Computer Hope
Software => Computer viruses and spyware => Topic started by: millee81 on September 13, 2010, 04:07:45 PM
-
Help! I was using my laptop fine until this morning and then after I start it up from hibernate at work, I realize that there is a pop up saying "Application cannot be executed. The file wuauclt.exe is infected. Do you want to activate your antivirus or not?" I thought it was from my avg free (since the icon colors were the same) and clicked yes but a different "antivirus" scanner popped up and now it won't let me open anything. A message opens up with a the options to activate my antivirus or stay unprotected and no matter what I press I can't do anything. I restarted up my laptop in safe mode and tried to run avg but anything it scanned was "locked and could not test". I loaded hijack onto a usb but then I wasn't sure and I deleted it from the usb while in safe mode. I've turned the laptop's wireless button to off.
So I guess I have two questions aside from the please help!:::
1) if there's nothing else on the usb, is it still carrying the virus? Can it plug it into my home pc?
2) Is it safe for me to turn on the wireless button in order to post onto the forum or do you recommend that I use the usb to tranfer the logs back and forth?
I appreciate any and all help I get!!!
-
the reason I ask #1 is because before I started the laptop up in safe mode it wouldn't open the hijack saying that it was infected. but then I started up in safe mode, installed it, and then deleted it off of the usb. So is my usb a "safe" mode of transferring information again?
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
Please don't use your usb memory stick until we get this cleaned up. Follow the directions below.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
Save Rkill to your desktop.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
* Rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
* Rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
* Rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
* Rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
Once you've gotten one of them to run then try to immediately run the following.
*************************************
SUPERAntiSpyware
If you already have SUPERAntiSpyware be sure to check for updates before scanning!
Download SuperAntispyware Free Edition (SAS) (http://www.superantispyware.com/download.html)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked
•Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes
•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.
•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
*******************************************
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here (http://www.malwarebytes.org/mbam/program/mbam-setup.exe).
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-
Thanks! I've got the files downloaded onto a cd-rw and now am ready to boot up my laptop again. I'm assuming I should do this in safe mode?
-
oh also!
Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
The "here" had no link!! My laptop won't connect to the internet in safe mode I guess! Please provide the link I need to unzip~
-
Reboot your computer back in Normal mode. SAS won't run in Safe Mode so you will have to wait until you're able to get back on your computer in Normal Mode.
-
But it is running and scanning in safe mode right now... for the past hour and a half and it's found 75 threats so far... one adware of unknown origin and 74 adware tracking cookies...
So then should I cancel it and reboot anyways?
-
Hi! So I spent the whole night scanning and stuff. Here are the logs for the different scans I did both in safe mode and reg mode.
I went into safe mode first and then did rkill which gave me this log:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Jinju on 09/13/2010 at 20:16:59.
Services Stopped:
Processes terminated by Rkill or while it was running:
C:\Windows\system32\conime.exe
Rkill completed on 09/13/2010 at 20:17:01.
Then while in safe mode I installed the SAS but it wouldn't connect to the internet to update and your directions did not have the link for the file I was told to unzip and I checked through some other forums too to look for it to no avail so I ran an SAS scan without the update and received the following log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/13/2010 at 10:39 PM
Application Version : 4.42.1000
Core Rules Database Version : 5410
Trace Rules Database Version: 3222
Scan type : Complete Scan
Total Scan Time : 02:15:46
Memory items scanned : 308
Memory threats detected : 0
Registry items scanned : 9809
Registry threats detected : 0
File items scanned : 240602
File threats detected : 75
Adware.Unknown Origin
C:\PROGRAM FILES\HEWLETT-PACKARD\HP ADVISOR\COMPSHOP\TEMPLATES\AD.HTML
Adware.Tracking Cookie
C:\Users\Jinhee\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Jinhee\AppData\Roaming\Microsoft\Windows\Cookies\Low\jinhee@apmebf[1].txt
C:\Users\Jinhee\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Jinhee\AppData\Roaming\Microsoft\Windows\Cookies\Low\jinhee@atwola[2].txt
C:\Users\Jinhee\AppData\Roaming\Microsoft\Windows\Cookies\Low\jinhee@collective-media[2].txt
C:\Users\Jinhee\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Jinhee\AppData\Roaming\Microsoft\Windows\Cookies\Low\jinhee@statcounter[1].txt
.apmebf.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.intermundomedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.intermundomedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.lfstmedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.lfstmedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\Jinhee\AppData\Roaming\Mozilla\Firefox\Profiles\zut2haxi.default\cookies.sqlite ]
files.adbrite.com [ C:\Users\Jinju\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\[email protected][2].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\[email protected][1].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\[email protected][2].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\[email protected][2].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\[email protected][1].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\jinju@apmebf[1].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\jinju@bizrate[2].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\[email protected][1].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\[email protected][1].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\jinju@imrworldwide[2].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\jinju@insightexpressai[1].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\jinju@media6degrees[1].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\jinju@mixrmedia[2].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\[email protected][1].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\jinju@specificclick[2].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\jinju@specificmedia[1].txt
C:\Users\Jinju\AppData\Local\Temp\Low\Cookies\jinju@statcounter[1].txt
a.media.abcfamily.go.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
a.media.soapnet.go.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
acvs.mediaonenetwork.net [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
atdmt.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
bannerfarm.ace.advertising.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
cache.specificmedia.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
cdn4.specificclick.net [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
content.oddcast.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
convoad.technoratimedia.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
ia.media-imdb.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
interclick.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
m.uk.2mdn.net [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
m1.2mdn.net [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
macromedia.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
media-mars.pictela.net [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
media.king5.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
media.mtvnservices.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
media.scanscout.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
media.socialvibe.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
media.tattomedia.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
media01.kyte.tv [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
media1.break.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
mediaforgews.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
msnbcmedia.msn.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
nasimg.nasmedia.co.kr [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
objects.tremormedia.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
s0.2mdn.net [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
secure-us.imrworldwide.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
serving-sys.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
speed.pointroll.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
static.2mdn.net [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
udn.specificclick.net [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
uk.2mdn.net [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
vhss-a.oddcast.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
video.unrulymedia.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
www.blogsmithmedia.com [ C:\Users\Jinju\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5MSJP753 ]
Then while in safe mode ran the Mbam and received this log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4052
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.6002.18005
9/14/2010 12:07:34 AM
mbam-log-2010-09-14 (00-07-34).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 363532
Time elapsed: 1 hour(s), 9 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\Jinju\AppData\Local\Temp\0.6806630733000587.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
Then I rebooted into regular mode, had to use rkill again since the virus was still active and got this log:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Jinju on 09/14/2010 at 0:21:12.
Services Stopped:
Processes terminated by Rkill or while it was running:
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Jinju\Desktop\rkill.exe
Rkill completed on 09/14/2010 at 0:21:19.
I noticed the internet connection was up again so I tried to update the SAS, but it said there was an error. So I rechecked the firewall and added the program to be allowed through but the error showed up again so SAS has not been updated. In the meantime, I updated Mbam and rescanned my computer and received this log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4611
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
9/14/2010 7:18:07 AM
mbam-log-2010-09-14 (07-18-07).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 388129
Time elapsed: 3 hour(s), 22 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjekljnc (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\Jinju\AppData\Roaming\urpkunejc\rkfanemuqiw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Users\Jinju\AppData\Local\urpkunejc\rkfanemuqiw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
I have rebooted my laptop and the malware or virus seems to be gone!! Nothing is popping up for now~ Is my laptop "cured"?? What about my usb now? Can I use it?
Thanks again!!
-
What about my usb now? Can I use it?
No. Please remind me to fix this at the end of the cleaning process.
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
************************************
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)
Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
Help! HOw do I disable AVG Anti-Virus? I followed the directions to disable my avg 8.5 resident shield but the menu says the anti-virus and anti-spyware is still active and the link you provided does not help! I can't go any further on the combo fix until I do because combofix wants me to disable it before I click ok.
In the meantime here's the log of security check:
Results of screen317's Security Check version 0.99.5
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG Free 8.5
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 18
Java(TM) SE Runtime Environment 6
Java(TM) 6 Update 4
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.1.82.76
Adobe Reader 8.1.2
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.12) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
-
Okay, so I've disabled Windows Defender and the Resident shield portion of avg free 8.5. According to my Windows Security Alert it says that they're both reported off, but then when I actually go into the avg the icons for the anti-virus and anti-spyware says they're active which is what I think the combo fix is warning me against~
How do I turn those off or should I just click ok to continue combofix?
-
never mind. I uninstalled avg and started up combofix. Here's the log:
ComboFix 10-09-14.01 - Jinju 09/14/2010 22:30:09.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.76 [GMT -4:00]
Running from: c:\users\Jinju\Desktop\commy.exe.exe
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))
.
2010-09-15 02:50 . 2010-09-15 02:50 -------- d-----w- c:\users\Jinhee\AppData\Local\temp
2010-09-15 02:50 . 2010-09-15 02:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-14 02:53 . 2010-09-14 02:53 -------- d-----w- c:\users\Jinju\AppData\Roaming\Malwarebytes
2010-09-14 02:53 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-14 02:53 . 2010-09-14 02:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 02:53 . 2010-09-14 02:53 -------- d-----w- c:\programdata\Malwarebytes
2010-09-14 02:53 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-14 00:18 . 2010-09-14 00:18 -------- d-----w- c:\users\Jinju\AppData\Roaming\SUPERAntiSpyware.com
2010-09-14 00:18 . 2010-09-14 00:18 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-14 00:18 . 2010-09-14 04:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-13 16:15 . 2010-09-13 16:15 -------- d-----w- c:\program files\Trend Micro
2010-09-13 05:15 . 2010-09-14 11:18 -------- d-----w- c:\users\Jinju\AppData\Local\urpkunejc
2010-09-13 05:15 . 2010-09-14 07:50 -------- d-----w- c:\users\Jinju\AppData\Roaming\urpkunejc
2010-08-30 19:46 . 2010-08-30 19:46 -------- d-----w- c:\users\Jinju\AppData\Local\WinZip
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 02:16 . 2008-07-25 21:33 -------- d-----w- c:\users\Jinju\AppData\Roaming\OpenOffice.org2
2010-09-15 02:10 . 2007-09-05 02:36 13025 ----a-w- c:\users\Jinju\AppData\Roaming\nvModes.dat
2010-09-15 01:52 . 2008-07-08 21:07 -------- d-----w- c:\programdata\avg8
2010-09-14 04:00 . 2007-11-29 01:09 1356 ----a-w- c:\users\Jinju\AppData\Local\d3d9caps.dat
2010-09-13 13:49 . 2010-02-16 20:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-08 00:30 . 2009-05-28 18:37 -------- d-----w- c:\programdata\Motive
2010-08-21 07:04 . 2007-06-29 13:00 -------- d-----w- c:\programdata\Microsoft Help
2010-08-21 07:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-29 15:47 . 2010-08-12 22:11 834048 ----a-w- c:\windows\system32\wininet.dll
2010-06-28 16:13 . 2010-08-12 22:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-21 13:37 . 2010-08-12 22:10 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 17:31 . 2010-08-12 22:10 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 15:04 . 2010-08-12 22:10 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 15:04 . 2010-08-12 22:10 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2006-11-21 1474560]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-25 2424560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-11-24 167936]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-14 90191]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-14 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-14 7766016]
"Mouse Suite 98 Daemon"="ICO.EXE" [2006-11-03 49152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-10 46704]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-14 623888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
c:\users\Jinju\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\V CAST Music Manager\MEMonitor.exe [2007-11-2 951640]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2007-6-29 34520]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-5 494920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-09-15 c:\windows\Tasks\User_Feed_Synchronization-{90EE62B4-9066-4567-B527-472EEF2CA871}.job
- c:\windows\system32\msfeedssync.exe [2008-05-27 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: Display All Images with Full Quality - c:\program files\NetZero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\NetZero\qsacc\appres.dll/227
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: netzero.com
Trusted Zone: netzero.net
FF - ProfilePath - c:\users\Jinju\AppData\Roaming\Mozilla\Firefox\Profiles\w5fweigy.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Jinju\AppData\Local\Yahoo!\BrowserPlus\2.9.2\Plugins\npybrowserplus_2.9.2.dll
FF - plugin: c:\users\Jinju\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Jinju\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-14 22:51
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3996722006-3211200769-4179047636-1000\¬ î*�*]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:4c,ad,ed,b1,a9,09,b1,00
DUMPHIVE0.003 (REGF)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3768)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
c:\windows\System32\pelscrll.dll
c:\windows\System32\PELCOMM.dll
c:\windows\System32\PELHOOKS.dll
.
Completion time: 2010-09-14 23:00:43
ComboFix-quarantined-files.txt 2010-09-15 03:00
Pre-Run: 77,538,639,872 bytes free
Post-Run: 78,839,193,600 bytes free
- - End Of File - - E2FE00B5E65EC4B08886E2D57555BD7C
My usb? =)
-
You have Viewpoint installed.
Viewpoint Media Player/Manager/Toolbar is considered as Foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".
More information:
* ViewMgr.exe - Useless (http://www.greatis.com/appdata/u/v/viewmgr.exe.htm)
* Viewpoint to Plunge Into Adware (http://www.clickz.com/news/article.php/3561546/)
It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.
* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
* Viewpoint Experience Technology
******************************************
Please update your AVG to version 9.0 Please make sure that you have an AV on your computer.
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6092
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Folder::
c:\users\Jinju\AppData\Local\urpkunejc
c:\users\Jinju\AppData\Roaming\urpkunejc
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- I don't need to see the log from this script.
*************************************
* Download the following tool: RootRepeal - Rootkit Detector (http://rootrepeal.googlepages.com/)
* Direct download link is here: RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip)
* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of such programs and how to disable them.
* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.
-
how long is the root repeal going to take? it's been going for since about 6pm and still not done?
-
I ran the root repeal last night went to bed, and woke up to my computer having restarted and I can't find a log. Took it to work where I ran it all day, kept it on in the car ride home only to see it restart itself and now there is a message from windows saying that it had recovered from an unexpected shutdown with the following problem detail:
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033
Additional information about the problem:
BCCode: d1
BCP1: 00000000
BCP2: 00000002
BCP3: 00000000
BCP4: 8074B395
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\Mini091610-01.dmp
C:\Users\Jinju\AppData\Local\temp\WER-213284-0.sysdata.xml
C:\Users\Jinju\AppData\Local\temp\WER84D8.tmp.version.txt
Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
What does this mean? Should I do root repeal AGAIN?
-
Please try this one instead.
Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
- Click NO
- In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
- Now click the Scan button.
- Once the scan is complete, you may receive another notice about rootkit activity.
- Click OK.
- GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
- Save it where you can easily find it, such as your desktop.
-
ok so you want me to scan this? Because I double clicked and it opened the program and it's on a screen where in the Type column it says attachedDevice, in Name it says \Driver\kbdclass \Device\KeyboardClass0 and then the Value column says Wdf01000.sys (WDF Dynamic/Microsoft Corporation
A whole bunch of things checked off on the right including my c:\ drive andthen scan copy and save... buttons. So I should click Scan?
-
i wasn't asked if i wanted to perform a full scan... that's why I was wondering and I don't see anything regarding rootkits...
-
and the show all box is in grey and unchecked so I can't check it~!!
-
never mind on that last one about the show all... I misread it~ I must've read your thing a dozen timesa nd i'm confused now...
-
gmer.exe has stopped working~ windows is checking for a solution to the problem. -.-;;
-
Ok. Let's try this instead.
Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.
@echo off
Copy /y gmer.exe ark.exe
Start ark.exe
Save it into the gmer folder as File name: ark.cmd
Save as type: All Files
Once done, double click ark.cmd to run it.
This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.
-
I did what you told me to, saved the notepad file, and then dblclicked it. Verified the checked and unchecked boxes and then clicked scan. In the middle of the scan, a blue screen appeared saying that windows is stopped to prevent the system from getting further damage and then it restarted. I started windows normally and then when the "Windows has recovered from an unexpected shutdown" screen came up, this was in the details:
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033
Additional information about the problem:
BCCode: 50
BCP1: B3C00008
BCP2: 00000000
BCP3: 9EF7B53E
BCP4: 00000002
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\Mini091710-02.dmp
C:\Users\Jinju\AppData\Local\temp\WER-130931-0.sysdata.xml
C:\Users\Jinju\AppData\Local\temp\WERCB69.tmp.version.txt
Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
*sigh* what's going on? is this a virus or another malware that's preventing the scans to go through? Thanks for being patient with me~
-
sigh* what's going on? is this a virus or another malware that's preventing the scans to go through? Thanks for being patient with me~
I don't think so. I never could get GMER to run on my computer. Let's try another one.
Please download Rooter (http://eric71.geekstogo.com/tools/Rooter.exe) and Save it to your desktop.
- Double click it to start the tool.
- Click Scan.
- Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
-
Rooter.exe (v1.0.2) by Eric_71
.
The token does not have the SeDebugPrivilege privilege ! (error:1300)
Can not acquire SeDebugPrivilege !
Please run the tool as administrator ..
.
Windows Vista Home Edition (6.0.6002) Service Pack 2
[32_bits] - x86 Family 15 Model 72 Stepping 2, AuthenticAMD
.
Error OpenService (wscsvc) : 6
Error OpenSCManager : 5
Error OpenService (MpsSvc) : 6
Windows Defender -> Disabled !
User Account Control (UAC) -> Enabled
.
Internet Explorer 7.0.6002.18005
Mozilla Firefox 3.5.13 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:142 Go - Free:73 Go )
D:\ [Fixed-NTFS] .. ( Total:6 Go - Free:0 Go )
E:\ [CD_Rom]
.
Scan : 15:46.22
Path : C:\Users\Jinju\Desktop\Rooter.exe
User : Jinju ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
Locked smss.exe (508)
Locked csrss.exe (576)
Locked wininit.exe (628)
Locked csrss.exe (640)
Locked services.exe (672)
Locked lsass.exe (688)
Locked lsm.exe (696)
Locked winlogon.exe (800)
Locked svchost.exe (876)
Locked svchost.exe (940)
Locked svchost.exe (1084)
Locked svchost.exe (1128)
Locked svchost.exe (1140)
Locked audiodg.exe (1228)
Locked SLsvc.exe (1264)
Locked svchost.exe (1304)
Locked svchost.exe (1444)
Locked spoolsv.exe (1660)
Locked svchost.exe (1684)
Locked AppleMobileDeviceService.exe (1880)
Locked mDNSResponder.exe (1920)
Locked CLCapSvc.exe (1932)
Locked HPHC_Service.exe (1976)
Locked svchost.exe (12)
Locked LSSrvc.exe (664)
Locked McciCMService.exe (624)
Locked svchost.exe (772)
Locked svchost.exe (1324)
Locked svchost.exe (1456)
Locked svchost.exe (1472)
Locked svchost.exe (1872)
Locked SearchIndexer.exe (1220)
Locked XAudio.exe (2152)
Locked CLSched.exe (2184)
Locked hpqwmiex.exe (2212)
Locked taskeng.exe (2616)
______ C:\Windows\system32\Dwm.exe (2908)
______ C:\Windows\system32\taskeng.exe (2932)
______ C:\Windows\Explorer.EXE (2972)
______ C:\Program Files\iTunes\iTunesHelper.exe (3772)
______ C:\Program Files\Verizon\McciTrayApp.exe (3780)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (3788)
______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (3796)
______ C:\Windows\vsnp2uvc.exe (3804)
______ C:\Program Files\HP\QuickPlay\QPService.exe (3816)
______ C:\Program Files\Windows Media Player\wmpnscfg.exe (1396)
______ C:\Windows\System32\ICO.EXE (1772)
______ C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (2260)
______ C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (2288)
______ C:\Program Files\Microsoft IntelliPoint\ipoint.exe (1452)
______ C:\Program Files\Windows Sidebar\sidebar.exe (2392)
______ C:\Program Files\NetZero\exec.exe (2556)
______ C:\Windows\ehome\ehtray.exe (744)
______ C:\Program Files\AIM6\aim6.exe (1076)
______ C:\Program Files\Windows Live\Messenger\msnmsgr.exe (1236)
______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (1436)
______ C:\Program Files\HP Connections\6811507\Program\HP Connections.exe (872)
______ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (2660)
______ C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (1252)
______ C:\Program Files\V CAST Music Manager\MEMonitor.exe (2712)
______ C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (2424)
Locked wmpnetwk.exe (2872)
______ C:\Program Files\OpenOffice.org 2.4\program\soffice.exe (2428)
______ C:\Windows\System32\rundll32.exe (2988)
______ C:\Windows\ehome\ehmsas.exe (1036)
______ C:\Windows\System32\Pelmiced.exe (3248)
______ C:\Program Files\NetZero\exec.exe (1068)
______ C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN (3552)
Locked iPodService.exe (676)
______ C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe (3868)
______ C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe (3204)
______ C:\Program Files\NetZero\qsacc\x1exec.exe (3660)
______ C:\Program Files\AIM6\aolsoftware.exe (2724)
______ C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe (3980)
Locked PresentationFontCache.exe (4392)
______ C:\Windows\system32\conime.exe (4736)
______ C:\Windows\system32\wuauclt.exe (5496)
Locked TrustedInstaller.exe (5580)
Locked SearchFilterHost.exe (2220)
Locked WmiPrvSE.exe (5092)
Locked SearchProtocolHost.exe (5116)
______ C:\Users\Jinju\Desktop\Rooter.exe (4992)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:153335637504)
\Device\Harddisk0\Partition2 (Start_Offset:153335669760 | Length:6703603200)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\User_Feed_Synchronization-{90EE62B4-9066-4567-B527-472EEF2CA871}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 15:48.53
.
C:\Rooter$\Rooter_1.txt - (18/09/2010 | 15:48.53)
That was quick! Usb? lol
-
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
C:\Users\Jinju\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\38566918-6d218ade a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
and I guess these are the same but I'm posting the C:\Program Files\ESET\ESET Online Scanner\log.txt file anyways:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e96da94d460a4e419f4917970917995a
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-19 01:28:22
# local_time=2010-09-18 09:28:22 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 69212177 69212177 0 0
# compatibility_mode=5892 16776638 100 100 0 121457337 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=249606
# found=1
# cleaned=1
# scan_time=9891
C:\Users\Jinju\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\38566918-6d218ade a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C
Is my laptop clean? =) how do I clean my usb now?
-
First of all, please run a scan on your USB with your AV program. Please hold down the shift key while inserting the USB storage device for at least 10 secs. Now run the AV scan. Also scan it with SAS and MBAM. If these come out clean you should now save any important information on your storage device before running the program below.
Panda USB and AutoRun Vaccine
Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.
Download Panda USB and AutoRun Vaccine (http://majorgeeks.com/Panda_USB_and_AutoRun_Vaccine_d6029.html) and save it to your desktop.
* Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
* Open that folder and double-click on USBVaccine.exe to start the program.
* Click Run
* Click the button to Vaccinate computer.
* Insert your USB flash drive.
* When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
* Exit Panda USB and AutoRun Vaccine when done.
Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Resarch Blog (http://research.pandasecurity.com/archive/Panda-USB-and-AutoRun-Vaccine.aspx) advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
-
Thank you SuperDave!! So does this mean my laptop and my usb are clean and ready for use?
-
oh and can I delete the notepad logs from my desktop? Which programs do you recommend I keep on my computer to use regularly?
-
So does this mean my laptop and my usb are clean and ready for use?
Yes. Let's do some cleanup.
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type commy /uninstall in the runbox
* Make sure there's a space between commy and /Uninstall
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
********************************
Download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe) and save it to your desktop.
1. Double-click OTC to run it.
2. Click the CleanUp! button.
3. Select Yes when the "Begin cleanup Process?" prompt appears.
4. If you are prompted to Reboot during the cleanup, select Yes
5. OTC should delete itself once it finishes, if not delete it yourself.
**************************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
************************************
Looking over your log it seems you don't have any evidence of a third party firewall.
Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.
Remember only install ONE firewall
1) Comodo Personal Firewall (http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html)
3) Agnitum Outpost (http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html)
4) PC Tools Firewall Plus (http://www.majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
********************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
-
I typed in commy /uninstall but a message popped up saying that Windows cannot find it, make sure I typed the name in correctly and to try again. I tried commy.exe /uninstall and the same message popped up. Should I uninstall it through add/remove programs?
-
You won't find in there in Control Panel, Add/Remove. Use this.
Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt
To turn off Windows XP System Restore:
NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.
To turn on Windows XP System Restore:
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.
-
I deleted the combofix/commy files and then dled and started the OTC program. It restarted the computer but stayed on the black screen before fully starting up for about ten minutes... so I manually shut it down (by holding down the power button) and then started it up again and then windows is doing a startup repair and apparently I can't cancel this operation~ Do you know how long this might take? Are my pictures and documents safe?
-
okay so it finally stopped and it actually said that windows couldn't repair the system so it restarted and it looks like OTC did it's job! all those programs (including SAS and MBAM) you had told to dl are gone but the txt files are still on my desktop. Should I delete those too? Also I noticed that my AVG was reverted to the 8.0v instead of the 9.0 that I had just installed. I should just reinstall that, SAS, Panda, and MBAM right? Thanks for your help!!
-
ummm okay so I also notice my firefox wasn't working I'm trying to download a new one through IE and then I also noticed that Viewpoint Media Player reappeared on my programs and features. I also had to retype my pw for my wireless~ Is it possible that "bad" files or programs might've been reinstalled?
-
I looked into the program features more closely and noticed that the last thing it says that was installed was on 9/14/2008. so basically anything that I update or installed after that date was deleted.... *argh* windows update is also telling me that there are 89 updates available which I'm dling right now. Mozilla firefox won't dl whether I go into IE or safari. it closes and so I'm hoping that updating windows will help.. AVG 8.0 won't open at all... should I just uninstall and then try to dl the 9.0 after I update windows? What do you recommend? Also my computer is sloooow again~ It was so fast when we were done before so you can imagine my frustration right now...
-
It also reverted my microsoft word 2010 to 2007!!
-
Also I noticed that my AVG was reverted to the 8.0v instead of the 9.0 that I had just installed. I should just reinstall that, SAS, Panda, and MBAM right?
It sounds like your system was restored back to an earlier time. I really don't know how that happened as all the previous restore points were deleted. You should update your AVG immediately. You can download SAS and MBAM. Keep them updated and run them every so often.
Viewpoint Media Player reappeared on my programs and features. I also had to retype my pw for my wireless~ Is it possible that "bad" files or programs might've been reinstalled?
Go ahead and uninstall ViewPoint Media Player. You had to retype your password because that particular cookie was deleted. Just to be on the safe side, run the SAS and MBAM scans again. Post them here if anything shows up.
AVG 8.0 won't open at all
You can uninstall it or download and install MSE which, in my opinion, is a better AV program. If you do decide to change AV's download and install the new one before uninstalling the old one. You will also have to re-install MicroSoft Word.
Microsoft Security Essentials for Windows Vista\Windows 7 (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_VistaWindows_7_d6242.html) - 64 bit Download (http://majorgeeks.com/downloadget.php?id=6242&file=5&evp=9112d44b71f157fc5d7fcd7724b088ca)
Microsoft Security Essentials for Windows XP (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_XP_d6243.html)
Also my computer is sloooow again~ It was so fast when we were done before so you can imagine my frustration right now...
We'll have to wait until everything gets updated again and see if it's still slow. Sorry.
-
Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts.
On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next.
On the Select a Restore Point page, check to see if there are any dates closer to today's date. Please let me know.
-
the only date that showed up was 9/21/10 7:36:01 AM which is after the computer restored itself... I was able to finally download AVG 9.0 and install it, (it's running right now) but that was before I saw your recommendation for MSE. I will be posting logs soon as they finish... Thanks for your patience! I'm starting to lose my sanity~~ :'(
-
I'm going to have to scan SAS again because I forgot to:
Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked
but here's my MBAM log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4667
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000
9/23/2010 12:07:13 AM
mbam-log-2010-09-23 (00-07-13).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 392954
Time elapsed: 2 hour(s), 24 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
SAS log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/23/2010 at 03:18 AM
Application Version : 4.43.1000
Core Rules Database Version : 5556
Trace Rules Database Version: 3368
Scan type : Complete Scan
Total Scan Time : 03:02:13
Memory items scanned : 698
Memory threats detected : 0
Registry items scanned : 8887
Registry threats detected : 0
File items scanned : 248555
File threats detected : 0
-
Please delete your copy of ComboFix, download a new one and run another scan. Also, please run another HJT and post the log.
Download ComboFix by sUBs from one of the below links.
Important! You MUST save ComboFix to your desktop
link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)
Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click on ComboFix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
When the scan completes it will open a text window.
Post the contents of that log in your next reply.
Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
-
I looked through the C:\ drive and didn't find combofix or commy.exe or any of the other files... Did the scans say that it was still on my laptop?
-
If ComboFix is still on your computer you should find it on your desktop. If you can't find, please download and install another one and run another scan and post the log.
-
ComboFix 10-09-29.01 - Jinju 09/29/2010 18:12:08.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.958.437 [GMT -4:00]
Running from: c:\users\Jinju\Desktop\ComboFix.exe
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.
2010-09-29 22:28 . 2010-09-29 22:28 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-29 22:28 . 2010-09-29 22:28 -------- d-----w- c:\users\Jinhee\AppData\Local\temp
2010-09-29 22:28 . 2010-09-29 22:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-29 22:07 . 2010-09-29 22:08 -------- d-----w- C:\32788R22FWJFW
2010-09-28 20:44 . 2010-06-22 12:57 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-23 20:19 . 2010-09-23 20:19 1377632 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2010-09-23 20:19 . 2010-09-23 20:19 598368 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-09-23 20:19 . 2010-09-23 20:19 942432 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-09-23 20:19 . 2010-09-23 20:19 4371296 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-09-23 20:19 . 2010-09-23 20:19 300896 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-09-23 20:15 . 2010-09-23 20:15 1690952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-09-23 07:21 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
2010-09-23 07:21 . 2010-04-14 17:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2010-09-23 07:18 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-09-23 07:18 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-09-23 07:18 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-09-23 07:18 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-09-23 07:18 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-09-23 00:17 . 2010-06-11 15:31 274432 ----a-w- c:\windows\system32\schannel.dll
2010-09-23 00:17 . 2008-08-02 01:01 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-09-23 00:17 . 2008-06-26 03:29 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2010-09-23 00:17 . 2008-08-02 03:26 36864 ----a-w- c:\windows\system32\cdd.dll
2010-09-23 00:17 . 2008-06-26 03:29 45056 ----a-w- c:\windows\system32\dataclen.dll
2010-09-23 00:17 . 2008-05-20 02:07 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2010-09-23 00:17 . 2010-05-27 19:16 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-09-23 00:17 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-09-23 00:17 . 2010-04-05 16:07 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-09-23 00:17 . 2010-06-21 13:18 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-09-23 00:08 . 2010-06-08 17:00 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-09-23 00:08 . 2010-06-08 17:00 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-09-23 00:07 . 2010-04-16 16:10 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-09-23 00:07 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-09-23 00:07 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
2010-09-23 00:07 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
2010-09-23 00:07 . 2010-06-18 14:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-23 00:07 . 2010-06-18 14:43 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-23 00:07 . 2008-05-08 21:59 90112 ----a-w- c:\windows\system32\wshext.dll
2010-09-23 00:07 . 2008-05-08 21:59 155648 ----a-w- c:\windows\system32\wscript.exe
2010-09-23 00:07 . 2008-05-08 21:59 180224 ----a-w- c:\windows\system32\scrobj.dll
2010-09-23 00:07 . 2008-05-08 21:59 172032 ----a-w- c:\windows\system32\scrrun.dll
2010-09-23 00:07 . 2008-05-08 21:58 135168 ----a-w- c:\windows\system32\cscript.exe
2010-09-23 00:03 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
2010-09-23 00:03 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2010-09-23 00:03 . 2010-04-16 16:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-09-23 00:03 . 2010-04-16 14:17 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-09-23 00:02 . 2010-06-18 16:43 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-09-23 00:02 . 2010-05-26 14:25 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-09-23 00:02 . 2009-10-19 14:24 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-09-23 00:02 . 2010-05-26 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-09-23 00:02 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-09-23 00:00 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-09-22 23:51 . 2010-08-17 13:32 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-22 23:40 . 2010-04-16 16:10 501760 ----a-w- c:\windows\system32\usp10.dll
2010-09-22 23:34 . 2010-04-05 16:08 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-22 23:26 . 2010-05-27 19:16 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-22 23:25 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-09-22 23:25 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-09-22 23:25 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-09-22 23:25 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-09-22 23:24 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
2010-09-22 23:24 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-09-22 23:24 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-09-22 23:24 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-09-22 23:22 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-09-22 23:22 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-09-22 23:22 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-09-22 23:21 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2010-09-22 23:21 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-09-22 23:21 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-09-22 23:21 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2010-09-22 23:21 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-09-22 23:21 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-22 23:19 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2010-09-22 23:09 . 2008-10-22 03:57 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-09-22 04:34 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2010-09-22 04:34 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2010-09-22 04:34 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2010-09-22 04:34 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2010-09-22 04:34 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2010-09-22 04:25 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2010-09-22 04:25 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2010-09-22 04:22 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-09-22 04:22 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-09-22 04:22 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-09-22 03:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-22 03:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-22 03:40 . 2010-09-22 03:40 52224 ----a-w- c:\users\Jinju\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-22 03:40 . 2010-09-22 03:40 63488 ----a-w- c:\users\Jinju\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-22 03:40 . 2010-09-22 03:40 117760 ----a-w- c:\users\Jinju\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-21 22:00 . 2010-09-21 22:00 165632 ---ha-w- c:\windows\system32\mlfcache.dat
2010-09-21 22:00 . 2010-09-21 22:00 2788816 ----a-w- c:\users\Jinju\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-09-21 11:56 . 2010-09-21 11:56 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-09-21 11:28 . 2010-09-21 11:28 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-09-21 05:37 . 2010-09-21 05:37 2384752 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-09-21 05:28 . 2010-09-21 05:29 20519176 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\SetupGamesClient.exe
2010-09-21 05:08 . 2008-01-19 07:36 1541120 ----a-w- c:\windows\system32\onex.dll
2010-09-21 05:08 . 2008-01-19 07:33 2623488 ----a-w- c:\windows\system32\SLsvc.exe
2010-09-21 05:06 . 2008-01-19 07:36 1013760 ----a-w- c:\windows\system32\wevtsvc.dll
2010-09-21 05:04 . 2008-01-19 07:35 216064 ----a-w- c:\windows\system32\ntprint.dll
2010-09-21 05:03 . 2008-01-19 07:36 242688 ----a-w- c:\windows\system32\pdh.dll
2010-09-21 05:02 . 2008-01-19 07:34 394240 ----a-w- c:\windows\system32\dsquery.dll
2010-09-21 05:01 . 2008-01-19 07:37 1329152 ----a-w- c:\windows\system32\WMSPDMOE.DLL
2010-09-21 05:00 . 2008-01-19 07:33 31744 ----a-w- c:\windows\system32\bitsigd.dll
2010-09-21 04:59 . 2008-01-19 07:33 17408 ----a-w- c:\windows\system32\cfgmgr32.dll
2010-09-21 04:58 . 2008-01-19 07:33 599552 ----a-w- c:\windows\system32\vsp1cln.exe
2010-09-21 04:57 . 2008-01-19 07:34 102400 ----a-w- c:\windows\system32\wbem\mofinstall.dll
2010-09-21 04:57 . 2008-01-19 07:36 83968 ----a-w- c:\windows\system32\wbem\wmiutils.dll
2010-09-21 04:57 . 2008-01-19 07:36 742912 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2010-09-21 04:57 . 2008-01-19 07:36 30208 ----a-w- c:\windows\system32\wbem\wbemprox.dll
2010-09-21 04:57 . 2008-01-19 07:36 357888 ----a-w- c:\windows\system32\wbemcomn.dll
2010-09-21 04:57 . 2008-01-19 07:36 264704 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
2010-09-21 04:57 . 2008-01-19 07:34 191488 ----a-w- c:\windows\system32\wbem\mofd.dll
2010-09-21 04:57 . 2008-01-19 07:34 263168 ----a-w- c:\windows\system32\wbem\esscli.dll
2010-09-21 04:56 . 2008-01-19 07:36 139264 ----a-w- c:\windows\system32\SmiInstaller.dll
2010-09-21 04:56 . 2008-01-19 07:36 704512 ----a-w- c:\windows\system32\SmiEngine.dll
2010-09-21 04:56 . 2008-01-19 07:36 218624 ----a-w- c:\windows\system32\wdscore.dll
2010-09-21 04:56 . 2008-01-19 07:33 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2010-09-21 04:54 . 2008-01-19 07:34 246784 ----a-w- c:\windows\system32\drvstore.dll
2010-09-21 04:54 . 2008-01-19 07:35 35328 ----a-w- c:\windows\system32\mspatcha.dll
2010-09-21 04:54 . 2008-01-19 07:34 305152 ----a-w- c:\windows\system32\msdelta.dll
2010-09-21 04:54 . 2008-01-19 07:34 258560 ----a-w- c:\windows\system32\dpx.dll
2010-09-21 04:52 . 2008-10-21 05:25 1645568 ----a-w- c:\windows\system32\connect.dll
2010-09-21 04:51 . 2010-01-25 08:34 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-09-21 04:51 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-09-21 04:51 . 2010-01-25 12:48 472576 ----a-w- c:\windows\system32\secproc_isv.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 22:55 . 2010-09-23 22:55 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-09-23 20:30 . 2008-07-25 21:33 -------- d-----w- c:\users\Jinju\AppData\Roaming\OpenOffice.org2
2010-09-23 07:54 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-23 07:26 . 2007-06-29 13:00 -------- d-----w- c:\programdata\Microsoft Help
2010-09-22 00:25 . 2007-09-05 00:50 97936 ----a-w- c:\users\Jinju\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-22 00:16 . 2006-11-02 10:25 86016 ----a-w- c:\windows\Inf\infstor.dat
2010-09-22 00:16 . 2006-11-02 10:25 51200 ----a-w- c:\windows\Inf\infpub.dat
2010-09-22 00:16 . 2006-11-02 10:25 143360 ----a-w- c:\windows\Inf\infstrng.dat
2010-09-22 00:07 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-09-22 00:07 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-09-22 00:07 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-09-22 00:07 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-09-22 00:07 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-09-22 00:07 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-09-22 00:01 . 2006-11-02 10:25 665600 ----a-w- c:\windows\Inf\drvindex.dat
2010-09-21 23:14 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-09-21 23:13 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-09-21 06:42 . 2007-06-29 12:58 -------- d-----w- c:\program files\Microsoft Works
2010-09-21 06:32 . 2008-08-07 02:45 -------- d-----w- c:\programdata\WildTangent
2010-09-21 06:32 . 2008-03-29 02:28 -------- d-----w- c:\program files\Safari
2010-09-21 06:32 . 2008-08-11 03:25 -------- d-----w- c:\program files\QuickTime
2010-09-21 06:32 . 2007-09-10 01:12 -------- d-----w- c:\program files\NetZero
2010-09-21 06:32 . 2008-08-11 03:29 -------- d-----w- c:\program files\iTunes
2010-09-21 06:32 . 2006-11-30 22:49 -------- d-----w- c:\program files\HP Games
2010-09-21 06:32 . 2008-08-11 03:27 -------- d-----w- c:\program files\Bonjour
2010-09-21 06:29 . 2007-10-22 07:00 -------- d-----w- c:\users\Jinju\AppData\Roaming\Move Networks
2010-09-21 06:29 . 2007-09-10 01:19 -------- d-----w- c:\program files\iPod
2010-09-21 06:29 . 2007-06-29 13:05 -------- d-----w- c:\program files\HP
2010-09-21 03:49 . 2007-09-05 02:36 13025 ----a-w- c:\users\Jinju\AppData\Roaming\nvModes.dat
2010-09-21 03:25 . 2007-10-03 03:09 -------- d-----w- c:\programdata\Viewpoint
2010-09-19 22:45 . 2008-07-08 21:07 -------- d-----w- c:\program files\AVG
2010-09-15 22:51 . 2010-06-27 19:43 -------- d-----w- c:\programdata\WinZip
2010-09-14 04:00 . 2007-11-29 01:09 1356 ----a-w- c:\users\Jinju\AppData\Local\d3d9caps.dat
2010-09-13 13:49 . 2010-02-16 20:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-08 00:30 . 2009-05-28 18:37 -------- d-----w- c:\programdata\Motive
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2007-03-07 1629184]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2006-11-21 1474560]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-11-24 167936]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"Mouse Suite 98 Daemon"="ICO.EXE" [2006-11-03 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-10 46704]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-18 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-18 7753728]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-18 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
c:\users\Jinju\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\V CAST Music Manager\MEMonitor.exe [2007-11-2 951640]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2007-6-29 34520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S4 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys
--- Other Services/Drivers In Memory ---
*Deregistered* - AvgLdx86
.
Contents of the 'Scheduled Tasks' folder
2010-09-29 c:\windows\Tasks\User_Feed_Synchronization-{90EE62B4-9066-4567-B527-472EEF2CA871}.job
- c:\windows\system32\msfeedssync.exe [2010-09-21 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: Display All Images with Full Quality - c:\program files\NetZero\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\NetZero\qsacc\appres.dll/227
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: netzero.com
Trusted Zone: netzero.net
FF - ProfilePath - c:\users\Jinju\AppData\Roaming\Mozilla\Firefox\Profiles\w5fweigy.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-29 18:28
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-29 18:33:46
ComboFix-quarantined-files.txt 2010-09-29 22:33
Pre-Run: 73,712,840,704 bytes free
Post-Run: 73,612,976,128 bytes free
- - End Of File - - BAAE23D9312E5BAE78E43F64E6E7ED60
-
oh and what is an HJT? You've never told me to run it before and I have no idea what that is...
-
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
DDS::
Trusted Zone: netzero.com
Trusted Zone: netzero.net
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- I do not need to see the log from this action.
oh and what is an HJT? You've never told me to run it before and I have no idea what that is...
Sorry.Here it is.
Please download: HiJackThis (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe) to your Desktop.
- Double Click the HijackThis icon, located on your Desktop.
- By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
- Accept the license agreement.
- Click the Open the Misc Tools section button.
- Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
- Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
- Please post the log in your next reply.
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:34 PM, on 9/29/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18498)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Windows\System32\ICO.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\NetZero\exec.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Windows\System32\rundll32.exe
C:\Windows\System32\Pelmiced.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (filesize 62080 bytes, MD5 C11F6A1F61481E24BE3FDC06EA6F7D2A)
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (filesize 211720 bytes, MD5 E194E3DF6BA5487F2B67FFAED9CF4D49)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (filesize 509328 bytes, MD5 F921D875A1CBD69A6A462BA2514BC831)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll (filesize 297456 bytes, MD5 F65776B8C0C9DF600BC6FBD73796F5D3)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (filesize 413696 bytes, MD5 F34EB5D4F145ED5FE50033CA3A41ED24)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (filesize 289064 bytes, MD5 4CED92963F453EB8DCFE67FD4248D657)
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" (filesize 167936 bytes, MD5 F4810C2DC4F2E92E1B5EBCA2173DBBCE)
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE (filesize 49152 bytes, MD5 EDE74971B94F39238817BD0362FA171A)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (filesize 39792 bytes, MD5 8B9145D229D4E89D15ACB820D4A3A90F)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (filesize 144784 bytes, MD5 6AB4C021FBD36DC6764924C312428D97)
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exeC:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart (filesize 44544 bytes, MD5 4B555106290BD117334E9A08761C035A)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup (filesize 44544 bytes, MD5 4B555106290BD117334E9A08761C035A)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit (filesize 44544 bytes, MD5 4B555106290BD117334E9A08761C035A)
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (filesize 1233920 bytes, MD5 FD278E51A7D6F52D22FCE6C67E037AD6)
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun (filesize 1629184 bytes, MD5 105BCCEF090AE7DA70046E3FB0EC10C8)
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exeC:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exeC:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (filesize 50528 bytes, MD5 A29F21DC5C28D85592E84CFCAD3ED52B)
O4 - Startup: MEMonitor.lnk = C:\Program Files\V CAST Music Manager\MEMonitor.exe (filesize 951640 bytes, MD5 C1EEFC1FC617ED9CC1808C20F5E801A3)
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (filesize 393216 bytes, MD5 F5CECCFE0CF964B209DCAB226D4C1DE3)
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe (filesize 34520 bytes, MD5 3754F4C688BFD04BC886112BD6566A9B)
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll (filesize 509328 bytes, MD5 F921D875A1CBD69A6A462BA2514BC831)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll (filesize 509328 bytes, MD5 F921D875A1CBD69A6A462BA2514BC831)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll (filesize 603040 bytes, MD5 79F7DB36E67B9E8365FA824AD96DF400)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll (filesize 603040 bytes, MD5 79F7DB36E67B9E8365FA824AD96DF400)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL (filesize 39464 bytes, MD5 AEF204E782BFA2C8448CB43A58960744)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1217560870556&h=abf1acf1380dd4d78c5840bafbfae17d/&filename=jinstall-6u7-windows-i586-jc.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exeC:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exeC:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exeC:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exeC:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeC:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeC:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exeC:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exeC:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exeC:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 11542 bytes
-
The logs look clean. Please go ahead with the cleanup listed in Reply #30
-
Thanks SuperDave!
Okay so just to clarify before I commence clean up, when TFC restarts my computer and if I need to manually restart my computer, what do you mean by that? because last time it restarted and then gave me a choice of restarting normally and then a recommended choice of restarting with the restore because the laptop thought that there was damage which I did and then screwed everything up again.
-
Just skip the TFC. You can do a disk cleanup yourself. Just click on My Computer, right-click on your C drive, click Properties and select Disk cleanup.
-
I don't see disk cleanup. Is that the same as format?
-
No. Not the same as format. After you click Properties, Select General at the top left. Disk Cleanup is just below the pie chart of your C drive to the right.
-
I did it!!! Thank you, SuperDave!!!! It took a bit longer than expected because of the unexpected bump we encountered but I really appreciate all your advice and patience!!
-
You're welcome. Stay safe.
-
You can uninstall it or download and install MSE which, in my opinion, is a better AV program. If you do decide to change AV's download and install the new one before uninstalling the old one. You will also have to re-install MicroSoft Word.
Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
Microsoft Security Essentials for Windows XP
The link on the Microsoft Security Essentials for Windows Vista\Windows 7 downloaded a program that wouldn't install saying it wasn't compatible with my system and then the 64 bit Download downloaded SPYWARE DOCTOR WITH ANTIVIRUS. Should I have both on here? I have Vista.
-
Try this site (http://www.microsoft.com/security_essentials/) for the download. You can select the one for Vista and you can also keep Spyware Doctor, if you wish.