Computer Hope

Software => Computer viruses and spyware => Topic started by: tajv2005 on April 08, 2009, 01:10:01 PM

Title: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 01:10:01 PM
http://www.computerhope.com:80/forum/index.php/topic,80898.0.html
This post moved from the above link.
   trojan problems
« on: Today at 07:54:29 AM »     

--------------------------------------------------------------------------------
I apologize if I am repeating but I am not seeing other threads about Trojans and I got 3 between Monday and Tuesday this week.
Monday AVG found this Trojan and removed it: Trojan Horse Downloader Agent 2 ARZ
I failed to copy the location of this Trojan.


On Tuesday it found the same plus
Trojan Horse Dropper JOC
And removed both.

Today, Wed April 8, 2009
AVG found no Trojan.

How do I know for sure they are gone?
Also: are the locations of the Tuesday Trojans related to System Restore?

C: System Volume Information\_restore(3831AAFO-62E3-409FBF5F-89C8CCC4C01A)\RP238\A0074986.exe
and
C: System Volume Information\_restore(3831AAFO-62E3-409FBF5F-89C8CCC4C01A)\RP49\A0008115.exe

I have no idea if listing the locations as AVG listed them will help you.


How I got it/them:
I tried using TUCOWS which I believed to be safe and never caused me a problem before. I downloaded a software from holersoft.net which is for getting TV channels on a computer

PC stats:
Windows XP Pro OEM
Service pack 3
AMD Sempron 3000+  1.6Gig
2.0 Gig RAM DDR-2
two 80 Gig hard drives by Western Digital

AVG 8.0 anti-virus free
windows firewall
internet explorer 7.0

----
Over a year ago, I got Trojans and was using McAfee which is free with Comcast.
It did not block them. It did not remove them.
AVG removed them, as I uninstalled McAfee and re-installed AVG free.
But I don't remember what kind of Trojan it was and it kept duplicating itself and I saw that it would do that in a microsoft data base article.
So what I finally did was use system mechanic drive scrubber to wipe the hard drive and start all over again.
-----
I am avoiding doing this again!!
==============================================
MALWARE BYTES LOG
 
 Malwarebytes' Anti-Malware 1.36
Database version: 1951
Windows 5.1.2600 Service Pack 3

4/8/2009 9:59:34 AM
mbam-log-2009-04-08 (09-59-34).txt

Scan type: Quick Scan
Objects scanned: 74751
Time elapsed: 6 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
==========================================

HIJACK THIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:37 PM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\AOL\1218857325\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AOL 9.5\waol.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\AOL 9.5\shellmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R3 - URLSearchHook: (no name) - {9EEDA970-CF59-49a1-845B-60B664694E5C} - C:\Program Files\MusicBar\SrchAstt\1.bin\MZSRCAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: MusicToolbar BHO - {371C1609-EB05-4333-A09E-C607DB6BA749} - C:\Program Files\MusicBar\bar\1.bin\MUSICBAR.DLL
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {9EEDA966-CF59-49a1-845B-60B664694E5C} - C:\Program Files\MusicBar\SrchAstt\1.bin\MZSRCAS.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Music Toolbar - {371C160B-EB05-4333-A09E-C607DB6BA749} - C:\Program Files\MusicBar\bar\1.bin\MUSICBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1218857325\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MusicBar Plugin] rundll32 C:\PROGRA~1\MusicBar\bar\1.bin\M2PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5\AOL.EXE" -b
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C5D6B2AD-7C33-4AA5-A482-7DD116607625} - http://ak.exe.imgfarm.com/images/nocache/musictoolbar/ei/MusicBarInitialSetup1.0.1.1.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553552100} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c993c493f3db38) (gupdate1c993c493f3db38) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Music Bar Service (MusicBarService) - MusicBar - C:\PROGRA~1\MusicBar\bar\1.bin\mzsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11066 bytes
=========================================
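As an added example that is not part of the thread: a small Python parser for the Malwarebytes 1.x text log format pasted above, run over a constructed excerpt of that log. It cross-checks the header counts against the items actually listed, tallies findings by family, and singles out the three Security Center "DisableNotify" values, which malware flips to 1 to silence the XP warnings that antivirus, firewall or updates are off. All function and constant names are my own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage its findings."""
import re
from collections import Counter

# Constructed excerpt in the format of the MBAM 1.36 log posted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1951

Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# "Registry Keys Infected: 7"  -> header count line
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"    -> start of a detail section
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<location> (<family>) -> <what MBAM did>"
FINDING_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<detail>.+)$")


def parse_mbam_log(text):
    """Return (summary_counts, findings).

    summary_counts maps section name -> count from the log header;
    findings is a list of dicts with keys section, location, family, detail.
    """
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return summary, findings


def counts_consistent(summary, findings):
    """True when every header count equals the number of items listed under it."""
    per_section = Counter(f["section"] for f in findings)
    names = set(summary) | set(per_section)
    return all(summary.get(n, 0) == per_section.get(n, 0) for n in names)


def triage(findings):
    """What a log reader would pull out: families seen, Security Center
    notification switches that were tampered with, and anything not removed."""
    families = Counter(f["family"] for f in findings)
    tampered = sorted(
        f["location"].rsplit("\\", 1)[-1]           # value name only
        for f in findings
        if f["family"] == "Disabled.SecurityCenter" and "Bad: (1)" in f["detail"]
    )
    unresolved = [f for f in findings if "successfully" not in f["detail"]]
    return {"families": families,
            "security_center_tampered": tampered,
            "unresolved": unresolved}


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    print("header counts match listed items:", counts_consistent(summary, findings))
    print(triage(findings))
```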


 
 
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 01:34:05 PM
I had no log for superantispyware free so I am scanning again.
The first time it found threats connected to adaware which confuses me. I thought adaware was safe. I don't understand why adaware has threats in it.
I removed the threats from quarantine.

this time it is finding adaware threats again.

notes from the first scan:
 adaware tracking cookie  (13) as file items
and adaware my web search/funwebproducts (5)
 as threats !! (18 total ) as registry items
---------------

Title: Re: trojan horse logs and notes tajv2005
Post by: harry 48 on April 08, 2009, 02:26:41 PM
remove adware, remove anything your security scans bring up, harry
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 02:29:23 PM
I saved screen shots this second scan with superantispyware but cannot put them in here?
It found 9 adaware threats in the files section of the scan.

That is all I can do?
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 02:30:15 PM
remove adware , harry

Please tell me what is wrong with adaware.  :)
Title: Re: trojan horse logs and notes tajv2005
Post by: harry 48 on April 08, 2009, 02:32:17 PM
http://www.computerhope.com/jargon/a/adware.htm

go to the above , harry
Title: Re: trojan horse logs and notes tajv2005
Post by: Geek-9pm on April 08, 2009, 02:45:17 PM
What's wrong with "Ad-Ware"? That is like asking
"What's wrong with Spyware?"
Read the answer given by Janet Attard (http://www.businessknowhow.com/internet/what_spyware_does.htm).
I would agree with her. And say that Ad-ware is nearly the same thing.
Both are invasions of personal privacy.  8)
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 02:45:25 PM
http://www.computerhope.com/jargon/a/adware.htm

go to the above , harry

OK Thanks, Harry, I promptly removed adaware even though I asked.
Now, I am going to this link.
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 02:49:27 PM
I am talking about lavasoft AdaWare:



http://www.lavasoft.com/


http://lavasoft.com/products/ad_aware_free.php

I understand what is wrong with adware and spyware, and malware: "everything" like you say ! hahaha
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 03:15:02 PM
I keep getting a message that says windows cannot find the active desktop html file. This file is needed for your active desktop. to turn off active desktop, click OK.

I have clicked OK all week long since the first trojan on Monday.

I think I have something in my computer that is not being found by all the scans I have made today.

Is there such a thing as an active desktop html file???
Title: Re: trojan horse logs and notes tajv2005
Post by: Karnac on April 08, 2009, 03:23:54 PM
Yes, there is......

http://support.microsoft.com/kb/171437
Title: Re: trojan horse logs and notes tajv2005
Post by: harry 48 on April 08, 2009, 03:50:09 PM
ok now you know not to leave anything in that comes up in the scans

i think the active desktop is a nuisance, harry
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 03:53:30 PM
Thank you, but I have IE 7 .
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 04:16:50 PM
I am running superantispyware a third time and finding MORE tracking cookies !!
and it says adware, not adaware (it was my mistake) !
However, Adaware is a good anti spyware tool, I think,  and is by Lavasoft.
Title: Re: trojan horse logs and notes tajv2005
Post by: Geek-9pm on April 08, 2009, 04:33:26 PM
Ad-Aware by Lavasoft  is what I find on Google.

The product is found on more than just the official site.

They are no way calling it AdWare!
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 04:41:22 PM
I know ! :)
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 10:57:39 PM
What about the logs I had to post? I thought someone was going to interpret them?

Harry, your replies do not make sense . You are not replying to what I said. I did not say I wanted another anti-spyware.
With all due respect and appreciation for your help.
Title: Re: trojan horse logs and notes tajv2005
Post by: evilfantasy on April 08, 2009, 11:06:57 PM
Hello tajv2005.

Please everyone but tajv2005 stop posting in this topic so we can finish this up without confusion.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 08, 2009, 11:11:03 PM
Thank you evilfantasy. I appreciate the comments and the combo fix. I will do it.
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 12:01:46 AM
evilfantasy
Am I going to be installing a new windows XP Pro?
Is that part of using  combfix ?

(I have been reading the instructions)http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

OK the recovery console is just a precaution.

So the next question is:
do I download from Windows and, instead of making 6 floppies, ComboFix installs the Recovery Console from the download??? Is that right?

I have read all the instructions, and it still seems that I will be losing my data on my hard drive and installing a new copy of windows XP Pro. ???

I am going to sleep finally ! (2:12AM)
Title: Re: trojan horse logs and notes tajv2005
Post by: evilfantasy on April 09, 2009, 01:01:59 AM
Installing the Recovery Console is up to you. It is usually not needed.
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 03:23:25 AM
Thank you. Now I need to know is combofix a removal tool? Will it tell me if I really  have removed all signs of the trojan(s)?

This post is a re-statement of the original post and question: the conditions and background to the question, which is: how does one know for sure when a trojan is removed completely?

I understand trojans to be worms which make it easy for hackers to invade a computer,  to install spyware or to steal identities...etc.

Last year, the trojan that invaded my computer,  I looked up in microsoft and it said it can multiply.
The removal tools that microsoft listed were not for that specific trojan.

That is why I wiped the hard drive with system mechanic drive scrubber.
It kept coming back and showing up in AVG free and in AdAWare and in spybot search & destroy.  So I wiped the hard drive.

Now, I am trying not to do that.  I would have to reinstall a whole list of programs and utilities.

I do not understand what combo fix will do for me. And what will come of the log? I posted logs and no one has yet to tell me about them.

I spent all day yesterday and I never fell asleep tonight/this morning. Now it is 5:15 AM and I have reached my limits long ago (like at about 7:00 PM Wednesday).

After I followed the procedures very faithfully, I ended up with no answer to my question: how do I know for sure I removed all of the trojan(s)?

I used SAS three times yesterday. I used HJT twice. And Malwarebytes twice. On the second time, last night, it hung up my computer when I tried to opt out of the screen saver ("press any key").

So I uninstalled all of the three utilities. And I installed AdAWare again. I know what it does and can do and have trusted it for 5 or 6 years.
I have trusted AVG that long too. I tried McAfee last year and it allowed the trojan in and could not remove it. That too is why I ended up wiping my hard drive last year.

The year before that, 2006, AVG stopped a virus from coming in. It trapped it, then removed it. Nothing was lost.
Right now this computer is working. AVG  is scanning. So far it has found only tracking cookies.


Is it not possible to remove a trojan horse? Again: how does one know for sure it is gone !!!!


This AVG scan showed only tracking cookies.
I am not going to use ComboFix for now.

Thank you for your help.
Title: Re: trojan horse logs and notes tajv2005
Post by: evilfantasy on April 09, 2009, 06:34:30 AM
Quote
I posted logs and no one has yet to tell me about them.

Nobody replying until me has been a member of the CH Malware Removal team and I normally don't tell you about them, rather I diagnose them and decide from them what needs to be done next, if anything. There are many types of malware. Search Google for the definitions.

I am not trying to be rude but this process includes posting logs and letting me diagnose them to see if any malware still remains and in turn what we need to do to remove it.

Quote
Is it not possible to remove a trojan horse? Again: how does one know for sure it is gone !!!!

I don't mind answering some questions, it's your computer and I want you to be comfortable, but if I have to explain the how, when, why and where of the infection we will never get anywhere. Remember I am volunteering my time. You either accept the help or not. Your choice.

If you are interested in ComboFix just click the link I provided in the instructions to run the tool. How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).

Note: AVG may still show as running when you start ComboFix. Just ignore the warnings and continue on. That's if you decide to continue. If not then please let me know so I can close this topic and start helping someone else.
Title: Re: trojan horse logs and notes tajv2005
Post by: harry 48 on April 09, 2009, 07:06:08 AM
SORRY for trying to help
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 07:30:34 AM
evilfantasy, I will run combo fix.
thank you.

Harry, don't be insulted. I have been at it (working on this problem) all day and all night.
Title: Re: trojan horse logs and notes tajv2005
Post by: harry 48 on April 09, 2009, 07:54:58 AM
don't question (too much) what you are being told by an expert; you are with 1 of the best

i had both AVG and McAfee, took them both out and got Avast, and it seems to be much better, but wait to see what evil says about that
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 08:58:16 AM
ComboFix 09-04-04.01 - Administrator 2009-04-09 10:41:53.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1531 [GMT -4:00]
Running from: d:\backup of c drive aprl 6 2009\Documents and Settings\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2009-03-09 to 2009-04-09  )))))))))))))))))))))))))))))))
.

2009-04-08 14:47 . 2009-04-08 14:47   <DIR>   d--------   c:\program files\Trend Micro
2009-04-08 13:25 . 2009-04-08 13:25   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Viewpoint
2009-04-08 12:00 . 2009-04-08 20:32   <DIR>   d--------   c:\program files\SUPERAntiSpyware
2009-04-08 12:00 . 2009-04-08 12:00   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-08 12:00 . 2009-04-08 20:32   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-08 11:41 . 2009-04-08 11:41   <DIR>   d--------   c:\program files\CCleaner
2009-04-08 09:30 . 2009-04-08 09:30   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-08 09:30 . 2009-04-08 09:30   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-07 14:04 . 2009-04-07 14:04   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Roxio
2009-04-07 14:03 . 2009-04-07 14:03   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Logitech
2009-04-07 14:03 . 2009-04-07 14:03   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\InstallShield
2009-04-07 14:03 . 2009-04-08 13:25   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\AOL
2009-04-07 10:57 . 2009-04-09 10:25   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\COMCASTTOOLBAR
2009-04-07 10:57 . 2009-04-07 10:57   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-04-06 12:54 . 2009-04-06 12:54   <DIR>   d--------   c:\program files\Common Files\SureThing Shared
2009-04-06 07:36 . 2009-04-06 07:36   <DIR>   d--------   c:\program files\NOTE  HP above  is for my mouse
2009-04-01 06:23 . 2009-04-01 06:23   <DIR>   d--h-----   c:\windows\system32\GroupPolicy
2009-03-25 18:40 . 2009-03-25 18:40   <DIR>   d--------   c:\program files\Photo Story 3 for Windows
2009-03-25 03:54 . 2009-03-25 10:46   <DIR>   d--------   c:\program files\MusicBar
2009-03-11 01:43 . 2004-08-03 19:56   221,184   --a------   c:\windows\system32\wmpns.dll
2009-03-11 01:06 . 2008-12-05 02:54   144,896   -----c---   c:\windows\system32\dllcache\schannel.dll
2009-03-09 16:12 . 2008-05-02 02:38   301,656   --a------   c:\windows\system32\BtCoreIf.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 14:18   ---------   d-----w   c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-08 18:45   ---------   d-----w   c:\program files\Java
2009-04-06 16:54   ---------   d-----w   c:\program files\Roxio
2009-04-06 16:54   ---------   d-----w   c:\program files\Common Files\Sonic Shared
2009-04-06 16:54   ---------   d-----w   c:\program files\Common Files\Roxio Shared
2009-04-06 16:50   ---------   d-----w   c:\documents and settings\All Users\Application Data\Roxio
2009-04-06 14:12   ---------   d-----w   c:\program files\Common Files\Real
2009-04-05 16:17   ---------   d-----w   c:\program files\Google
2009-04-05 16:13   ---------   d-----w   c:\program files\RegScrubXP
2009-04-05 16:08   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-03-31 22:08   ---------   d-----w   c:\program files\Creative
2009-03-19 11:52   ---------   d-----w   c:\program files\Common Files\Adobe
2009-03-09 20:12   ---------   d-----w   c:\program files\Common Files\Logitech
2009-03-09 20:11   ---------   d-----w   c:\program files\Common Files\Logishrd
2009-03-09 09:19   410,984   ----a-w   c:\windows\system32\deploytk.dll
2009-03-01 16:13   ---------   d-----w   c:\documents and settings\All Users\Application Data\McAfee.com
2009-02-17 15:11   ---------   d-----w   c:\program files\AOL 9.5
2009-02-17 13:59   ---------   d-----w   c:\program files\Common Files\AOL
2009-02-17 13:58   ---------   d-----w   c:\program files\Common Files\aolshare
2009-02-17 13:58   ---------   d-----w   c:\documents and settings\All Users\Application Data\AOL
2009-02-17 13:43   ---------   d-----w   c:\documents and settings\All Users\Application Data\AOL Downloads
2009-02-12 00:50   ---------   d-----w   c:\program files\AOL 9.1
2009-02-11 16:25   499,712   ----a-w   c:\windows\system32\msvcp71.dll
2009-02-11 16:25   348,160   ----a-w   c:\windows\system32\msvcr71.dll
2009-02-11 06:38   ---------   d-----w   c:\program files\service pack 3 overview downloads
2009-02-09 11:13   1,846,784   ----a-w   c:\windows\system32\win32k.sys
2009-01-30 22:01   10,520   ----a-w   c:\windows\system32\avgrsstx.dll
2008-11-24 17:07   2,217   ----a-w   c:\program files\devicetable.log
2008-11-12 15:58   93,696   ----a-w   c:\program files\Freebie - Mary Stafford - How I use EFT with Kids.ppt
2008-11-10 05:17   379,392   ----a-w   c:\program files\subinacl.msi
2008-11-10 05:15   208,144   ----a-w   c:\program files\uninstall_flash_player.exe
2008-09-05 18:01   267,056   ----a-w   c:\program files\utorrent.exe
2008-08-25 17:05   930   ----a-w   c:\program files\reset_minimal.zip
2008-08-23 20:10   19,153,264   ----a-w   c:\program files\aaw2008.exe
2008-08-22 21:46   15,083,520   ----a-w   c:\program files\spybotsd160.exe
2008-08-21 10:17   25,740,144   ----a-w   c:\program files\wmp11-windowsxp-x86-enu.exe
2008-08-19 11:52   632,265   ----a-w   c:\program files\0pop-popup-killer-and-surf-washer.exe
2008-08-17 12:50   76   ----a-w   c:\program files\DVDPATH.TXT
2008-08-17 03:42   15,452,536   ----a-w   c:\program files\IE7-WindowsXP-x86-enu.exe
2008-08-16 22:56   24,049   ----a-w   c:\program files\System Mechanic_ Boost PC speed with new Tri-Active Registry Optimization.eml
2008-08-16 03:45   4,189,808   ----a-w   c:\program files\ComcastToolbar2_2.exe
2008-09-04 10:53   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9EEDA970-CF59-49a1-845B-60B664694E5C}"= "c:\program files\MusicBar\SrchAstt\1.bin\MZSRCAS.DLL" [2009-03-25 61440]

[HKEY_CLASSES_ROOT\clsid\{9eeda970-cf59-49a1-845b-60b664694e5c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{371C1609-EB05-4333-A09E-C607DB6BA749}]
2009-03-25 03:54   266240   --a------   c:\program files\MusicBar\bar\1.bin\MUSICBAR.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EEDA966-CF59-49a1-845B-60B664694E5C}]
2009-03-25 03:54   61440   --a------   c:\program files\MusicBar\SrchAstt\1.bin\MZSRCAS.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{371C160B-EB05-4333-A09E-C607DB6BA749}"= "c:\program files\MusicBar\bar\1.bin\MUSICBAR.DLL" [2009-03-25 266240]

[HKEY_CLASSES_ROOT\clsid\{371c160b-eb05-4333-a09e-c607db6ba749}]
[HKEY_CLASSES_ROOT\TypeLib\{371C1608-EB05-4333-A09E-C607DB6BA749}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{371C160B-EB05-4333-A09E-C607DB6BA749}"= "c:\program files\MusicBar\bar\1.bin\MUSICBAR.DLL" [2009-03-25 266240]

[HKEY_CLASSES_ROOT\clsid\{371c160b-eb05-4333-a09e-c607db6ba749}]
[HKEY_CLASSES_ROOT\TypeLib\{371C1608-EB05-4333-A09E-C607DB6BA749}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"HostManager"="c:\program files\Common Files\AOL\1218857325\ee\AOLSoftware.exe" [2008-11-06 41264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-15 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2005-05-27 135168]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-08-16 684032]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-11-15 1121016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"MusicBar Plugin"="c:\progra~1\MusicBar\bar\1.bin\M2PLUGIN.DLL" [2009-03-25 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" [2007-04-19 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-04-19 c:\windows\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 c:\windows\RTHDCPL.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-02-06 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 18:01 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1218857325\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1218857325\\EE\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Roxio\\Digital Home 10\\RoxioUPnPRenderer10.exe"=
"c:\\Program Files\\Roxio\\Creator Classic 10\\Creator10.exe"=
"c:\\Program Files\\Roxio\\Digital Home 10\\RoxioUpnpService10.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-16 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-08-16 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-16 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-16 298264]
R3 HidMouse;HidMouse;c:\windows\system32\drivers\HidMouse.sys [2008-08-15 29184]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c993c493f3db38;Google Update Service (gupdate1c993c493f3db38);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 133104]
S2 MusicBarService;Music Bar Service;c:\progra~1\MusicBar\bar\1.bin\mzsvc.exe [2009-03-25 28758]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]
.
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-30 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 20:12]

2009-04-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 21:34]

2009-04-09 c:\windows\Tasks\User_Feed_Synchronization-{2490DAE9-5585-4789-B671-5653F94D9032}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
Trusted Zone: aol.com\free
DPF: {C5D6B2AD-7C33-4AA5-A482-7DD116607625} - hxxp://ak.exe.imgfarm.com/images/nocache/musictoolbar/ei/MusicBarInitialSetup1.0.1.1.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 10:42:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-04-09 10:44:23
ComboFix-quarantined-files.txt  2009-04-09 14:44:15

Pre-Run: 18,059,862,016 bytes free
Post-Run: 18,079,199,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

215   --- E O F ---   2009-04-06 20:44:28
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 08:59:43 AM
evilfantasy, there is the log from combo fix.

thank you very much! I am very happy I ran combo fix!!
Everything went very smoothly.
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 10:30:26 AM
evilfantasy
If it is of value to you, I uninstalled long ago:
system mechanic
utorrent
regedit
top speed
spybot S&D
Title: Re: trojan horse logs and notes tajv2005
Post by: evilfantasy on April 09, 2009, 10:38:09 AM
You're welcome.

There are a few more things to do to finish the cleanup.

Quote
evilfantasy
If it is of value to you, I uninstalled long ago:
system mechanic
utorrent
regedit
top speed
spybot S&D

I don't see anything running from those programs so it looks as if they were removed correctly. I am a bit skeptical about the Music Toolbar. Is that something you use?

You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered Foistware (http://en.wikipedia.org/wiki/Foistware) rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

More information: It is suggested to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
----------

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Folder::
c:\documents and settings\Administrator\Application Data\Viewpoint

Registry::
[-HKEY_CLASSES_ROOT\clsid\{9eeda970-cf59-49a1-845b-60b664694e5c}]

[-HKEY_CLASSES_ROOT\clsid\{371c160b-eb05-4333-a09e-c607db6ba749}]

[-HKEY_CLASSES_ROOT\TypeLib\{371C1608-EB05-4333-A09E-C607DB6BA749}]

[-HKEY_CLASSES_ROOT\clsid\{371c160b-eb05-4333-a09e-c607db6ba749}]

[-HKEY_CLASSES_ROOT\TypeLib\{371C1608-EB05-4333-A09E-C607DB6BA749}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
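For readers working through a ComboFix log like the ones in this thread, here is an added example (not from the thread and not ComboFix's own code): a small Python parser for the "Reg Loading Points" block and the R*/S* service lines that normalises ComboFix's progra~1 short paths and flags autostart entries whose file sits under a watch-list directory, here the MusicBar toolbar evilfantasy asks about. The sample log lines are constructed in the same shape as the log above; parse_autostarts, flag_entries and the watch list are the example's own names.

```python
"""Parse the autostart sections of a ComboFix log and flag entries of interest.

Added example; not part of the forum thread or of ComboFix. Handles three line
shapes from ComboFix's "Reg Loading Points" block plus its service lines:

  [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]   key header
  "Name"="c:\\path\\file.exe" [2009-03-25 49152]                         value line
  2009-03-25 03:54   61440   --a------   c:\\path\\file.dll               BHO line
  S2 Name;Display name;c:\\path\\file.exe [2009-03-25 28758]              service line
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
BHO_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<meta>[^\]]*)\])?$"
)


@dataclass
class Autostart:
    location: str  # registry key, or "service:<start type>" for R*/S* lines
    name: str      # value name, BHO CLSID, or service name
    path: str      # normalised, lower-cased file path


def normalize_path(path, meta=""):
    """Lower-case the path, expand the progra~1 short name ComboFix prints,
    and, for lines like "nwiz"="nwiz.exe" [2007-04-19 c:\\...\\nwiz.exe],
    take the full path from the bracketed part."""
    if "\\" not in path and "\\" in meta:
        path = meta.split(" ", 1)[1] if " " in meta else meta
    return path.lower().replace("c:\\progra~1\\", "c:\\program files\\")


def parse_autostarts(log_text):
    """Return every autostart entry found in the log, in file order."""
    entries = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            path = normalize_path(m.group("path"), m.group("meta") or "")
            entries.append(Autostart(current_key, m.group("name"), path))
            continue
        m = BHO_RE.match(line)
        if m and current_key and "Browser Helper Objects" in current_key:
            clsid = current_key.rsplit("\\", 1)[-1]
            entries.append(Autostart(current_key, clsid, normalize_path(m.group("path"))))
            continue
        m = SERVICE_RE.match(line)
        if m:
            path = normalize_path(m.group("path"), m.group("meta") or "")
            entries.append(Autostart("service:" + m.group("start"), m.group("name"), path))
    return entries


def flag_entries(entries, watch_terms):
    """Entries whose file path contains any watch term (case-insensitive)."""
    terms = [t.lower() for t in watch_terms]
    return [e for e in entries if any(t in e.path for t in terms)]


# Constructed sample in the shape of the ComboFix log above (not the real log).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{371C1609-EB05-4333-A09E-C607DB6BA749}]
2009-03-25 03:54   266240   --a------   c:\program files\MusicBar\bar\1.bin\MUSICBAR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]
"MusicBar Plugin"="c:\progra~1\MusicBar\bar\1.bin\M2PLUGIN.DLL" [2009-03-25 49152]
"nwiz"="nwiz.exe" [2007-04-19 c:\windows\system32\nwiz.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-16 325128]
S2 MusicBarService;Music Bar Service;c:\progra~1\MusicBar\bar\1.bin\mzsvc.exe [2009-03-25 28758]
"""

if __name__ == "__main__":
    found = parse_autostarts(SAMPLE_LOG)
    for entry in flag_entries(found, ["MusicBar"]):
        print(f"{entry.location}: {entry.name} -> {entry.path}")
```

Firewall-exception lines ("...exe"=) are deliberately not treated as autostarts, since they only authorise network access.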
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 11:16:51 AM
ComboFix 09-04-04.01 - Administrator 2009-04-09 13:01:32.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1489 [GMT -4:00]
Running from: d:\backup of c drive aprl 6 2009\Documents and Settings\Desktop\ComboFix.exe
Command switches used :: d:\backup of c drive aprl 6 2009\Documents and Settings\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2009-03-09 to 2009-04-09  )))))))))))))))))))))))))))))))
.

2009-04-09 11:15 . 2009-03-09 15:06   64,160   --a------   c:\windows\system32\drivers\Lbd.sys
2009-04-09 11:13 . 2009-04-09 11:13   <DIR>   d--------   c:\program files\Lavasoft
2009-04-09 11:13 . 2009-04-09 11:13   <DIR>   d--h-c---   c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-08 14:47 . 2009-04-08 14:47   <DIR>   d--------   c:\program files\Trend Micro
2009-04-08 13:25 . 2009-04-08 13:25   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Viewpoint
2009-04-08 12:00 . 2009-04-08 20:32   <DIR>   d--------   c:\program files\SUPERAntiSpyware
2009-04-08 12:00 . 2009-04-08 12:00   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-08 12:00 . 2009-04-08 20:32   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-08 11:41 . 2009-04-08 11:41   <DIR>   d--------   c:\program files\CCleaner
2009-04-08 09:30 . 2009-04-08 09:30   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-08 09:30 . 2009-04-08 09:30   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-07 14:04 . 2009-04-07 14:04   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Roxio
2009-04-07 14:03 . 2009-04-07 14:03   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Logitech
2009-04-07 14:03 . 2009-04-07 14:03   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\InstallShield
2009-04-07 14:03 . 2009-04-08 13:25   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\AOL
2009-04-07 10:57 . 2009-04-09 12:56   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\COMCASTTOOLBAR
2009-04-07 10:57 . 2009-04-07 10:57   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-04-06 12:54 . 2009-04-06 12:54   <DIR>   d--------   c:\program files\Common Files\SureThing Shared
2009-04-06 07:36 . 2009-04-06 07:36   <DIR>   d--------   c:\program files\NOTE  HP above  is for my mouse
2009-04-01 06:23 . 2009-04-01 06:23   <DIR>   d--h-----   c:\windows\system32\GroupPolicy
2009-03-25 18:40 . 2009-03-25 18:40   <DIR>   d--------   c:\program files\Photo Story 3 for Windows
2009-03-25 03:54 . 2009-03-25 10:46   <DIR>   d--------   c:\program files\MusicBar
2009-03-11 01:43 . 2004-08-03 19:56   221,184   --a------   c:\windows\system32\wmpns.dll
2009-03-11 01:06 . 2008-12-05 02:54   144,896   -----c---   c:\windows\system32\dllcache\schannel.dll
2009-03-09 16:12 . 2008-05-02 02:38   301,656   --a------   c:\windows\system32\BtCoreIf.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 15:13   ---------   d-----w   c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-08 18:45   ---------   d-----w   c:\program files\Java
2009-04-06 16:54   ---------   d-----w   c:\program files\Roxio
2009-04-06 16:54   ---------   d-----w   c:\program files\Common Files\Sonic Shared
2009-04-06 16:54   ---------   d-----w   c:\program files\Common Files\Roxio Shared
2009-04-06 16:50   ---------   d-----w   c:\documents and settings\All Users\Application Data\Roxio
2009-04-06 14:12   ---------   d-----w   c:\program files\Common Files\Real
2009-04-05 16:17   ---------   d-----w   c:\program files\Google
2009-04-05 16:13   ---------   d-----w   c:\program files\RegScrubXP
2009-04-05 16:08   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-03-31 22:08   ---------   d-----w   c:\program files\Creative
2009-03-19 11:52   ---------   d-----w   c:\program files\Common Files\Adobe
2009-03-09 20:12   ---------   d-----w   c:\program files\Common Files\Logitech
2009-03-09 20:11   ---------   d-----w   c:\program files\Common Files\Logishrd
2009-03-01 16:13   ---------   d-----w   c:\documents and settings\All Users\Application Data\McAfee.com
2009-02-17 15:11   ---------   d-----w   c:\program files\AOL 9.5
2009-02-17 13:59   ---------   d-----w   c:\program files\Common Files\AOL
2009-02-17 13:58   ---------   d-----w   c:\program files\Common Files\aolshare
2009-02-17 13:58   ---------   d-----w   c:\documents and settings\All Users\Application Data\AOL
2009-02-17 13:43   ---------   d-----w   c:\documents and settings\All Users\Application Data\AOL Downloads
2009-02-12 00:50   ---------   d-----w   c:\program files\AOL 9.1
2009-02-11 06:38   ---------   d-----w   c:\program files\service pack 3 overview downloads
2008-11-24 17:07   2,217   ----a-w   c:\program files\devicetable.log
2008-11-12 15:58   93,696   ----a-w   c:\program files\Freebie - Mary Stafford - How I use EFT with Kids.ppt
2008-11-10 05:17   379,392   ----a-w   c:\program files\subinacl.msi
2008-11-10 05:15   208,144   ----a-w   c:\program files\uninstall_flash_player.exe
2008-09-05 18:01   267,056   ----a-w   c:\program files\utorrent.exe
2008-08-25 17:05   930   ----a-w   c:\program files\reset_minimal.zip
2008-08-23 20:10   19,153,264   ----a-w   c:\program files\aaw2008.exe
2008-08-22 21:46   15,083,520   ----a-w   c:\program files\spybotsd160.exe
2008-08-21 10:17   25,740,144   ----a-w   c:\program files\wmp11-windowsxp-x86-enu.exe
2008-08-19 11:52   632,265   ----a-w   c:\program files\0pop-popup-killer-and-surf-washer.exe
2008-08-17 12:50   76   ----a-w   c:\program files\DVDPATH.TXT
2008-08-17 03:42   15,452,536   ----a-w   c:\program files\IE7-WindowsXP-x86-enu.exe
2008-08-16 22:56   24,049   ----a-w   c:\program files\System Mechanic_ Boost PC speed with new Tri-Active Registry Optimization.eml
2008-08-16 03:45   4,189,808   ----a-w   c:\program files\ComcastToolbar2_2.exe
2008-09-04 10:53   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat
.

(((((((((((((((((((((((((((((   SnapShot@2009-04-09_10.43.13.23   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-09 19:06:56   64,160   -c--a-w   c:\windows\system32\DRVSTORE\lbd_1D149FE61E2CD0936E43877117FE3EF0674B9944\Lbd.sys
+ 2009-04-09 17:04:43   16,384   ----atw   c:\windows\temp\Perflib_Perfdata_1e8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{371C1609-EB05-4333-A09E-C607DB6BA749}]
2009-03-25 03:54   266240   --a------   c:\program files\MusicBar\bar\1.bin\MUSICBAR.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EEDA966-CF59-49a1-845B-60B664694E5C}]
2009-03-25 03:54   61440   --a------   c:\program files\MusicBar\SrchAstt\1.bin\MZSRCAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"HostManager"="c:\program files\Common Files\AOL\1218857325\ee\AOLSoftware.exe" [2008-11-06 41264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-15 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2005-05-27 135168]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-08-16 684032]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-11-15 1121016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"MusicBar Plugin"="c:\progra~1\MusicBar\bar\1.bin\M2PLUGIN.DLL" [2009-03-25 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"nwiz"="nwiz.exe" [2007-04-19 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-04-19 c:\windows\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 c:\windows\RTHDCPL.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-02-06 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 18:01 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1218857325\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1218857325\\EE\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Roxio\\Digital Home 10\\RoxioUPnPRenderer10.exe"=
"c:\\Program Files\\Roxio\\Creator Classic 10\\Creator10.exe"=
"c:\\Program Files\\Roxio\\Digital Home 10\\RoxioUpnpService10.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-04-09 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-16 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-08-16 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-16 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-16 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R3 HidMouse;HidMouse;c:\windows\system32\drivers\HidMouse.sys [2008-08-15 29184]
S2 gupdate1c993c493f3db38;Google Update Service (gupdate1c993c493f3db38);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 133104]
S2 MusicBarService;Music Bar Service;c:\progra~1\MusicBar\bar\1.bin\mzsvc.exe [2009-03-25 28758]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]
.
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]

2009-01-30 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 20:12]

2009-04-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 21:34]

2009-04-09 c:\windows\Tasks\User_Feed_Synchronization-{2490DAE9-5585-4789-B671-5653F94D9032}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{9EEDA970-CF59-49a1-845B-60B664694E5C} - (no file)
Toolbar-{371C160B-EB05-4333-A09E-C607DB6BA749} - (no file)
WebBrowser-{371C160B-EB05-4333-A09E-C607DB6BA749} - (no file)


.
------- Supplementary Scan -------
.
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
Trusted Zone: aol.com\free
DPF: {C5D6B2AD-7C33-4AA5-A482-7DD116607625} - hxxp://ak.exe.imgfarm.com/images/nocache/musictoolbar/ei/MusicBarInitialSetup1.0.1.1.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 13:05:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WgaTray.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
.
**************************************************************************
.
Completion time: 2009-04-09 13:09:23 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-09 17:09:19
ComboFix2.txt  2009-04-09 14:44:25

Pre-Run: 17,909,145,600 bytes free
Post-Run: 17,940,643,840 bytes free

227   --- E O F ---   2009-04-06 20:44:28
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 11:17:52 AM


I only had viewpoint media player

all of a sudden my valid windows XP Pro is not valid!!!!! ???
my monitor is black!! and I am labeled!!
 
Windows XP Genuine Validation Results
 
This copy of Windows did not pass genuine validation.
The product key found on this computer was not assigned by Microsoft. View details
The Windows product key installed on this computer was not assigned by Microsoft. You may be a victim of counterfeit software. Learn more about getting genuine with the options below.
Title: Re: trojan horse logs and notes tajv2005
Post by: evilfantasy on April 09, 2009, 11:24:29 AM
We didn't remove anything that has to do with validation. Is this a legal copy of Windows?

Can you do a System Restore?
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 11:27:25 AM
Quote
We didn't remove anything that has to do with validation. Is this a legal copy of Windows?

Can you do a System Restore?

like I said YES it is legal and always passes validation.

oh, yes, I can do system restore.
Title: Re: trojan horse logs and notes tajv2005
Post by: evilfantasy on April 09, 2009, 11:30:03 AM
OK if you need to then do a restore.

Or...

Go to How to Tell (http://www.microsoft.com/genuine/default.aspx?displaylang=en&PartnerID=4) (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)

.
How is it now?
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 11:41:41 AM
evilfantasy, the restore points available were the ones created by combofix.
I used the first one. It did not restore my validation.
So I reversed it just now.

I will right now do the steps you outlined.
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 11:52:38 AM
It won't let me use my product key
!!


Windows XP Genuine Validation Results
 
This copy of Windows did not pass genuine validation.
The product key found on this computer was not assigned by Microsoft

That is what I get !!

---
I found a place to put in my product key.
It says I have a corporate version and is blocked because it is for companies etc.
Some friend gave me a valid corporate disc. It always passes validation.
Why now? why now? why now? why now? what did combofix do???
I forgot I used it last year. My good disc is supposedly scratched. I remember, when installing the OS, some files could not be loaded. It is supposed to be valid !!!
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 12:14:27 PM
I am under the impression because that is what this "friend" told me: all corporate discs can be used multiple times and on multiple machines.

This is what page I am on now. It will decide if files have been tampered with. Does that apply to combofix or any of the anti-malware tools and anti-virus tools?

Windows Product Key Update Tool Instructions
The steps below will help you use the Windows Product Key Update Tool to change your product key. Before running the Windows Product Key update tool, read all instructions to ensure that you understand how the tool works and what information is sent to Microsoft as a result of the update process. You may also wish to print this page before starting the update process.

Microsoft recommends creating a system restore point before any operating system changes.

The Windows Product Key Update Tool:
What it does

The Windows Product Key Update Tool will make changes to your Windows installation to update your product key. In addition, the product key update tool will scan a number of key Windows files to determine if they have been tampered with. If tampered files are discovered the product key update tool will alert you before continuing.

Information collected

Using the product key update tool results in information being sent to Microsoft. The information collected will not be used to identify or contact you. The information sent is standard Windows validation information as well as information related to the file tampering scan.

 I understand this tool will send the above information to Microsoft.
Download
To update your product key, follow these steps:
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 12:23:26 PM
It refused my good product key.
Was I supposed to use the corporate key?

I tried both keys. Now I am on a chat with microsoft.

this is very enraging.
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 09, 2009, 02:18:53 PM
It took me until just now to resolve the validation issue.
I think something changed when ComboFix ran, because now AVG told me it could not recognise my license number, and I had AVG Free installed. Now I have to install that again. It did not say AVG Free. But AVG Free does get a license number. Anyway, it must have been corrupted.

Microsoft took care of me! So I am happy again, but I was right to be afraid to install and use ComboFix. It did something to my computer. I am not yelling or accusing. Before ComboFix, my computer was valid and AVG was OK. After ComboFix, it was not valid and AVG was affected too.
I do not understand.
Title: Re: trojan horse logs and notes tajv2005
Post by: evilfantasy on April 09, 2009, 03:31:41 PM
Quote
I am under the impression because that is what this "friend" told me: all corporate discs can be used multiple times and on multiple machines.

This is not true. You were using a pirated key but told me it was legit. You assumed and you were wrong! Not me.

Quote
I was right to be afraid to install and use combo fix. It did something to my computer.

Yes. It set your security settings back to the default and therefore tripped the validation tool. ComboFix was not the problem, your license key was. Many companies are making it harder and harder to run their software on pirated Windows installs. That's not my, ComboFix's or Computer Hope's fault. It's yours!

Is that enough explanation? And here is a tip. Buy your software and that will never happen.

Sorry you deleted your account without waiting for a response. A thank you would have been nice but since we seem to be illegitimate in computer issues then I suppose you didn't think it necessary.

Good luck and safe surfing...

As this issue appears to be resolved this topic is closed. If you need it reopened then send me or another moderator a PM.
Title: Re: trojan horse logs and notes tajv2005
Post by: evilfantasy on April 11, 2009, 01:19:20 PM
Use the Kaspersky Lab Online Scanner (http://www.kaspersky.com/virusscanner)

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As(http://i154.photobucket.com/albums/s258/evilfantasy69/Kas-Savetxt.gif)

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 and 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

If needed, this animation (http://img505.imageshack.us/my.php?image=kassm9.gif) will guide you through the process.
Title: Re: trojan horse logs and notes tajv2005
Post by: BaRR on April 11, 2009, 01:48:42 PM
He did say that AVG was not functioning anymore, due to an invalid key. However, he was using AVG Free edition (as indicated by the log at the top of this page).
Quote
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
Therefore the only way his key could be invalid would be if it had gotten damaged or erased, because AVG Free does use a product key, but it's automatically entered by the installer when you install the software.

In addition, if he used ComboFix incorrectly, he may have interrupted the cleaning process while it was accessing one of the windows files; I had this exact problem when I deleted some windows files several years back to "see what would happen." My valid windows key would not validate, the Microsoft employees decided I was using an illegal copy and ignored me. I ended up having to format the computer and make a fresh install, at which point the software did validate.

Unless he was lying, I'm thinking he just used the program improperly and managed to either delete his product keys and/or damage the validation software.
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 11, 2009, 01:54:06 PM
Thank you BaRR, and I was not lying. My computer was always valid. It is a matter of pride. Microsoft knows what I did and they took care of me.

I used that corporate disc because I was told it was legal/valid and I believed that because windows always validated me and sent me automatic updates. I even installed SP3.

I also used it because my good OEM disc supposedly is scratched and when installing from it, I get messages saying such and such files can't be loaded.

Plus, the key microsoft had  listed for me is not the key for either disc.
What you said is right.
Title: Re: trojan horse logs and notes tajv2005
Post by: evilfantasy on April 11, 2009, 02:00:50 PM
Out of the ??thousands?? of times I have had users run ComboFix this is only the second time it caused an issue. While it is reliable there is a chance of failure when running ANY software.

We don't need to get into the key issue any more. If I thought you were lying I do have ways of finding out if it is legit or not. I didn't do that so I must believe you. I'm sure a raise of hands in the forums would show that a high percentage of users have had to re-validate Windows at least once. It's really not that uncommon.

Malware holds endless possibilities as to what it might do. Some is easy to fix and others take some time, trial and error...
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 11, 2009, 02:04:07 PM
Quote
Malware holds endless possibilities as to what it might do. Some is easy to fix and others take some time, trial and error...

EXACTLY
and the key issue is settled--by microsoft. It is done!

Kaspersky is running.

oh,and microsoft said combofix took out all infected files. So it took out some validation files for windows and for AVG. I also lost my address book and google earth.
I am not a computer expert. I either made mistakes with ComboFix like BaRR said, or it took out files like Microsoft said.
evilfantasy,I am sure you are a good person, but I do not want you
doing this; "If I thought you were lying I do have ways of finding out if it is legit or not. I didn't do that so I must believe you."
That is a violation . So, thank you for not doing it without me knowing.
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 11, 2009, 02:33:42 PM
BaRR, I appreciated your post. It helped me a lot.

evilfantasy, I appreciate you helping me get rid of those trojans.
Title: Re: trojan horse logs and notes tajv2005
Post by: patio on April 11, 2009, 03:06:26 PM
Quote
oh,and microsoft said combofix took out all infected files. So it took out some validation files for windows and for AVG. I also lost my address book and google earth.

This is utter nonsense.
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 11, 2009, 03:29:00 PM
KASPERSKY ONLINE SCANNER 7.0 REPORT 
Saturday, April 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, April 11, 2009 20:29:03
Records in database: 2035043
 
 
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
 
Scan area My Computer
A:\
B:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\ 
 
Scan statistics
Files scanned: 81583
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:31:20

No malware has been detected. The scan area is clean.
The selected area was scanned.
Title: Re: trojan horse logs and notes tajv2005
Post by: evilfantasy on April 11, 2009, 03:31:28 PM
You appear to be free of any malware.

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html) or Windows Vista System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial143.html)
----------

Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Check out  Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see  Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.
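The "flush System Restore, then set a new restore point" step above is the part of the clean-up that removes the `_restore{...}\RP###\A00xxxxx.exe` copies the scanner kept flagging earlier in this thread: every restore point is a snapshot, so a trojan that was deleted from its original location lives on inside the RP folders until those points are purged. The script below is an added example, not part of the original thread or of any tool it mentions. It uses the WMI `SystemRestore` class in the `root\default` namespace (present on Windows XP SP2 and later) and assumes PowerShell 2.0 or newer, an elevated session, and that the system drive is `C:\`; the restore point name is made up for the example.

```powershell
# Added example (not from the thread): purge all restore points after a confirmed
# clean scan, then create a fresh baseline. Requires an elevated PowerShell.
# Assumptions: system drive is C:\, PowerShell 2.0+, WMI SystemRestore class available.

$drive = 'C:\'
# Static WMI methods Enable / Disable / CreateRestorePoint live on the class object.
$sr = [wmiclass]'root\default:SystemRestore'

function Get-RestorePoints {
    # Lists every existing restore point. Each one corresponds to an RP### folder
    # under \System Volume Information\_restore{GUID}\ on the protected drive.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore -ErrorAction SilentlyContinue |
        Sort-Object SequenceNumber |
        ForEach-Object {
            New-Object PSObject -Property @{
                Sequence    = $_.SequenceNumber
                Description = $_.Description
                Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            }
        }
}

Write-Host 'Restore points before the flush:'
Get-RestorePoints | Format-Table Sequence, Created, Description -AutoSize

# 1. Disabling System Restore on the drive deletes every restore point on it,
#    including any infected A00xxxxx.exe copies kept inside old RP folders.
#    Only do this AFTER the on-demand scan came back clean, because the clean
#    points ComboFix created are deleted too.
$rc = $sr.Disable($drive).ReturnValue
if ($rc -ne 0) { throw "Disable failed with return code $rc (is this session elevated?)" }

# 2. Turn protection back on. The second argument waits until the service is ready.
$rc = $sr.Enable($drive, $true).ReturnValue
if ($rc -ne 0) { throw "Enable failed with return code $rc" }

# 3. Create the new baseline. 12 = MODIFY_SETTINGS restore point type,
#    100 = BEGIN_SYSTEM_CHANGE event type (constants from the SystemRestore WMI docs).
$rc = $sr.CreateRestorePoint('Clean baseline after malware removal', 12, 100).ReturnValue
if ($rc -ne 0) { throw "CreateRestorePoint failed with return code $rc" }

Write-Host 'Restore points after the flush (should be exactly one):'
Get-RestorePoints | Format-Table Sequence, Created, Description -AutoSize
```

Two caveats a practitioner should keep in mind. First, the disable step is the whole point: simply adding a new restore point on top of old ones leaves the infected copies in place and a later roll-back can reintroduce them, which is why the guide linked above says to turn System Restore off and back on. Second, on Windows 8 and later the operating system by default refuses to create more than one restore point per 24 hours, so `CreateRestorePoint` may return an error on a machine that already took one that day; on XP, Vista and 7 there is no such limit.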
Title: Re: trojan horse logs and notes tajv2005
Post by: tajv2005 on April 11, 2009, 03:39:57 PM
Thank you evilfantasy, evidently the problem is solved now.

If you agree, you can lock this thread.
Title: Re: trojan horse logs and notes tajv2005
Post by: evilfantasy on April 11, 2009, 04:48:01 PM
Yes it looks like you are in the clear as far as malware is concerned.