program Files\WinRAR\Setup&CabPacker;Trojan.Click.17167;Deleted.;

ComboFix Log:
ComboFix 08-08-09.03 - Dianne 2008-08-09 20:11:41.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.208 [GMT -5:00]
Running from: C:\Documents and Settings\Dianne\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dianne\Application Data\inst.exe
C:\Documents and Settings\Dianne\Application Data\macromedia\Flash Player\#SharedObjects\8WYGXRH4\interclick.com
C:\Documents and Settings\Dianne\Application Data\macromedia\Flash Player\#SharedObjects\8WYGXRH4\interclick.com\ud.sol
C:\Documents and Settings\Dianne\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Dianne\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\disk.dll

.
(((((((((((((((((((((((((   Files Created from 2008-07-10 to 2008-08-10  )))))))))))))))))))))))))))))))
.

2008-08-09 06:41 . 2008-08-09 06:58   <DIR>   d--------   C:\Documents and Settings\Dianne\DoctorWeb
2008-08-08 12:24 . 2008-08-08 12:24   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-08-08 12:24 . 2008-08-08 12:24   <DIR>   d--------   C:\Documents and Settings\Dianne\Application Data\SUPERAntiSpyware.com
2008-08-08 12:24 . 2008-08-08 12:24   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 09:37 . 2008-07-30 20:07   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-25 21:44 . 2008-07-25 21:44   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\vsosdk
2008-07-25 21:42 . 2008-07-25 21:42   <DIR>   d--------   C:\Program Files\VSO
2008-07-25 21:42 . 2004-05-04 12:53   1,645,320   --a------   C:\WINDOWS\gdiplus.dll
2008-07-25 21:42 . 2006-05-20 17:16   1,184,984   --a------   C:\WINDOWS\system32\wvc1dmod.dll
2008-07-25 21:42 . 2006-05-11 20:21   626,688   --a------   C:\WINDOWS\system32\vp7vfw.dll
2008-07-25 21:42 . 2006-09-29 13:24   217,127   --a------   C:\WINDOWS\system32\drv43260.dll
2008-07-25 21:42 . 2006-09-29 13:25   208,935   --a------   C:\WINDOWS\system32\drv33260.dll
2008-07-25 21:42 . 2006-09-29 13:26   176,165   --a------   C:\WINDOWS\system32\drv23260.dll
2008-07-25 21:42 . 2007-03-18 21:37   65,602   --a------   C:\WINDOWS\system32\cook3260.dll
2008-07-25 19:04 . 2008-07-25 19:04   <DIR>   d--------   C:\WINDOWS\WinAVI Video Converter 9.0
2008-07-25 19:04 . 2008-07-25 19:05   <DIR>   d--------   C:\Program Files\WinAVI Video Converter 9.0
2008-07-25 18:14 . 2008-07-25 21:03   <DIR>   d--------   C:\Program Files\Common Files\Nero
2008-07-24 20:23 . 2004-03-09 00:00   212,240   --a------   C:\WINDOWS\system32\richtx32.ocx
2008-07-24 20:23 . 2000-05-19 17:56   81,920   --a------   C:\WINDOWS\system32\mbmouse.ocx
2008-07-24 20:23 . 2007-08-31 18:36   36,864   --a------   C:\WINDOWS\system32\trayicon_handler.ocx
2008-07-23 16:31 . 2008-07-23 16:31   <DIR>   d--------   C:\Program Files\Bonjour

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 01:10   ---------   d-----w   C:\Program Files\Trillian
2008-08-09 11:35   ---------   d-----w   C:\Program Files\Java
2008-08-08 17:23   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 15:18   ---------   d-----w   C:\Documents and Settings\Dianne\Application Data\Vso
2008-08-08 15:02   ---------   d-----w   C:\Program Files\World of Warcraft
2008-08-06 14:41   ---------   d-----w   C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 01:07   17,144   ----a-w   C:\WINDOWS\system32\drivers\mbam.sys
2008-07-26 02:42   47,360   ----a-w   C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-26 02:42   47,360   ----a-w   C:\Documents and Settings\Dianne\Application Data\pcouffin.sys
2008-07-23 21:33   ---------   d-----w   C:\Program Files\iTunes
2008-07-23 21:32   ---------   d-----w   C:\Program Files\iPod
2008-07-23 21:30   ---------   d-----w   C:\Program Files\QuickTime
2008-07-12 18:25   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-09 03:32   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-07 05:37   ---------   d-----w   C:\Documents and Settings\Dianne\Application Data\mIRC
2008-07-03 14:54   76,040   ----a-w   C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-03 14:53   96,520   ----a-w   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-03 14:53   10,520   ----a-w   C:\WINDOWS\system32\avgrsstx.dll
2008-06-28 04:30   0   ---ha-w   C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-28 04:30   0   ---ha-w   C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-06-28 04:24   ---------   d-----w   C:\Program Files\Common Files\LogiShared
2008-06-28 04:24   ---------   d-----w   C:\Documents and Settings\Dianne\Application Data\Logitech
2008-06-28 04:22   ---------   d-----w   C:\Program Files\Common Files\Logitech
2008-06-28 04:21   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-28 04:21   ---------   d-----w   C:\Program Files\Logitech
2008-06-28 04:21   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Logitech
2008-06-28 04:20   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-06-25 16:11   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 00:56   41,296   ----a-w   C:\WINDOWS\system32\xfcodec.dll
2008-05-27 02:33   7,680   ----a-w   C:\WINDOWS\system32\ff_vfw.dll
2008-05-27 02:33   60,273   ----a-w   C:\WINDOWS\system32\pthreadGC2.dll
2008-05-13 01:49   161,096   ----a-w   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41 69632]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 09:54 1232152]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]

C:\Documents and Settings\Dianne\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11 1222144]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-06-27 23:22:05 692224]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2008-06-03 12:19:10 20525056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.XFR1"= xfcodec.dll
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^traywc.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\traywc.exe
backup=C:\WINDOWS\pss\traywc.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gnetmous]
--a------ 2002-11-26 15:30 153600 C:\Program Files\COMPAQ\Scroll Mouse\gnetmous.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 02:41 8523776 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 02:41 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-12 04:10 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WANMiniportService"=2 (0x2)
"NVSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"dlbt_device"=3 (0x3)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe"
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 09:53]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-03 09:54]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 09:53]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 09:54]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
R3 JSWSCIMD;jswscimd Service;C:\WINDOWS\system32\DRIVERS\jswscimd.sys [2007-07-06 16:30]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Dianne\Desktop\misc\sex\IlvMoney1148.sys []
S3 rpqkfx;rpqkfx;C:\Documents and Settings\Dianne\Desktop\The Stuff\MMOGlider\rpqkfx.sys []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-19 09:56]
S3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-07-03 11:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx   REG_MULTI_SZ      sysagent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{30AC43C3-9F9B-C710-092B-0316EF1F69E4}]
C:\WINDOWS\system32\smsss.exe s

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
Contents of the 'Scheduled Tasks' folder

2008-08-10 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 14:24]

2008-08-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-10 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-MSMSGS - C:\Program Files\Messenger\msmsgs.exe
MSConfigStartUp-RealTray - C:\Program Files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-Steam - C:\Program Files\Steam\Steam.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dianne\Application Data\Mozilla\Firefox\Profiles\rkgflapl.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 20:15:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLBTCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


C:\WINDOWS\TEMP\b4cd3ab5-2b8a-4c86-995a-1bfd140f0f28.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-08-09 20:18:49
ComboFix-quarantined-files.txt  2008-08-10 01:18:20

Pre-Run: 18,452,893,696 bytes free
Post-Run: 18,448,756,736 bytes free

233   --- E O F ---   2008-08-05 18:00:14


Title: Re: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: sjn2009 on August 09, 2008, 08:02:04 PM
Also my brother gave me an unopened "Vcool" fan from Antec that fits where 2 normal PCI slots go, so I'm hoping putting that in can help my overheating issue. However, I'm still looking for ideas on how to fix the graphics card's built-in fan. I went to a local computer store and they said they didn't have much to offer for an "nVidia GeForce 6600 GT" other than a DIY cooling system, which to me looked like something I made in a welding class once.

Any thoughts there? But ofc the computer's safety is priority to my game playing.
Title: Re: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: CBMatt on August 10, 2008, 04:12:17 AM
Those scans should've helped.  Go ahead and post a final HijackThis log so I can make sure you're clean.


As for your hardware issue, this is definitely a problem and you should resolve it as fast as you can.  Installing that other fan should help out quite a bit.  It may be possible to find the necessary parts on eBay, so you can also fix the fan for your graphics card.  Unfortunately, my specialty is malware removal...I'm not much of a hardware wizard.  You should go ahead and post about this in the Hardware section of our forum, and I'm sure somebody will be able to give you the help/advice you need.
Title: Re: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: sjn2009 on August 10, 2008, 10:32:08 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:14 AM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TuneUp Utilities 2008\RegistryCleaner.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6034 bytes



I unplugged my computer to install the new fan and when I came back AVG now says Anti-Virus and Anti-Spyware are out of date... So I tried to update and it said there are no new updates. Any idea what's wrong there?
Title: Re: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: CBMatt on August 11, 2008, 07:07:27 AM
Your log looks clean...however, there is something that I just noticed.  Before I give you the clean bill of health, I want to check for a CoolWebSearch infection...

Download CWShredder here (http://cwshredder.net/bin/CWShredder.exe) to its own folder.

Update CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again, continuously tap F8.  A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder.  Click I Agree, then Fix, and then Next.  Let it fix everything it asks about.  Reboot your computer back into Normal Mode.




Let me know how that goes and post yet another log (sorry, but I need to make sure).  As for AVG, it's hard to say what the problem might be because the new AVG has a lot of issues.  Do you have AVG 8 and AVG Anti-Spyware, or do you simply have the Anti-Spyware that comes bundled with AVG 8?  If you have the two programs installed separately, that can cause a lot of problems.  If that's not the case, then there's no telling what the problem might be.  I would suggest stopping by the AVG forum (http://freeforum.avg.com) to ask about that because they would have a better idea of what might be going on.
Title: Re: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: sjn2009 on August 11, 2008, 11:29:07 AM
The CWShredder link doesn't seem to be working. But I got it off http://www.intermute.com/products/cwshredder.html
But the AVG issue solved when I restarted my computer. I think it might have been due to the fact that the clock was an hour behind in the year 2088.
Title: Re: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: sjn2009 on August 11, 2008, 11:35:53 AM
I pressed Check for Update and it resulted with this in the text box above:
"Checking for a new version of CWShredder from Trend Micro.

Unable to check for updates."

--
So I did the rest of the steps anyway and here's the resulting log (it said no CoolWebSearch found):

**** Run Keys ****

RUN: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
RUN: [nwiz] nwiz.exe /install
RUN: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
RUN: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
RUN: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
RUN: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
RUN: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
RUN: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
RUN: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
RUN: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


 **** Browser Helper Objects ****

BHO: [Adobe PDF Reader Link Helper] C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: [AVG Safe Search] C:\Program Files\AVG\AVG8\avgssie.dll
BHO: [SSVHelper Class] C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll


 **** IE Toolbars ****



 **** IE Extensions ****

IEExt: [] 
IEExt: [Research] 


 **** Hosts File Entries ****

HOSTS: 127.0.0.1       localhost
HOSTS: 127.0.0.1       localhost


 **** IE Settings ****

Default Page: http://go.microsoft.com/fwlink/?LinkId=69157
Default Search: http://go.microsoft.com/fwlink/?LinkId=54896
Local Page: C:\WINDOWS\system32\blank.htm
Search Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch


 **** IE Context Menu (Right click) ****



 **** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3022AA27-72BA-479E-8D38-CF7DC5BE32DD}] SEQPACKET 7
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3022AA27-72BA-479E-8D38-CF7DC5BE32DD}] DATAGRAM 7
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A3E322ED-51B9-4CFA-BA13-D3960FB219DA}] SEQPACKET 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A3E322ED-51B9-4CFA-BA13-D3960FB219DA}] DATAGRAM 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{52C33D97-83FB-4B51-AF87-B1E3804A163A}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{52C33D97-83FB-4B51-AF87-B1E3804A163A}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{58B9E5FB-7425-4BEA-86B5-9A965B09BFD8}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{58B9E5FB-7425-4BEA-86B5-9A965B09BFD8}] DATAGRAM 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{48705128-C97E-408F-B353-99BAEB681403}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{48705128-C97E-408F-B353-99BAEB681403}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CB3C7EBC-10FF-4032-8D6E-2A24C646477B}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CB3C7EBC-10FF-4032-8D6E-2A24C646477B}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{678844D3-0E3D-468E-804B-F88B29400ABD}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{678844D3-0E3D-468E-804B-F88B29400ABD}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F255E76C-879A-4D16-8AE4-3B2D23BBD775}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F255E76C-879A-4D16-8AE4-3B2D23BBD775}] DATAGRAM 4


 **** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


 **** Downloaded Program Files ****

{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} [http://go.microsoft.com/fwlink/?linkid=67633] C:\WINDOWS\system32\OGACheckControl.DLL
{166B1BCA-3F9C-11CF-8075-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab]
{17492023-C23A-453E-A040-C7C580BBF700} [http://go.microsoft.com/fwlink/?linkid=39204]
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} [C:\Program Files\Yahoo!\Common\yinsthelper.dll]
{67DABFBF-D0AB-41FA-9C46-CC0F21721616} [http://go.divx.com/plugin/DivXBrowserPlugin.cab]
{8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab]
{A4639D2F-774E-11D3-A490-00C04F6843FB} [http://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab]
{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab]
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]


 **** Windows Services ****

[ACS] C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[Apple Mobile Device] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[cisvc] C:\WINDOWS\System32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[clr_optimization_v2.0.50727_32] C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dlbt_device] C:\WINDOWS\system32\dlbtcoms.exe -service
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[FontCache3.0.0.0] C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[IDriverT] "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
[idsvc] "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
[ImapiService] C:\WINDOWS\System32\imapi.exe
[iPod Service] "C:\Program Files\iPod\bin\iPodService.exe"
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\system32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[NetTcpPortSharing] "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\system32\nvsvc32.exe
[PlugPlay] %SystemRoot%\system32\services.exe
[PnkBstrA] C:\WINDOWS\system32\PnkBstrA.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{4E077276-404A-4FFD-893B-12574A08FB76}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] C:\WINDOWS\System32\tlntsvr.exe
[trkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[TuneUp.Defrag] %SystemRoot%\System32\TuneUpDefragService.exe
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[usprserv] %SystemRoot%\System32\svchost.exe -k netsvcs
[UxTuneUp] %SystemRoot%\System32\svchost.exe -k netsvcs
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[WinDefend] "C:\Program Files\Windows Defender\MsMpEng.exe"
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[WMPNetworkSvc] "C:\Program Files\Windows Media Player\WMPNetwk.exe"
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %SystemRoot%\system32\svchost.exe -k netsvcs
[WudfSvc] %SystemRoot%\system32\svchost.exe -k WudfServiceGroup
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs


 **** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
SEARCH: [Default_Search_URL] http://www.google.com/ie
SEARCH: [CustomSearch] http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html


 **** Complete IE Options ****

IEOPT: [NoUpdateCheck] 
IEOPT: [NoJITSetup] 
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search] 
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://www.google.com/
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Check_Associations] No
IEOPT: [FullScreen] no
IEOPT: [NotifyDownloadComplete] no
IEOPT: [Window_Placement] ,
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Use FormSuggest] no
IEOPT: [AddToFavoritesExpanded] 
IEOPT: [FormSuggest PW Ask] no
IEOPT: [Use Search Asst] no
IEOPT: [Enable Browser Extensions] yes
IEOPT: [FormSuggest Passwords] yes
IEOPT: [Use Custom Search URL] 
IEOPT: [AutoSearch] 
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Default_Page_URL] http://go.microsoft.com/fwlink/?LinkId=69157
IEOPT: [Default_Search_URL] http://go.microsoft.com/fwlink/?LinkId=54896
IEOPT: [Search Page] http://go.microsoft.com/fwlink/?LinkId=54896
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk] 
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon] 
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width] 
IEOPT: [Placeholder_Height] 
IEOPT: [Start Page] http://www.yahoo.com/
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Search Bar] http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
Title: Re: Computer is: Freezing, Slowing Down, Randomly Restarting (+Multiple Keyloggers)
Post by: CBMatt on August 11, 2008, 06:00:58 PM
Quote
The CWShredder link doesn't seem to be working. But I got it off http://www.intermute.com/products/cwshredder.html
Sorry, I haven't had to use that program in quite a while.  Looks like I'll have to update my link!

Quote
But the AVG issue solved when I restarted my computer. I think it might have been due to the fact that the clock was an hour behind in the year 2088.
Ah, yes, although incorrect dates are easy to spot, incorrect times can slip by because I'm not viewing the logs live, so I really don't know if the times are right or not.  In any case, you are right about that being the problem; AVG is very picky about your clock having the correct settings.  If it's off by a certain amount, AVG is unable to update like it should.




As for the log...everything seems fairly normal.  I'm just concerned because of this line of your HJT log: MSIE: Unable to get Internet Explorer version!  In every case I have seen this, it has been related to CoolWebSearch.  You don't show any other symptoms, however, and your log is clean.  So, I have to admit that I'm not quite sure what could be causing this to happen.

I have heard that it can sometimes be related to Messenger Plus.  You have MSN Messenger, but I don't see Messenger Plus anywhere on your computer.  You can check your Add/Remove Programs, though, and if it's there, try uninstalling it and posting a new HJT log.  If it's not there, then simply skip this.

It's also possible that your IE has managed to become corrupted and needs to be repaired...
http://support.microsoft.com/kb/318378



I would try performing a repair install and then posting a new HJT log to see if that issue has been fixed.  But as far as actual infections, your computer looks clean.  However, you're vulnerable without a decent firewall, so you should look into getting either ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=dbtopnav_za), Kerio Personal Firewall (http://www.sunbelt-software.com/Kerio.cfm), or Comodo (http://www.personalfirewall.comodo.com).  They're all good free firewalls.  Just be sure you only have one installed at a time!  Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.
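
The review CBMatt describes above (reading the HijackThis header and entries for lines that need a second look) can be scripted. This is an added example, not part of the original thread or of HijackThis itself; the sample is an excerpt of the log posted earlier in the thread, and the rule names and the three heuristics are assumptions chosen for illustration.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:14 AM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

--
End of file - 6034 bytes
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+): (.*)$")         # e.g. "MSIE: ..."
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")       # e.g. "O4 - ..."
RUN_CMD_RE = re.compile(r"^.*?Run(?:Once)?: \[[^\]]*\] (.+)$")
ABS_PATH_RE = re.compile(r"[A-Za-z]:\\")                # any drive-rooted path


def parse_hjt(text):
    """Split a HijackThis log into header fields, processes and entries."""
    header, processes, entries = {}, [], []
    state = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            state = "processes"
            continue
        if state == "processes" and not line:
            state = "entries"        # blank line ends the process list
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            state = "entries"
            entries.append((entry.group(1), entry.group(2)))
        elif state == "processes" and line:
            processes.append(line)
        elif state == "header":
            field = HEADER_RE.match(line)
            if field:
                header[field.group(1)] = field.group(2)
    return {"header": header, "processes": processes, "entries": entries}


def triage(parsed):
    """Return (rule, line) pairs for a human to review; hits are not verdicts."""
    findings = []
    # Assumed rule 1: the MSIE header carries no version number.
    msie = parsed["header"].get("MSIE")
    if msie is None or not re.search(r"\d+\.\d+", msie):
        findings.append(("msie-version-missing", msie or ""))
    for code, body in parsed["entries"]:
        line = f"{code} - {body}"
        # Assumed rule 2: the entry points at a file that is not on disk.
        if body.rstrip().endswith("(no file)"):
            findings.append(("missing-file", line))
        # Assumed rule 3: a Run value with no drive-rooted path anywhere,
        # so the binary's location cannot be read off the log.
        if code == "O4":
            cmd = RUN_CMD_RE.match(body)
            if cmd and not ABS_PATH_RE.search(cmd.group(1)):
                findings.append(("run-no-path", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{rule:22} {line}")
```

A hit only marks a line for manual review, as in the thread, where the flagged header line turned up in a log that otherwise looked clean.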