Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: Libera on August 17, 2010, 04:42:38 PM
-
When I checked my inbox today it told me that I had 31 new messages. This is very unusual! I looked and they are all postmaster delivery failures. I also got an email from my sister, saying that apparently emails are being sent from my address, that I did not send!
Can this be a virus? I use hotmail, so it is internet based. I changed the password, but I'm afraid it might not be enough?
I hope someone can help me!
TIA :D
-
Start reading and following the instructions from this post here (http://www.computerhope.com/forum/index.php/topic,46313.0.html).
Then a malware specialist can help you faster with your issues.
-
Sorry I did not know.
I went and followed all the steps, up to running HiJackThis, it won't let me run as administrator... Only gives me the option to open it. Any way around this? Anyways, here are the other logs, hope that's a start!
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4442
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943
8/17/2010 11:20:06 PM
mbam-log-2010-08-17 (23-20-06).txt
Scan type: Quick scan
Objects scanned: 162891
Time elapsed: 9 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/17/2010 at 08:54 PM
Application Version : 4.41.1000
Core Rules Database Version : 5372
Trace Rules Database Version: 3184
Scan type : Complete Scan
Total Scan Time : 02:13:11
Memory items scanned : 803
Memory threats detected : 0
Registry items scanned : 9274
Registry threats detected : 1
File items scanned : 188536
File threats detected : 138
Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-2649331228-3696308728-864307741-1002\SOFTWARE\FunWebProducts
Adware.Tracking Cookie
ads1.msn.com [ C:\Users\andy.andy-PC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DW68WWCK ]
bannerfarm.ace.advertising.com [ C:\Users\andy.andy-PC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DW68WWCK ]
flvplayer2.hardsextube.com [ C:\Users\andy.andy-PC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DW68WWCK ]
hottraffic.nl [ C:\Users\andy.andy-PC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DW68WWCK ]
media.scanscout.com [ C:\Users\andy.andy-PC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DW68WWCK ]
msntest.serving-sys.com [ C:\Users\andy.andy-PC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DW68WWCK ]
naiadsystems.com [ C:\Users\andy.andy-PC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DW68WWCK ]
vidii.hardsextube.com [ C:\Users\andy.andy-PC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DW68WWCK ]
www.naiadsystems.com [ C:\Users\andy.andy-PC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DW68WWCK ]
www.pornhub.com [ C:\Users\andy.andy-PC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\DW68WWCK ]
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\andy@atdmt[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\andy@weborama[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@2o7[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@adbrite[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@adprotraffic[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@adrevolver[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@adultadworld[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@advertising[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@apmebf[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@atdmt[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@casalemedia[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@collective-media[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@doubleclick[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@fastclick[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@free-sexy-clips[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@hitbox[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@hotsexdump[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@imrworldwide[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@insightexpressai[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@interclick[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@kontera[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@media6degrees[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@naiadsystems[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@pornfuze[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@pornhub[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@questionmarket[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@realaporn[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@revsci[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][3].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][4].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][5].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@serving-sys[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@sexyclips[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@socialmedia[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@specificclick[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@specificmedia[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@statcounter[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@tacoda[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@trafficmp[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@tribalfusion[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@videos-xxx-*censored*[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@weborama[1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@xporntube[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@zedo[1].txt
.msnportal.112.2o7.net [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.atdmt.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.questionmarket.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.questionmarket.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.atdmt.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.advertising.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.advertising.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.advertising.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.advertising.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
ads.adultadvertising.net [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
rts.pgmediaserve.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
statse.webtrendslive.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.*adult URL* [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.*adult URL* [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.*adult URL* [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.*adult URL* [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.*adult URL* [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.banners.facebookofsex.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.banners.facebookofsex.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.banners.facebookofsex.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.banners.facebookofsex.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.banners.facebookofsex.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
pornayo.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
pornayo.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
pornayo.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
pornayo.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
pornayo.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
pornayo.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.*adult URL* [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.*adult URL* [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.adxpansion.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.facebookofsex.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.facebookofsex.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
pornayo.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.pornayo.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.pornayo.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.*adult URL* [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.*adult URL* [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.ero-advertising.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.ero-advertising.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.naiadsystems.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.naiadsystems.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.bannerbobber.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.bannerbobber.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.myroitracking.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.clicksor.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.clicksor.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.clicksor.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.clicksor.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.clicksor.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.clicksor.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.media6degrees.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.media6degrees.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.ero-advertising.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.doubleclick.net [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.sexcouple.info [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.sexcouple.info [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.sexcouple.info [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
.statcounter.com [ C:\Users\andy.andy-PC\AppData\Roaming\Mozilla\Firefox\Profiles\it6pvbu3.default\cookies.sqlite ]
Trojan.Agent/Gen-Nullo[Short]
C:\USERS\SANNA\DOWNLOADS\V11_ADOBE_FLASH.EXE
-
Oh, Andy!
-
???
-
???
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@free-sexy-clips[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@hitbox[2].txt
C:\Users\andy.andy-PC\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy@hotsexdump[2].txt
Those cookies...
-
Those cookies...
[email protected][2].txt
[email protected][1].txt
andy@pornhub[1].txt
andy@xporntube[2].txt
[email protected][2].txt
andy@adultadworld[1].txt
[email protected][2].txt
*adult URL*
*adult URL*
*adult URL*
*adult URL*
*adult URL*
sexcouple.info
sexcouple.info
sexcouple.info
banners.facebookofsex.com
banners.facebookofsex.com
banners.facebookofsex.com
banners.facebookofsex.com
banners.facebookofsex.com
-
That's probably how my computer got messed up yes. But pointing that out won't help me fix it, and I am not the one visiting those sites. My dear brother in law has already had his *censored* chewed over it, now I just need help fixing it.... :(
-
I tried running HiJack again, but it will not let me run it as administrator!!
Trying to re-download it now, maybe that will fix it?
-
Here is the log I got, without running it as administrator:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:04:49 PM, on 8/18/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\sttray.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1033&_lang=EN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5428
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5428
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [McAfeeUpdate] "C:\Program Files\McAfee\MSC\McUpdUtl.exe" /RunKey
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" update "Software\CyberLink\PowerProducer\4.0"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O15 - Trusted Zone: http://mvooren.hyves.net
O15 - Trusted Zone: *.hyves.nl
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
--
End of file - 11142 bytes
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
Open HijackThis and select Do a system scan only
Place a check mark next to the following entries: (if there)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge, as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the Trusted Zone. If you agree, please do the following. Please place a check mark next to this/these line/lines.
O15 - Trusted Zone: http://mvooren.hyves.net
O15 - Trusted Zone: *.hyves.nl
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
***************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
********************************************
Download ComboFix by sUBs from one of the below links.
Important! You MUST save ComboFix to your desktop
link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)
Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click on ComboFix.exe & follow the prompts.
Vista users: Right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
When the scan completes it will open a text window.
Post the contents of that log in your next reply.
Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
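The O15 lines above are HijackThis's view of Internet Explorer's ZoneMap. Added example (editor's code, not from this thread or from HijackThis): a small triage script that pulls the O15 entries out of a log, works out the registry key and value name where IE stores each assignment (ZoneMap\Domains, keyed by registrable domain with one subkey per extra host label, protocol as the value name, DWORD 2 = Trusted sites), and marks anything not on an explicit allowlist for review. The sample log and the allowlist are constructed for the example; the two hyves entries mirror the ones quoted in the post.

```python
"""Triage HijackThis "O15 - Trusted Zone" lines (example code for this page)."""
import re
from urllib.parse import urlsplit

# Constructed sample log: the two O15 lines from the thread, one benign
# wildcard entry, and one non-O15 line to show that the filter ignores it.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [McAfeeUpdate] c:\\program files\\McAfee\\MSC\\McUpdUtl.exe
O15 - Trusted Zone: http://mvooren.hyves.net
O15 - Trusted Zone: *.hyves.nl
O15 - Trusted Zone: *.update.microsoft.com
"""

# Constructed allowlist: domains the machine's owner has deliberately trusted.
ALLOWLIST = {"update.microsoft.com"}

ZONE_TRUSTED = 2  # IE URL security zone id for "Trusted sites"
ZONEMAP = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<entry>\S+)\s*$")


def parse_o15(log_text):
    """Return the raw entry of every 'O15 - Trusted Zone' line, in log order."""
    return [m.group("entry") for m in map(O15_RE.match, log_text.splitlines()) if m]


def split_entry(entry):
    """Break an O15 entry into (scheme, host, wildcard).

    '*.hyves.nl'               -> ('*', 'hyves.nl', True)
    'http://mvooren.hyves.net' -> ('http', 'mvooren.hyves.net', False)
    """
    if "://" in entry:
        parts = urlsplit(entry)
        scheme, host = parts.scheme, parts.hostname or ""
    else:
        scheme, host = "*", entry  # no scheme: all protocols ('*' value in ZoneMap)
    wildcard = host.startswith("*.")
    if wildcard:
        host = host[2:]
    return scheme, host.lower(), wildcard


def registry_location(entry):
    """Registry key and value name under which IE stores this zone assignment.

    IE keys ZoneMap entries by registrable domain, adds one subkey per extra
    host label, and uses the protocol as the value name (DWORD data = zone id).
    """
    scheme, host, _ = split_entry(entry)
    labels = host.split(".")
    key = f"{ZONEMAP}\\{'.'.join(labels[-2:])}"
    if len(labels) > 2:
        key += "\\" + ".".join(labels[:-2])
    return key, scheme


def triage(log_text, allowlist=ALLOWLIST):
    """Return one finding dict per O15 entry, with an allowlist verdict."""
    findings = []
    for entry in parse_o15(log_text):
        scheme, host, wildcard = split_entry(entry)
        key, value_name = registry_location(entry)
        approved = any(host == a or host.endswith("." + a) for a in allowlist)
        findings.append({
            "entry": entry,
            "host": host,
            "wildcard": wildcard,
            "registry_key": key,
            "value_name": value_name,
            "verdict": "approved" if approved else "review/fix",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:<11} {f['entry']:<28} -> "
              f"{f['registry_key']} [{f['value_name']}={ZONE_TRUSTED}]")
```

The registry path the script prints is where to look on the live machine (for example with `reg query` on that key) to confirm that "Fix checked" in HijackThis actually removed the assignment, and it is also the location to watch if the entries reappear after cleaning, which would point to something still running that re-adds them.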
-
Thank you for your reply, I am sorry for not getting back here sooner. I went on vacation... But now I'm ready to fix my computer!
I followed all your instructions on fixing the lines in HiJackThis and running Security Check, but it will not let me download ComboFix!! When I try, I get a McAfee pop-up telling me that it blocked and removed a Trojan... (something "Artemis") So I couldn't run that one. Am I doing it wrong?? I tried saving it to the desktop.
Here is the SC file:
Results of screen317's Security Check version 0.99.5
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
McAfee SecurityCenter
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 21
Adobe Flash Player 10.0.32.18
Adobe Reader 9.1
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent
McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
mcafee VIRUSS~1 mcvsshld.exe
mcafee VIRUSS~1 mcvsmap.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
-
You should get the latest version of Adobe Reader with all the latest updates. Dave will help you with your other issues, good luck.
-
Please download the newest version of Adobe Acrobat Reader from Adobe.com (http://www.adobe.com/products/acrobat/readstep2.html)
Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.
Once old versions are gone, please install the newest version.
**********************************
Please download ComboFix on another computer and transfer it to your computer using this method. If your AV blocks ComboFix from running, please disable it. (Make sure you physically disconnect your computer from the internet while your AV is disabled.)
If you can't access the internet with your infected computer, you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
-
I downloaded the new Acrobat Reader. My internet connection is fine, it somehow just won't let me download the ComboFix tool. But I will try to use a different computer and get it that way!
-
OK, I tried again, it says the source file cannot be read? Tried again, then it says an unknown error occurred.
From McAfee I get this pop-up:
About this Trojan
Detected: Artemis!270F22429B2F (Trojan), Artemis!270F22429B2F (Trojan)
Location: C:\Users\Sanna\AppData\Local\Mozilla\Firefox\Profiles\vs32t4xs.default\Cache\1EF26877d01
Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer.
I will try to get it on a different computer asap
ETA:
I disabled McAfee, after which it let me download ComboFix. As soon as McAfee came back on, it removed ComboFix, automatically! But I got the log, here it is:
ComboFix 10-09-01.04 - Sanna 09/02/2010 20:59:39.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.935 [GMT -7:00]
Running from: c:\users\Sanna\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))
.
2010-09-03 04:08 . 2010-09-03 04:08 -------- d-----w- c:\users\Sanna\AppData\Local\temp
2010-09-03 04:08 . 2010-09-03 04:08 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-03 04:08 . 2010-09-03 04:08 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-09-03 04:08 . 2010-09-03 04:08 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2010-09-03 04:08 . 2010-09-03 04:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-03 04:08 . 2010-09-03 04:08 -------- d-----w- c:\users\andy\AppData\Local\temp
2010-09-03 04:08 . 2010-09-03 04:08 -------- d-----w- c:\users\andy.andy-PC\AppData\Local\temp
2010-09-02 23:23 . 2010-09-02 23:24 -------- d-----w- c:\program files\QuickTime
2010-09-02 23:23 . 2010-09-02 23:23 -------- d-----w- c:\programdata\Apple Computer
2010-08-26 00:08 . 2010-08-26 00:08 -------- d-----w- c:\windows\Sun
2010-08-19 01:59 . 2010-08-19 01:59 388096 ----a-r- c:\users\Sanna\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-18 06:31 . 2010-08-18 06:31 -------- d-----w- c:\program files\Trend Micro
2010-08-18 06:25 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-18 01:34 . 2010-08-18 01:34 63488 ----a-w- c:\users\Sanna\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-18 01:34 . 2010-08-18 01:34 52224 ----a-w- c:\users\Sanna\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-18 01:34 . 2010-08-18 01:34 117760 ----a-w- c:\users\Sanna\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-18 01:34 . 2010-08-18 01:34 -------- d-----w- c:\users\Sanna\AppData\Roaming\SUPERAntiSpyware.com
2010-08-18 01:34 . 2010-08-18 01:34 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-18 01:34 . 2010-08-18 01:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-18 01:25 . 2010-08-18 01:25 -------- d-----w- c:\programdata\Yahoo! Companion
2010-08-18 01:25 . 2010-08-18 01:25 -------- d-----w- c:\program files\CCleaner
2010-08-12 23:54 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 23:54 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 23:54 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 23:54 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 23:54 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 23:54 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-09 00:18 . 2010-08-09 00:19 -------- d-----w- c:\users\Sanna\AppData\Roaming\Ipswitch
2010-08-09 00:17 . 2010-08-09 00:17 -------- d-----w- c:\programdata\Ipswitch
2010-08-09 00:17 . 2010-08-09 00:17 -------- d-----w- c:\program files\Ipswitch
2010-08-09 00:16 . 2010-08-09 00:16 -------- d-----w- c:\users\Sanna\AppData\Roaming\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 03:16 . 2008-04-07 16:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-26 02:22 . 2007-06-14 06:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-26 00:58 . 2009-08-26 05:18 -------- d-----w- c:\users\Sanna\AppData\Roaming\gtk-2.0
2010-08-20 17:42 . 2007-02-26 16:32 -------- d-----w- c:\programdata\WildTangent
2010-08-18 06:25 . 2007-02-26 16:40 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 06:25 . 2007-02-26 16:40 -------- d-----w- c:\program files\Java
2010-08-18 01:25 . 2007-06-20 05:11 -------- d-----w- c:\program files\Yahoo!
2010-08-13 10:02 . 2007-02-26 16:37 -------- d-----w- c:\programdata\Microsoft Help
2010-08-13 10:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-09 00:17 . 2007-02-26 16:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-20 02:30 . 2007-07-02 22:01 2314 ----a-w- c:\users\Sanna\AppData\Roaming\wklnhst.dat
2010-06-28 04:22 . 2010-06-28 04:22 501936 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbDBA2.tmp.exe
2010-06-26 06:05 . 2010-08-12 23:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-12 23:55 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-12 23:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-12 23:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-25 21:34 . 2010-06-25 21:34 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-06-21 13:37 . 2010-08-12 23:55 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 17:31 . 2010-08-12 23:55 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-11 16:16 . 2010-08-12 23:55 274944 ----a-w- c:\windows\system32\schannel.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-16 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-02 303104]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"McAfeeUpdate"="c:\program files\McAfee\MSC\McUpdUtl.exe" [2010-02-11 300352]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-02-22 222504]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-16 151552]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2008-05-22 151552]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
c:\users\Sanna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):27,02,49,61,61,48,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2649331228-3696308728-864307741-1001]
"EnableNotificationsRef"=dword:00000002
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2649331228-3696308728-864307741-500]
"EnableNotificationsRef"=dword:00000002
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 135664]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-18 23680]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-08-20 716272]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys [2006-09-28 28672]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-02-26 5504]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-09-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]
2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 16:54]
2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 16:54]
2010-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-10 20:22]
2010-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-10 20:22]
2010-09-03 c:\windows\Tasks\Norton Security Scan for Sanna.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-02-18 14:31]
2010-08-11 c:\windows\Tasks\TASK20100810204837.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810204956.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810205032.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810212436.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810212448.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810212457.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810212507.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810212514.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810213336.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214229.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214240.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214247.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214301.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214351.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214359.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214424.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214433.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214802.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214815.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214824.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214832.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810214841.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-13 c:\windows\Tasks\TASK20100811154011.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-13 c:\windows\Tasks\TASK20100811154254.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-13 c:\windows\Tasks\TASK20100811155208.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100811155426.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-13 c:\windows\Tasks\TASK20100811155619.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-13 c:\windows\Tasks\TASK20100811161118.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-13 c:\windows\Tasks\TASK20100811161456.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-13 c:\windows\Tasks\TASK20100811194013.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-12 c:\windows\Tasks\TASK20100811194152.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1033&_lang=EN
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5428
uInternet Settings,ProxyOverride = <local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Sanna\AppData\Roaming\Mozilla\Firefox\Profiles\vs32t4xs.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1033&_lang=EN
FF - component: c:\users\Sanna\AppData\Roaming\Mozilla\Firefox\Profiles\vs32t4xs.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Sanna\AppData\Roaming\Mozilla\Firefox\Profiles\vs32t4xs.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\Sanna\AppData\Roaming\Mozilla\Firefox\Profiles\vs32t4xs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2649331228-3696308728-864307741-1002\Software\SecuROM\License information*]
"datasecu"=hex:0c,4a,79,53,57,5b,17,b2,93,c1,9b,d3,d2,ba,37,ca,1e,1a,ed,5a,80,
5d,03,0f,2c,62,a9,34,5a,90,d1,1d,8e,18,1a,24,58,85,c5,ea,4a,66,05,ff,d4,03,\
"rkeysecu"=hex:c6,84,0b,26,f1,a9,ea,d9,28,51,48,fe,38,e9,69,1d
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-02 21:13:37
ComboFix-quarantined-files.txt 2010-09-03 04:13
ComboFix2.txt 2010-08-20 16:06
Pre-Run: 84,794,810,368 bytes free
Post-Run: 84,803,801,088 bytes free
- - End Of File - - 3291FF7215808E2B812A6A53CF2F39AB
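The ComboFix log above lists three kinds of autostart: Run-key values with a `[date size]` suffix, service/driver lines prefixed `R0..R4`/`S0..S4`, and scheduled-task pairs (a `.job` line followed by `- image` line). Added example (editor's code, not part of ComboFix or of this thread): a parser for those three formats that flags images living in user-writable locations or given without a full path (a bare name like `sttray.exe` is resolved by PATH search at logon), and counts how many autostarts share one image, which is how the run of WS_FTP tasks stands out. The excerpt is constructed in the log's format; the Temp-resident Run value and the AppData-resident task are added so the checks fire.

```python
"""Triage the autostart sections of a ComboFix log (example code for this page)."""
import re
from collections import Counter

# Constructed excerpt in ComboFix's format. Two lines are not from the
# thread's log: the "updater" Run value and the "Sync.job" task.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-16 39408]
"updater"="c:\users\Sanna\AppData\Local\temp\updater.exe" [2010-09-01 51200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-02 303104]
"McAfeeUpdate"="c:\program files\McAfee\MSC\McUpdUtl.exe" [2010-02-11 300352]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 135664]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
Contents of the 'Scheduled Tasks' folder
2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 16:54]
2010-08-11 c:\windows\Tasks\TASK20100810204837.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-08-11 c:\windows\Tasks\TASK20100810204956.job
- c:\program files\Ipswitch\WS_FTP 12\wsftppro.exe [2010-08-09 16:49]
2010-09-03 c:\windows\Tasks\Sync.job
- c:\users\Sanna\AppData\Roaming\sync\sync.exe [2010-09-02 22:10]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"(?: \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?')
SVC_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.+?)(?: \[\d{4}-\d{2}-\d{2} \d+\])?$")
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>c:\\windows\\tasks\\.+\.job)$", re.I)
TASK_IMAGE_RE = re.compile(r"^- (?P<image>.+?)(?: \[[^\]]*\])?$")

# Directory fragments that an ordinary user account can write to (heuristic).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\$recycle.bin\\")


def parse_autostarts(text):
    """Return dicts {kind, name, image, source} for Run values, services and tasks."""
    entries, current_key, pending_job = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current_key = m.group("key")
        elif (m := RUN_RE.match(line)) and current_key and current_key.lower().endswith("\\run"):
            entries.append({"kind": "run", "name": m.group("name"),
                            "image": m.group("image"), "source": current_key})
        elif (m := SVC_RE.match(line)):
            entries.append({"kind": "service", "name": m.group("name"),
                            "image": m.group("image"), "source": m.group("start")})
        elif (m := TASK_RE.match(line)):
            pending_job = m.group("job")
        elif pending_job and (m := TASK_IMAGE_RE.match(line)):
            entries.append({"kind": "task", "name": pending_job.rsplit("\\", 1)[-1],
                            "image": m.group("image"), "source": pending_job})
            pending_job = None
    return entries


def risk_flags(image):
    """Heuristic flags for one autostart image path."""
    img = image.lower().strip()
    flags = []
    if not re.match(r"^[a-z]:\\", img) and not img.startswith("\\"):
        flags.append("no-full-path")  # bare file name, resolved via PATH search
    if any(frag in img for frag in USER_WRITABLE):
        flags.append("user-writable-location")
    return flags


def triage(text):
    """Return (flagged entries with their flags, Counter of autostarts per image)."""
    entries = parse_autostarts(text)
    flagged = [dict(e, flags=f) for e in entries if (f := risk_flags(e["image"]))]
    counts = Counter(e["image"].lower() for e in entries)
    return flagged, counts


if __name__ == "__main__":
    flagged, counts = triage(SAMPLE)
    for e in flagged:
        print(f"[{e['kind']}] {e['name']}: {e['image']}  <- {', '.join(e['flags'])}")
    for image, n in counts.most_common():
        if n > 1:
            print(f"{n} autostart entries share {image}")
```

A flag is a prompt to look, not a verdict: vendor updaters do sometimes install under AppData, and a bare image name in HKLM\Run is usually an OEM leftover. What the script is good for is making the ComboFix sections comparable from one run to the next, so an entry that comes back after a fix is visible immediately.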
-
Please read here for more information about WildTangent (http://it.toolbox.com/blogs/enterprise-solutions/question-of-the-week-is-wildtanget-actually-spyware-6472). Your choice if you want to remove it or not.
If you choose to follow my advice, please follow these instructions.
Go to Start > Control Panel > Add/Remove Programs and remove the following programs.
• WildTangent Web Driver or anything related to WildTangent.
********************************
Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
- Click NO
- In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
- Now click the Scan button.
- Once the scan is complete, you may receive another notice about rootkit activity.
- Click OK.
- GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
- Save it where you can easily find it, such as your desktop.
-
OK, so it took me a while to figure the gmer rootkit thingy out. Every time I ran it, Windows would shut down immediately afterwards (blue screen), so I wasn't able to save the log. But now I got it.
Also, I tried to find the WildTangent thing, but it is not in my program list, how do I find it and uninstall it?
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-06 17:13:35
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Sanna\AppData\Local\Temp\kxldrpob.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8DCC879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8DCC8738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8DCC874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8DCC87DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8DCC881F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8DCC8710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8DCC8724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8DCC87B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8DCC8847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8DCC8833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8DCC878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8DCC8776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8DCC880B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8DCC87F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8DCC87C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8DCC8762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 81E3D9D2 5 Bytes JMP 8DCC87CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 81FD15B5 5 Bytes JMP 8DCC8823 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 81FDBB82 5 Bytes JMP 8DCC8766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82002DA3 5 Bytes JMP 8DCC880F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 820224FA 7 Bytes JMP 8DCC87E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 820227BD 5 Bytes JMP 8DCC87F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82026528 5 Bytes JMP 8DCC877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 8202BF3D 7 Bytes JMP 8DCC87B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 8202E15A 5 Bytes JMP 8DCC8728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 82032C08 5 Bytes JMP 8DCC8714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 82053E5B 5 Bytes JMP 8DCC87A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 820648D2 5 Bytes JMP 8DCC8837 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 82065AD6 5 Bytes JMP 8DCC884B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 820A38BF 5 Bytes JMP 8DCC873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 820A390A 7 Bytes JMP 8DCC8750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 820A43C7 5 Bytes JMP 8DCC878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
C:\Program Files\CyberLink\PowerDVD\000.fcl entry point in "" section [0xAB81F000]
.clc C:\Program Files\CyberLink\PowerDVD\000.fcl unknown last section [0xAB820000, 0x1000, 0x00000000]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\services.exe[660] kernel32.dll!GetStartupInfoW 75CD1929 5 Bytes JMP 00060F3A
.text C:\Windows\system32\services.exe[660] kernel32.dll!GetStartupInfoA 75CD19C9 5 Bytes JMP 00060080
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateProcessW 75CD1BF3 5 Bytes JMP 000600BD
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateProcessA 75CD1C28 5 Bytes JMP 000600AC
.text C:\Windows\system32\services.exe[660] kernel32.dll!VirtualProtect 75CD1DC3 5 Bytes JMP 00060F5C
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateNamedPipeA 75CD2EF5 5 Bytes JMP 00060FD4
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateNamedPipeW 75CD5C0C 5 Bytes JMP 00060025
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreatePipe 75CF8E6E 5 Bytes JMP 00060F4B
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryExW 75CF9109 5 Bytes JMP 00060F6D
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryW 75CF9362 5 Bytes JMP 00060FAF
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryExA 75CF94B4 5 Bytes JMP 00060F8A
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryA 75CF94DC 5 Bytes JMP 00060036
.text C:\Windows\system32\services.exe[660] kernel32.dll!VirtualProtectEx 75CFDBDA 5 Bytes JMP 0006005B
.text C:\Windows\system32\services.exe[660] kernel32.dll!GetProcAddress 75D1903B 5 Bytes JMP 00060F0B
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateFileW 75D1AECB 5 Bytes JMP 0006000A
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateFileA 75D1CE5F 5 Bytes JMP 00060FEF
.text C:\Windows\system32\services.exe[660] kernel32.dll!WinExec 75D65CF7 5 Bytes JMP 00060091
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyExA 773C39AB 5 Bytes JMP 00870F97
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyA 773C3BA9 5 Bytes JMP 00870FB9
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyA 773C89C7 5 Bytes JMP 00870000
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyW 773D391E 5 Bytes JMP 00870FA8
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyExW 773D41F1 5 Bytes JMP 00870054
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyExA 773D7C42 5 Bytes JMP 0087001B
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyW 773DE2B5 5 Bytes JMP 00870FEF
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyExW 773E7BA1 5 Bytes JMP 00870FCA
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_wsystem 761B7F2F 5 Bytes JMP 00850FAD
.text C:\Windows\system32\services.exe[660] msvcrt.dll!system 761B804B 5 Bytes JMP 00850FBE
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_creat 761BBBE1 5 Bytes JMP 0085001D
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_open 761BD106 5 Bytes JMP 00850FEF
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_wcreat 761BD326 5 Bytes JMP 0085002E
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_wopen 761BD501 5 Bytes JMP 0085000C
.text C:\Windows\system32\services.exe[660] WS2_32.dll!socket 762B36D1 5 Bytes JMP 00860000
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoW 75CD1929 5 Bytes JMP 00190F91
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA 75CD19C9 1 Byte [E9]
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA 75CD19C9 5 Bytes JMP 001900CD
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessW 75CD1BF3 5 Bytes JMP 0019010D
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessA 75CD1C28 5 Bytes JMP 00190F6C
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtect 75CD1DC3 5 Bytes JMP 001900AB
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeA 75CD2EF5 5 Bytes JMP 0019002C
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeW 75CD5C0C 5 Bytes JMP 00190047
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreatePipe 75CF8E6E 5 Bytes JMP 00190FAC
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExW 75CF9109 5 Bytes JMP 00190084
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryW 75CF9362 5 Bytes JMP 00190062
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryExA 75CF94B4 5 Bytes JMP 00190073
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!LoadLibraryA 75CF94DC 5 Bytes JMP 00190FD1
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!VirtualProtectEx 75CFDBDA 5 Bytes JMP 001900BC
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetProcAddress 75D1903B 5 Bytes JMP 00190128
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileW 75D1AECB 5 Bytes JMP 0019001B
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateFileA 75D1CE5F 5 Bytes JMP 00190000
.text C:\Windows\system32\lsass.exe[692] kernel32.dll!WinExec 75D65CF7 5 Bytes JMP 001900E8
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExA 773C39AB 5 Bytes JMP 004E0F8D
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyA 773C3BA9 5 Bytes JMP 004E0025
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyA 773C89C7 5 Bytes JMP 004E000A
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyW 773D391E 5 Bytes JMP 004E0FA8
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExW 773D41F1 5 Bytes JMP 004E004A
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExA 773D7C42 5 Bytes JMP 004E0FD4
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyW 773DE2B5 5 Bytes JMP 004E0FEF
.text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExW 773E7BA1 5 Bytes JMP 004E0FC3
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wsystem 761B7F2F 5 Bytes JMP 001A0F7A
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!system 761B804B 5 Bytes JMP 001A0F95
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_creat 761BBBE1 5 Bytes JMP 001A0FB7
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_open 761BD106 5 Bytes JMP 001A0FEF
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wcreat 761BD326 5 Bytes JMP 001A0FA6
.text C:\Windows\system32\lsass.exe[692] msvcrt.dll!_wopen 761BD501 5 Bytes JMP 001A0FDE
.text C:\Windows\system32\lsass.exe[692] WS2_32.dll!socket 762B36D1 5 Bytes JMP 001B0FEF
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW 75CD1929 5 Bytes JMP 004B00B1
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoA 75CD19C9 5 Bytes JMP 004B0F61
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessW 75CD1BF3 5 Bytes JMP 004B00DD
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessA 75CD1C28 5 Bytes JMP 004B0F46
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtect 75CD1DC3 5 Bytes JMP 004B0056
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeA 75CD2EF5 5 Bytes JMP 004B0FB9
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeW 75CD5C0C 5 Bytes JMP 004B0014
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreatePipe 75CF8E6E 5 Bytes JMP 004B0082
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW 75CF9109 5 Bytes JMP 004B0F7C
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryW 75CF9362 5 Bytes JMP 004B0F97
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExA 75CF94B4 5 Bytes JMP 004B0039
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryA 75CF94DC 5 Bytes JMP 004B0FA8
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx 75CFDBDA 5 Bytes JMP 004B0071
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetProcAddress 75D1903B 5 Bytes JMP 004B0F2B
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileW 75D1AECB 5 Bytes JMP 004B0FCA
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileA 75D1CE5F 5 Bytes JMP 004B0FE5
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!WinExec 75D65CF7 5 Bytes JMP 004B00C2
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wsystem 761B7F2F 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wsystem 761B7F2F 5 Bytes JMP 004C0033
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!system 761B804B 5 Bytes JMP 004C0FA8
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_creat 761BBBE1 5 Bytes JMP 004C0FD4
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_open 761BD106 5 Bytes JMP 004C000C
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wcreat 761BD326 5 Bytes JMP 004C0FC3
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wopen 761BD501 5 Bytes JMP 004C0FEF
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA 773C39AB 5 Bytes JMP 00520F83
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA 773C3BA9 5 Bytes JMP 00520FAF
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA 773C89C7 5 Bytes JMP 00520FE5
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW 773D391E 5 Bytes JMP 00520F9E
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW 773D41F1 5 Bytes JMP 00520040
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA 773D7C42 5 Bytes JMP 00520000
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW 773DE2B5 5 Bytes JMP 00520FCA
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW 773E7BA1 5 Bytes JMP 00520011
.text C:\Windows\system32\svchost.exe[880] WS2_32.dll!socket 762B36D1 5 Bytes JMP 00510000
.text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW
-
You could try searching for it this way.
Delete An Uninstall Entry
•Start HijackThis
•Click on the Open the Misc Tools section
•Click on the Open Uninstall Manager button.
•Highlight the entry you want to remove. WildTangent
•Click Delete this entry
**************************************
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f9a6e9326aee944993376a399242ae6a
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-07 01:47:12
# local_time=2010-09-06 06:47:12 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 789324 789324 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776573 100 96 11575405 36657156 0 0
# compatibility_mode=5892 16776573 100 100 0 120431560 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=19
# found=0
# cleaned=0
# scan_time=0
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f9a6e9326aee944993376a399242ae6a
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-07 04:15:47
# local_time=2010-09-06 09:15:47 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 789456 789456 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776573 100 96 11575537 36657288 0 0
# compatibility_mode=5892 16776573 100 100 0 120431692 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=197483
# found=3
# cleaned=3
# scan_time=8782
C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-596ef2e2 probably a variant of Win32/Agent.DYXWUMY trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\7adbb65d-4a3b7957 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\549f6065-54daa004 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
And the other one:
C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-596ef2e2 probably a variant of Win32/Agent.DYXWUMY trojan deleted - quarantined
C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\7adbb65d-4a3b7957 multiple threats deleted - quarantined
C:\Users\Sanna\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\549f6065-54daa004 multiple threats deleted - quarantined
-
That looks good. If there are no other issues, it's time for some cleanup.
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the Run box
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
*******************************
Download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe) and save it to your desktop.
1. Double-click OTC to run it.
2. Click the CleanUp! button.
3. Select Yes when the "Begin cleanup Process?" prompt appears.
4. If you are prompted to Reboot during the cleanup, select Yes.
5. OTC should delete itself once it finishes; if not, delete it yourself.
*********************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator.
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
**************************************
Looking over your log, it seems you don't have any evidence of a third-party firewall.
Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.
Remember, only install ONE firewall.
1) Comodo Personal Firewall (http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html) (If you choose this one, uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and uncheck any HopSurf and/or Ask.com options)
2) Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html)
3) Agnitum Outpost (http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html)
4) PC Tools Firewall Plus (http://www.majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
**********************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
-
I did all of the above,
No more problems!
Thank you so much for all of your help!