Computer Hope
Software => Computer viruses and spyware => Topic started by: slafa23 on December 20, 2008, 06:41:12 PM
-
My sister is having lots of problems with her Dell Laptop. It is occasionally not booting up all the way after reboots and she says she is getting "virus protection" messages. Also, her Windows Automatic Updates are set on off, and I can't turn them on. Even when I do it manually, it won't change.
Is there a good anti-virus software I could download? Or maybe some sort of error checking software to see what the heck is wrong with this machine?
Thanks.
-
More about the "virus" messages-
Apparently, an Internet Explorer box pops up and shows it is "running virus scans" and when it finishes, it gives a link to purchase the program.
-
So it clearly has a virus. When I tried to Google and download Spybot, it went right to "StopZilla."
Any advice?
Also, should I post this in another area of the forums?
-
Actually she has most likely somehow contracted a form of virus we refer to here as "Scumware"...
This is a small program that runs alleged scans and says the only way to fix your issues is to send them $39.95 and all will be right with the World...
Click Here (http://www.computerhope.com/forum/index.php/topic,46313.0.html) and follow the instructions for posting your logs and one of our Malware Removal Specialists will be along to assist.
I'll move this to the proper section.
-
Ok I am starting to work on this but I am going to need some help. There's McAfee on the system so I am running a virus scan.
In the add or remove programs window, there's a program called "Advertisment Service", which sounds kind of sketchy to me.
Any advice?
-
I don't see that exact term in the unwanted list but there are some that are abbreviated with the same name. I would remove it. http://www.bleepingcomputer.com/uninstall/Cat-A.html
-
That link didn't work.
-
When using Mozilla Firefox, I would use Google to search something. When I click on a link, I get "hijacked" and brought to the website that has the "virus scan." I really don't know where to start with this.
-
Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
- Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
- Then search for TDSSserv.sys
- Let me know if you find this or not.
- If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
- Also if this is found and you disable it.
- Now reboot and see if you can run the other scans that would not run.
-
I did have the TDSSserv on there. It had an "!" on it. I disabled it and rebooted.
A lot of things keep happening, among them:
An error message for an "invalid picture" and MSN just tried to install something without me pressing anything...
-
The first error message I just talked about is...
"Rendll32.exe-Bad Image. The application or DLL C:\WINDOWS\system32\sawubiyi.dll is not a valid Windows image. Please check this against your installation diskette."
also, I get a...
"Error loading C:\WINDOWS\system32\sawubiyi.dll %1 is not a valid Win32 application"
-
Those are all part of the virus. Do this.
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
For Windows XP Systems install the Recovery Console:
- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
-
Will this repair the error messages?
-
This is usually a multiple step process. Each step we take will get you closer to being malware free.
-
Ok. Out of curiosity, what is the TDSS thing? Because it appeared as a "problem" on a Spybot search.
-
It is a rootkit and Spybot isn't powerful enough to remove it. It takes specialized tools like ComboFix.
-
Should I fix that selected problem?
-
Please just follow the directions I posted here http://www.computerhope.com/forum/index.php/topic,72640.msg474754.html#msg474754
If you start doing other things it will just make the whole process more difficult and time consuming :)
-
Yes, I am about to. I was just finishing the scan and it appeared.
-
ComboFix 08-12-21.04 - localadmin 2008-12-21 22:56:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.526 [GMT -5:00]
Running from: c:\documents and settings\localadmin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\localadmin\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system\oeminfo.ini
c:\windows\system32\AutoRun.inf
c:\windows\system32\ddcCRLFx.dll
c:\windows\system32\I775B4lw.exe.a_a
c:\windows\system32\isukitil.ini
c:\windows\system32\nnnllKBR.dll
c:\windows\system32\nwplti.dll
c:\windows\system32\oqmutk.dll
c:\windows\system32\ovubuluw.ini
c:\windows\system32\pezatehe.dll
c:\windows\system32\pmxhmdgg.ini
c:\windows\system32\prunnet.exe
c:\windows\system32\qkckhnaq.dll
c:\windows\system32\rljgwouo.dll
c:\windows\system32\roblvvkg.ini
c:\windows\system32\sawubiyi.dll
c:\windows\system32\tagusoka.dll
c:\windows\system32\TDSSbukt.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.
2008-12-21 22:52 . 2008-12-21 22:53 <DIR> d-------- C:\32788R22FWJFW
2008-12-21 13:22 . 2008-12-21 13:22 <DIR> d-------- c:\program files\Alwil Software
2008-12-21 03:23 . 2008-12-21 03:31 1,393 --a------ c:\windows\imsins.BAK
2008-12-21 03:22 . 2008-12-21 03:32 2,973 --a------ c:\windows\system32\spupdsvc.inf
2008-12-21 03:16 . 2006-12-29 00:31 19,569 --a------ c:\windows\000001_.tmp
2008-12-21 01:04 . 2008-12-21 01:07 <DIR> d-------- C:\267e3c904bc660664a57bf439b109f
2008-12-19 22:20 . 2008-12-19 22:20 <DIR> d-------- c:\documents and settings\localadmin\Application Data\VirusRemover2008
2008-12-19 22:10 . 2008-12-21 12:59 2,710 --a------ c:\windows\system32\TDSSnnpa.dll
2008-12-15 11:40 . 2008-04-13 22:57 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll
2008-12-15 11:40 . 2008-04-14 00:15 46,592 --------- c:\windows\system32\drivers\irbus.sys
2008-12-15 11:40 . 2008-04-14 05:42 10,752 --a------ c:\windows\system32\smtpapi.dll
2008-12-15 11:40 . 2008-04-14 05:42 9,728 --a------ c:\windows\system32\rwnh.dll
2008-12-15 11:40 . 2008-04-14 00:13 9,728 --a------ c:\windows\system32\comsdupd.exe
2008-12-15 11:36 . 2008-12-15 11:40 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-15 11:30 . 2006-12-29 00:31 19,569 --a------ c:\windows\003044_.tmp
2008-12-15 10:38 . 2008-12-15 11:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-15 10:38 . 2008-12-21 14:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-15 10:37 . 2008-12-15 10:37 <DIR> d-------- c:\program files\CCleaner
2008-12-15 10:18 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-14 17:12 . 2008-12-14 17:13 <DIR> d-------- c:\program files\iTunes
2008-12-14 17:12 . 2008-12-14 17:12 <DIR> d-------- c:\program files\iPod
2008-12-14 17:12 . 2008-12-14 17:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-14 17:10 . 2008-12-14 17:10 <DIR> d-------- c:\program files\QuickTime
2008-12-01 23:25 . 2008-12-01 23:25 998 --a------ c:\windows\system32\SiteList.xml
2008-11-28 12:43 . 2001-08-17 22:36 324,608 --a------ c:\windows\system32\hpojwia.dll
2008-11-28 12:43 . 2001-08-17 22:36 324,608 --a--c--- c:\windows\system32\dllcache\hpojwia.dll
2008-11-28 12:43 . 2001-07-21 20:27 18,411 --a------ c:\windows\system32\hpo5500a.aio
2008-11-28 12:43 . 2001-07-21 20:27 18,411 --a------ c:\windows\system32\hpo5400a.aio
2008-11-28 12:43 . 2001-07-21 20:27 18,411 --a------ c:\windows\system32\hpo5300a.aio
2008-11-28 12:43 . 2001-08-17 13:47 12,928 --a------ c:\windows\system32\drivers\Dot4Prt.sys
2008-11-28 12:43 . 2001-08-17 13:47 12,928 --a--c--- c:\windows\system32\dllcache\dot4prt.sys
2008-11-28 12:43 . 2001-08-17 13:47 8,704 --a------ c:\windows\system32\drivers\Dot4scan.sys
2008-11-28 12:43 . 2001-08-17 13:47 8,704 --a--c--- c:\windows\system32\dllcache\dot4scan.sys
2008-11-28 12:42 . 2008-04-14 00:09 206,976 --a------ c:\windows\system32\drivers\dot4.sys
2008-11-28 12:42 . 2001-08-17 13:47 23,808 --a------ c:\windows\system32\drivers\Dot4usb.sys
2008-11-28 12:42 . 2001-08-17 13:47 23,808 --a--c--- c:\windows\system32\dllcache\dot4usb.sys
2008-11-25 19:35 . 2008-11-29 20:32 <DIR> d-------- c:\documents and settings\localadmin\Application Data\LimeWire
2008-11-25 15:14 . 2008-11-25 15:14 <DIR> d--hs---- c:\windows\ftpcache
2008-11-24 17:01 . 2008-11-25 15:27 <DIR> d-------- c:\documents and settings\localadmin\Application Data\Skype
2008-11-24 16:58 . 2008-11-24 16:58 <DIR> d-------- c:\program files\Skype
2008-11-24 16:58 . 2008-11-24 16:58 <DIR> d-------- c:\program files\Common Files\Skype
2008-11-24 16:58 . 2008-11-24 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 22:24 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-15 15:27 --------- d-----w c:\program files\Viewpoint
2008-12-15 15:27 --------- d-----w c:\documents and settings\localadmin\Application Data\Viewpoint
2008-12-15 15:17 --------- d-----w c:\program files\Java
2008-12-14 22:12 --------- d-----w c:\program files\Common Files\Apple
2008-12-09 19:03 --------- d-----w c:\documents and settings\localadmin\Application Data\goombah
2008-12-09 16:25 --------- d-----w c:\documents and settings\localadmin\Application Data\Ruckus Network
2008-12-09 03:40 --------- d--h--w c:\documents and settings\localadmin\Application Data\Move Networks
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-12 111952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-21 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-21 20560]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2006-07-20 24521]
S3 ExtranetAccess;Contivity VPN Service;"c:\program files\Nortel Networks\Extranet_serv.exe" [2006-07-20 811008]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2006-07-20 155184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-12-21 c:\windows\Tasks\At1.job
- c:\windows\system32\I775B4lw.exe []
2008-12-20 c:\windows\Tasks\At10.job
- c:\windows\system32\I775B4lw.exe []
2008-12-19 c:\windows\Tasks\At11.job
- c:\windows\system32\I775B4lw.exe []
2008-12-19 c:\windows\Tasks\At12.job
- c:\windows\system32\I775B4lw.exe []
2008-12-19 c:\windows\Tasks\At13.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At14.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At15.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At16.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At17.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At18.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At19.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At2.job
- c:\windows\system32\I775B4lw.exe []
2008-12-22 c:\windows\Tasks\At20.job
- c:\windows\system32\I775B4lw.exe []
2008-12-22 c:\windows\Tasks\At21.job
- c:\windows\system32\I775B4lw.exe []
2008-12-22 c:\windows\Tasks\At22.job
- c:\windows\system32\I775B4lw.exe []
2008-12-22 c:\windows\Tasks\At23.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At24.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At3.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At4.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At5.job
- c:\windows\system32\I775B4lw.exe []
-
The bottom of the log is cut off. I need all of it.
-
2008-12-21 c:\windows\Tasks\At6.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At7.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At8.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At9.job
- c:\windows\system32\I775B4lw.exe []
2008-12-22 c:\windows\Tasks\ujwctinm.job
- c:\windows\system32\rundll32.exe [2008-04-14 05:42]
.
- - - - ORPHANS REMOVED - - - -
BHO-{31e238aa-a2d4-4f9b-b4e4-70ddd27581b7} - c:\windows\system32\tagusoka.dll
BHO-{386A2108-507B-40A6-BEAF-E1AF6E04974F} - c:\windows\system32\ddcCRLFx.dll
BHO-{80b152d3-bb8d-4385-943c-6ea4029929a0} - c:\windows\system32\oqmutk.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-kuyesizadi - c:\windows\system32\sawubiyi.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.unh.edu/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
FF - ProfilePath - c:\documents and settings\localadmin\Application Data\Mozilla\Firefox\Profiles\zfe0ojw5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-twc&p=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.unh.edu/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\localadmin\Application Data\Mozilla\Firefox\Profiles\zfe0ojw5.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosti ng_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6B F52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22 D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 23:05:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-21 23:09:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 04:09:02
Pre-Run: 17,969,004,544 bytes free
Post-Run: 17,763,332,096 bytes free
277 --- E O F --- 2008-12-16 17:01:15
-
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
KillAll::
Driver::
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
File::
c:\windows\000001_.tmp
c:\windows\system32\TDSSnnpa.dll
c:\windows\003044_.tmp
c:\windows\Tasks\At1.job
c:\windows\system32\I775B4lw.exe
2008-12-20 c:\windows\Tasks\At10.job
2008-12-19 c:\windows\Tasks\At11.job
2008-12-19 c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\ujwctinm.job
Folder::
c:\documents and settings\localadmin\Application Data\VirusRemover2008
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
----------
After posting the ComboFix log.
Download Malwarebytes' Anti-Malware (MBAM) (http://www.besttechie.net/tools/mbam-setup.exe)
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
----------
Download TrendMicro HijackThis.exe (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) (HJT) to the Desktop.
- Double-click on HJTInstall.
- Click on the Install button.
- It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
- Upon install, HijackThis should open for you.
- Click on the Do a system scan and save a log file button
- HijackThis will scan and then a log will open in notepad.
- Copy and then paste the entire contents of the log in your post.
- Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
-
I was doing the first part and I got an error message- "Were you trying to run CFScript? The name, CFScript appears to be incorrectly spelt."
-
I'm assuming I just press Ok...
-
I did, then the ComboFix screen went away.
-
Do this instead please.
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system
Now download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 and save it to your Desktop.
- Extract avenger.exe from the Zip file and save it to your Desktop
- Run avenger.exe by double-clicking on it.
- Do not change any check box options!!
- Copy everything in the Code box below, and paste it into the Input script here window:
Comment:
Files to delete:
c:\windows\000001_.tmp
c:\windows\system32\TDSSnnpa.dll
c:\windows\003044_.tmp
c:\windows\Tasks\At1.job
c:\windows\system32\I775B4lw.exe
2008-12-20 c:\windows\Tasks\At10.job
2008-12-19 c:\windows\Tasks\At11.job
2008-12-19 c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\ujwctinm.job
Folders to delete:
c:\documents and settings\localadmin\Application Data\VirusRemover2008
Drivers to delete:
TDSSSERV
TDSSserv
- Now click the Execute button.
- Click Yes to the prompt to confirm you want to execute.
- Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
- Your PC should reboot, if not, reboot it yourself.
- A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
- Add the Avenger log in your next post.
-
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "c:\windows\000001_.tmp" deleted successfully.
File "c:\windows\system32\TDSSnnpa.dll" deleted successfully.
File "c:\windows\003044_.tmp" deleted successfully.
File "c:\windows\Tasks\At1.job" deleted successfully.
Error: file "c:\windows\system32\I775B4lw.exe" not found!
Deletion of file "c:\windows\system32\I775B4lw.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not open file "2008-12-20 c:\windows\Tasks\At10.job"
Deletion of file "2008-12-20 c:\windows\Tasks\At10.job" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "2008-12-19 c:\windows\Tasks\At11.job"
Deletion of file "2008-12-19 c:\windows\Tasks\At11.job" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "2008-12-19 c:\windows\Tasks\At12.job"
Deletion of file "2008-12-19 c:\windows\Tasks\At12.job" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
File "c:\windows\Tasks\At13.job" deleted successfully.
File "c:\windows\Tasks\At14.job" deleted successfully.
File "c:\windows\Tasks\At15.job" deleted successfully.
File "c:\windows\Tasks\At16.job" deleted successfully.
File "c:\windows\Tasks\At17.job" deleted successfully.
File "c:\windows\Tasks\At18.job" deleted successfully.
File "c:\windows\Tasks\At19.job" deleted successfully.
File "c:\windows\Tasks\At2.job" deleted successfully.
File "c:\windows\Tasks\At20.job" deleted successfully.
File "c:\windows\Tasks\At21.job" deleted successfully.
File "c:\windows\Tasks\At22.job" deleted successfully.
File "c:\windows\Tasks\At23.job" deleted successfully.
File "c:\windows\Tasks\At24.job" deleted successfully.
File "c:\windows\Tasks\At3.job" deleted successfully.
File "c:\windows\Tasks\At4.job" deleted successfully.
File "c:\windows\Tasks\At5.job" deleted successfully.
File "c:\windows\Tasks\At6.job" deleted successfully.
File "c:\windows\Tasks\At7.job" deleted successfully.
File "c:\windows\Tasks\At8.job" deleted successfully.
File "c:\windows\Tasks\At9.job" deleted successfully.
File "c:\windows\Tasks\ujwctinm.job" deleted successfully.
Folder "c:\documents and settings\localadmin\Application Data\VirusRemover2008" deleted successfully.
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSSERV" not found!
Deletion of driver "TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv" not found!
Deletion of driver "TDSSserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
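The three Avenger failures above (STATUS_OBJECT_PATH_NOT_FOUND) are exactly the entries whose paths still carry the date stamp that ComboFix prints in front of each .job file in its "Scheduled Tasks" listing. As an added example, not code from this thread, from ComboFix or from The Avenger, here is a Python triage script that parses a constructed copy of that listing (built from the job and program names seen in this thread), groups the jobs by the program they launch, builds a clean path list for a removal script, and rejects any path that kept the date stamp.

```python
"""Triage helper for the 'Scheduled Tasks' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix or The Avenger.
ComboFix prints each job as two lines: '<date> <path>.job' followed by
'- <program> [<version stamp>]'. The date is a listing detail, not part
of the path, and must be dropped before the path goes into a script.
"""
import re
from collections import defaultdict

# Constructed excerpt in ComboFix's format, using the job and program
# names that appear in this thread.
SAMPLE_LISTING = r"""
Contents of the 'Scheduled Tasks' folder
2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-12-21 c:\windows\Tasks\At1.job
- c:\windows\system32\I775B4lw.exe []
2008-12-20 c:\windows\Tasks\At10.job
- c:\windows\system32\I775B4lw.exe []
2008-12-21 c:\windows\Tasks\At2.job
- c:\windows\system32\I775B4lw.exe []
2008-12-22 c:\windows\Tasks\ujwctinm.job
- c:\windows\system32\rundll32.exe [2008-04-14 05:42]
.
"""

DATE_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} ")
JOB_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<path>.+\.job)$", re.IGNORECASE)
TARGET_LINE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]*)\]$")


def parse_tasks(listing):
    """Return (job_path, program, version_stamp) tuples with the date stamp removed."""
    entries = []
    lines = [ln.strip() for ln in listing.splitlines()]
    for job, nxt in zip(lines, lines[1:]):
        m = JOB_LINE.match(job)
        t = TARGET_LINE.match(nxt)
        if m and t:
            entries.append((m.group("path"), t.group("target"), t.group("stamp")))
    return entries


def suspicious_programs(entries, min_jobs=2):
    """Programs fired by several jobs that ComboFix could not version-stamp
    ('[]'). A run of At*.job entries all launching one unknown file in
    system32 is the persistence pattern visible in the log above."""
    by_program = defaultdict(list)
    for job, program, stamp in entries:
        if stamp == "":
            by_program[program].append(job)
    return {p: jobs for p, jobs in by_program.items() if len(jobs) >= min_jobs}


def removal_list(entries, program):
    """Clean .job paths for one program plus the program itself, in the form
    a CFScript 'File::' or Avenger 'Files to delete:' block expects."""
    jobs = [job for job, prog, _ in entries if prog.lower() == program.lower()]
    return jobs + [program]


def bad_script_paths(paths):
    """Paths a deletion tool will reject: a date stamp copied from the
    listing turns the whole string into a path that does not exist."""
    return [p for p in paths if DATE_PREFIX.match(p)]


if __name__ == "__main__":
    found = parse_tasks(SAMPLE_LISTING)
    for program, jobs in suspicious_programs(found).items():
        print(f"{program} launched by {len(jobs)} unstamped jobs")
        for line in removal_list(found, program):
            print("  ", line)
    # The mistake from the Avenger script: a listing line pasted verbatim.
    print("rejected:", bad_script_paths([r"2008-12-20 c:\windows\Tasks\At10.job"]))
```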
-
We are getting closer; it missed a few files.
Download the OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by OldTimer
Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.
* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)
:Processes
explorer.exe
:services
:reg
:files
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
-
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\windows\Tasks\At10.job moved successfully.
c:\windows\Tasks\At11.job moved successfully.
c:\windows\Tasks\At12.job moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7a8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFV1.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12222008_000416
Files moved on Reboot...
File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
C:\WINDOWS\temp\Perflib_Perfdata_7a8.dat moved successfully.
File C:\WINDOWS\temp\WFV1.tmp not found!
-
OK that worked.
Please go through with the Malwarebytes and HijackThis instructions.
-
I'm sorry, but where is that?
-
Here ya go.
Download Malwarebytes' Anti-Malware (MBAM) (http://www.besttechie.net/tools/mbam-setup.exe)
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
----------
Download TrendMicro HijackThis.exe (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) (HJT) to the Desktop.
- Double-click on HJTInstall.
- Click on the Install button.
- It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
- Upon install, HijackThis should open for you.
- Click on the Do a system scan and save a log file button
- HijackThis will scan and then a log will open in notepad.
- Copy and then paste the entire contents of the log in your post.
- Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
-
Thank you so much for all of your help by the way. The Malwarebytes scan is running now...
-
Malwarebytes' Anti-Malware 1.31
Database version: 1528
Windows 5.1.2600 Service Pack 3
12/22/2008 12:34:54 AM
mbam-log-2008-12-22 (00-34-54).txt
Scan type: Quick Scan
Objects scanned: 49059
Time elapsed: 6 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
-
Edit:
cont.-
Files Infected:
C:\WINDOWS\system32\litikusi.dll_old (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wulubuvo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
-
Hijack this log--
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:05 AM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unh.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
--
End of file - 7649 bytes
-
Should I do anything else with the Hijack? Or just reboot?
Am I done?
-
Am I done?
Not yet. Still a few more steps.
Thank you so much for all of your help by the way. The Malwarebytes scan is running now...
You're welcome.
The real-time protection of two antivirus programs may conflict with each other and cause the following:
1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
2) Conflicts: Your system may lock up due to both products attempting to access the same file at the same time.
3) Performance: More than one antivirus will cause your PC to become slow and it may even crash or blue screen.
Please uninstall one antivirus, either McAfee or Avast. Two actually leaves you less protected.
----------
Open HijackThis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
- O15 - Trusted Zone: *.amaena.com
- O15 - Trusted Zone: *.avsystemcare.com
- O15 - Trusted Zone: *.onerateld.com
- O15 - Trusted Zone: *.safetydownload.com
- O15 - Trusted Zone: *.trustedantivirus.com
- O15 - Trusted Zone: *.virusremover2008.com
- O15 - Trusted Zone: *.virusschlacht.com
- O15 - Trusted Zone: *.amaena.com (HKLM)
- O15 - Trusted Zone: *.avsystemcare.com (HKLM)
- O15 - Trusted Zone: *.onerateld.com (HKLM)
- O15 - Trusted Zone: *.safetydownload.com (HKLM)
- O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
- O15 - Trusted Zone: *.virusremover2008.com (HKLM)
- O15 - Trusted Zone: *.virusschlacht.com (HKLM)
.
Important: Close all windows except for HijackThis and then click Fix checked.
Exit HijackThis.
----------
Your Java is out of date.
Older versions have vulnerabilities that malicious sites can use to infect your system.
First install the new Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html)
Be sure to close all browser windows before beginning the install.
Remove the old version(s)
Download JavaRa (http://www.majorgeeks.com/JavaRa_d5967.html)
- Unzip the file and open the JavaRa.exe
- Click Remove Older Versions
- JavaRa will search for and remove any outdated version of Java and remove any that are found.
- Click Additional Tasks
- Place a check next to Remove Useless JRE Files and click Go
- Exit JavaRa
- Delete the JavaRa files from the Desktop
.
----------
How is the computer running now?
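A defender-side check for the same kind of "O15 - Trusted Zone" entries, as an added PowerShell example that is not part of the thread: it walks the ZoneMap\Domains keys in both the HKCU and HKLM hives (the two forms HijackThis lists) and reports every domain mapped to the Trusted sites zone, with a dry-run removal. The allowlist contents are an assumption for illustration; fill in your own approved domains.

```powershell
# Added example (not from the thread): audit Internet Explorer zone mappings for domains
# placed in the Trusted sites zone, the condition HijackThis reports as "O15 - Trusted Zone".
# Zone ids: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapDomain {
    # Enumerate ZoneMap\Domains and ZoneMap\EscDomains under one hive (HKCU or HKLM).
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
    foreach ($container in 'Domains', 'EscDomains') {
        $root = Join-Path $base $container
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -Recurse) {
            # Key path below the container is domain\subdomain; reverse it to get a host pattern.
            $rel   = $key.Name.Substring($key.Name.IndexOf("\$container\") + $container.Length + 2)
            $parts = $rel -split '\\'
            [array]::Reverse($parts)
            $pattern = $parts -join '.'
            if ($parts.Count -eq 1) { $pattern = "*.$pattern" }   # bare domain key covers all hosts
            # Each value name is a scheme (http, https or *); its DWORD data is the zone id.
            foreach ($scheme in ($key.Property | Where-Object { $_ -ne '(default)' })) {
                $zone = [int]$key.GetValue($scheme)
                $zoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'unknown' }
                [pscustomobject]@{
                    Hive     = $Hive
                    Pattern  = $pattern
                    Scheme   = $scheme
                    Zone     = $zone
                    ZoneName = $zoneName
                    KeyPath  = $key.PSPath
                }
            }
        }
    }
}

function Find-SuspiciousTrustedZone {
    # Return Trusted sites (zone 2) mappings not covered by an administrator allowlist.
    # The default allowlist entry is a constructed placeholder; supply your own approved domains.
    param([string[]]$Allowed = @('*.example-intranet.local'))
    foreach ($hive in 'HKCU', 'HKLM') {
        Get-ZoneMapDomain -Hive $hive |
            Where-Object { $_.Zone -eq 2 -and ($Allowed -notcontains $_.Pattern) }
    }
}

function Remove-TrustedZoneDomain {
    # Delete the registry key behind one mapping; -WhatIf gives a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$KeyPath)
    if ($PSCmdlet.ShouldProcess($KeyPath, 'Remove zone mapping')) {
        Remove-Item -Path $KeyPath -Recurse -Force
    }
}

# Report what is currently mapped to the Trusted sites zone in both hives.
$hits = @(Find-SuspiciousTrustedZone)
if ($hits.Count -gt 0) {
    $hits | Format-Table Hive, Pattern, Scheme, ZoneName -AutoSize
} else {
    Write-Output 'No unexpected Trusted sites mappings found.'
}
# Dry run of the removal; drop -WhatIf only after reviewing the list above.
$hits | ForEach-Object { Remove-TrustedZoneDomain -KeyPath $_.KeyPath -WhatIf }
```

Run it from an elevated prompt if you want HKLM entries removed as well as listed.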
-
Ok, to remove Avast, should I just Add or Remove program?
-
Yes. There should be just one entry to uninstall. Be sure to restart the computer after uninstalling it.
-
Ok, I did the uninstall and reboot. I did the Hijackthis and fixed all of the O15s.
Now I am about to do the Java.
-
OK, some cleanup and then a (hopefully) final scan.
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
.
- The above procedure will:
- Delete the following:
- ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
.
----------
Download
OTCleanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to your Desktop.
- Double-click OTCleanIt.exe.
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes, if not delete it yourself.
.
Run CCleaner.
Important: Restart the computer before continuing.
----------
Run the Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)
In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.
- Click on SCAN NOW
- Click Accept.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
- The scan will take a while, so be patient and let it finish.
When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As- Next, in the Save as prompt, Save in area, select: Desktop.
- In the File name area use KScan, or something similar.
- In Save as type: click the drop arrow and select: Text file [*.txt]
- Then, click: Save
(http://i154.photobucket.com/albums/s258/evilfantasy69/Kas-Savetxt.gif)
Copy and paste the Kaspersky Online Scanner Report in your next reply.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
-
Before that, both times I tried running JavaRa, it had to close because it encountered an error. The first time it deleted a lot of stuff before showing the message, the second time it was right after I opened it. What should I do?
-
It worked the next time I tried. Would you like to see the log?
-
I am supposed to run CCleaner? Because I did and it deleted a lot of stuff. Was that what I was supposed to do?
-
No I don't need the JavaRA log. Yes running CCleaner is always good. You can run it daily to clean up unwanted junk on your hard drive.
-
Generally, how long does the Kaspersky scan take?
-
It will take at least an hour, possibly more. It does take a while.
-
The Kaspersky scan didn't have anything in the Scan Report. It was blank.
I think that's a good thing...
-
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 22, 2008 11:04:03
Records in database: 1499780
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 58597
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:28:08
No malware has been detected. The scan area is clean.
The selected area was scanned.
-
Looks good.
How is the computer running now?
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.
Concerned about Browser Security? Consider using Mozilla Firefox 3.0 (http://www.spreadfirefox.com/node&id=224248&t=324) with Adblock Plus (https://addons.mozilla.org/en-US/firefox/addon/1865) and NoScript (http://noscript.net/)
To prevent unknown applications from being installed on your computer install WinPatrol 2008 (http://www.winpatrol.com/winpatrol.html)
* Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
I suggest using SiteAdvisor (http://www.siteadvisor.com/). SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Check out Keeping Yourself Safe On The Web (http://evilspages.blogspot.com/2008/05/keeping-yourself-safe-on-web.html) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware (http://evilspages.blogspot.com/2008/05/slow-computer-it-may-not-be-malware.html) for free cleaning/maintenance tools to help keep your computer running smooth.
-
The computer is running well now. I will try those things. Also, what can I delete and what should I keep of the things I've downloaded over the past 2+ days? Everything is saved to the desktop.
-
Keep MBAM and SAS. Update and run them now and again to make sure nothing strange has found its way in.
Keep CCleaner, run it daily to keep the HD clean.
You can uninstall or delete anything else.
-
Ok thank you.
I did the OSI scan and I have red "X"s next to...
AOL Instant Messenger 5.x (though AIM 6.x is installed)
Adobe Reader 8.X
All of my old Adobe Flash players, I have 10.x
Should I follow the instructions to download the updates?
-
Which is SAS?
-
Which is SAS?
SUPERAntiSpyware.
---
Check in your add/remove programs for old versions of AIM and uninstall them if found.
Do this to remove all unstable older versions of Flash.
Download the Flash Player Uninstaller (http://www.adobe.com/shockwave/download/alternates/) and save it to your desktop.
Run the uninstaller program and then reboot your computer to complete the uninstall.
Download and install the latest version of Flash Player (http://www.adobe.com/go/getflashplayer)
-
In my Add or Remove programs, there is...
Adobe Flash Player 10 ActiveX
Adobe Flash Player plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Which should I delete?
-
Those are all OK. If you run the uninstaller from above then install the new version you should be OK.
-
Ok will do! Thanks so much for all of your help!