Computer Hope

Software => Computer viruses and spyware => Topic started by: Zippy2 on January 21, 2010, 08:58:45 PM

Title: System Security 2009 recovery?
Post by: Zippy2 on January 21, 2010, 08:58:45 PM
Hello all, first time poster on this forum.  I've read many of the previous posts regarding this wonderful situation I have found myself in.  While I believe I may be 'out of the woods' by following the necessary steps, as directed by this forum, to remove the malware, I am still posting my logs in an attempt to ensure that everything is as it seems. 
First, some background.  I began to get the annoying pop up windows indicating the System Security 2009 breach.  After choosing to ignore the alerts to download the necessary software, I was greeted with various porn sites popping up all over my screen.  Via FireFox, I was still able to browse the web, but  I was unable to run any .exe file other than FireFox.  I restarted in SAFE MODE and was able to run SUPERAntiSPYWARE which located and removed 45 threats.  At this point I was able to restart XP normally and open the .exe files, but wasn't able to update Malwarebytes Anti-Malware or SUPERAntiSPYWARE.  After further research, I learned I needed to make some changes to my IE internet option settings.  After the changes I made the necessary updates and downloaded HJT.

Everything functions as it did before the infection, but I would just like to be sure that I removed all that I should have to keep this from further damaging my system.

THANK YOU!!!
Trever

[Saving space, attachment deleted by admin]
Title: Re: System Security 2009 recovery?
Post by: SuperDave on January 23, 2010, 11:49:59 AM
Hello Zippy2 and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

-------------------------------------------------------------------------

It appears that you're running two Anti-Virus programs on your computer which is a no-no. One will have to be uninstalled. If you have problems with the uninstall, please let me know and I'll send you a tool to remove it.

-------------------------------------------------------------------------

Add or Remove Programs

1. Click on the Windows Start button and click on the Control Panel
2. In the Control Panel window, double-click Add or Remove Programs icon.
3. When the Add or Remove Programs window has fully populated, check for iWin Games and uninstall it.

------------------------------------------------------------------------------

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

---------------------------------------------------------------------------------

Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 23, 2010, 01:18:09 PM
Thanks SD!

I'm looking forward to getting this situation figured out! 

As for the antivirus, I had uninstalled McAfee a few months ago (or so I thought). If there is any trail left on the HD, I am unaware of it, as it doesn't appear in the Add/Remove Programs window.

Was this one of the two AV programs you saw?
Title: Re: System Security 2009 recovery?
Post by: harry 48 on January 23, 2010, 01:21:14 PM
http://service.mcafee.com/FAQDocument.aspx?id=TS100507&lc=1033

Save Dave time looking for it   ;D
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 23, 2010, 02:21:02 PM
Disregard my last post.  I took Harry's advice to remove the old McAfee files.  The rest went well, and I have posted the logs below.

Trev



[Saving space, attachment deleted by admin]
Title: Re: System Security 2009 recovery?
Post by: harry 48 on January 23, 2010, 02:30:48 PM
Sorry, do as Dave says; he is the expert.
Title: Re: System Security 2009 recovery?
Post by: SuperDave on January 24, 2010, 11:55:07 AM
DON'T RUN THIS FIX. THERE'S A PROBLEM WITH COMBOFIX.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::

c:\documents and settings\Trever Good\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Trever Good\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
c:\windows\pss\iWin Desktop Alerts.lnkStartup

MIA::
c:\windows\system32\DRIVERS\atapi.sys

Folder::
c:\program files\iWin.com
c:\program files\iWin Games
c:\documents and settings\All Users\Application Data\iWin Games
c:\documents and settings\Trever Good\Local Settings\Application Data\vjfxrc


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 25, 2010, 09:03:53 AM
Got the note to not run the last post this morning, after having run it yesterday afternoon. Desktop wiped clean, "Start"/All Programs wiped clean. Most data gone. HELP!!!
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 25, 2010, 09:29:34 AM
Hello Zippy2.

We need you to follow the instructions in the following link to get your computer back to normal. http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/455388-combofix-issue-resolution.html

Let us know when that is complete and how the computer is running.
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 26, 2010, 05:46:32 AM
As per the NEW INSTRUCTIONS from Virus/Trojan/Spyware Removal Help from techsupportforum




DDS (Ver_09-12-01.01) - NTFSx86 
Run by Trever Good at 16:50:38.67 on Mon 01/25/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2303.1677 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Trever Good\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uStart Page = https://www6.glic.com/gol/homepage/login.aspx
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxps://www6.glic.com/gol/Virtual%20University/cab/awswaxm.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www6.glic.com/gol/common/scripts/smsx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
DPF: {21D817CE-B22E-11D2-B514-00C04F930B5E} - hxxps://www6.glic.com/gol/Common/Scripts/GuardianDownload.CAB
DPF: {2E764AF3-8311-11D2-B4EC-00C04F930B5E} - hxxps://www6.glic.com/gol/GuardianHelp/Scripts/ctlDownloadHelp_2.CAB
DPF: {2F01ABF9-0799-11D2-B771-00C04F930B5E} - hxxps://www6.glic.com/gol/GuardianHelp/scripts/ctlshowHelp_3.CAB
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://www6.glic.com/srvlw1/iNotes6W.cab
DPF: {3E755E01-BB38-11D4-B44C-00105A0D610A} - hxxps://www6.glic.com/gol/Common/Cabs/ctlCommonControls.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.gamehouse.com/realarcade-webgames/dinerdash2/DinerDash2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9E4A8277-58D1-11D4-8E62-00C04F6F3010} - hxxps://www6.glic.com/gol/Common/Cabs/GDL_VbRuntime.CAB
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.gamehouse.com/realarcade-webgames/dinerdashfloonthego/DinerDashFloGo.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E03EEB49-B0CB-46A3-A84B-BA758243A7B0} - hxxp://www.shockwave.com/content/thwartpoker/sis/OrbitalLauncher-2.0.15.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\trever~1\applic~1\mozilla\firefox\profiles\71xjct53.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|http://www.weather.com/weather/local/17569?lswe=17569&lwsa=WeatherLocalUndeclared&from=searchbox|http://sections.lancasteronline.com/local/1/9
FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-21 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-21 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-21 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-1-21 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-21 285392]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2003-10-14 34712]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 fsbl;F-Secure BlackLight Engine Driver;\??\c:\documents and settings\trever good\desktop\f-downadup\fsbldrv.sys --> c:\documents and settings\trever good\desktop\f-downadup\fsbldrv.sys [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2009-3-16 39048]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\11b.tmp --> c:\windows\system32\11B.tmp [?]

=============== Created Last 30 ================

2010-01-25 21:31:31   0   d-----w-   c:\docume~1\trever~1\applic~1\Zen Puzzle Garden
2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\yoclient
2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\Wildfire
2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\ViquaSoft
2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\Valusoft
2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\URSE Games
2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\Uniblue
2010-01-25 21:31:20   0   d-----w-   c:\docume~1\trever~1\applic~1\TomTom
2010-01-25 21:31:11   0   d-----w-   c:\docume~1\trever~1\applic~1\Super-Cow
2010-01-25 21:30:35   0   d-----w-   c:\docume~1\trever~1\applic~1\Simple Star
2010-01-25 21:30:31   0   d-----w-   c:\docume~1\trever~1\applic~1\Raptisoft
2010-01-25 21:30:19   0   d-----w-   c:\docume~1\trever~1\applic~1\quickhit.football.QHFootball.4D5206CA741FBF5FD6AAD1A97F5076E917382B34.1
2010-01-25 21:30:19   0   d-----w-   c:\docume~1\trever~1\applic~1\Pogo Games
2010-01-25 21:30:16   0   d-----w-   c:\docume~1\trever~1\applic~1\PDF reDirect
2010-01-25 21:30:16   0   d-----w-   c:\docume~1\trever~1\applic~1\PCF-VLC
2010-01-25 21:30:16   0   d-----w-   c:\docume~1\trever~1\applic~1\PC-FAX TX
2010-01-25 21:29:55   0   d-----w-   c:\docume~1\trever~1\applic~1\Participatory Culture Foundation
2010-01-25 21:29:47   0   d-----w-   c:\docume~1\trever~1\applic~1\OpenOffice.org
2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\Ludia
2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\Kontiki
2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\Jane s Hotel
2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\iWinArcade
2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\iWin_DressUpRush
2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\Intuit
2010-01-25 21:29:41   0   d-----w-   c:\docume~1\trever~1\applic~1\Home Sweet Home
2010-01-25 21:29:30   0   d-----w-   c:\docume~1\trever~1\applic~1\Gamelab
2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\GameInvest
2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\Gaijin Ent
2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\funkitron
2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\Free Sound Recorder
2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\FlowPlay
2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\EleFun Games
2010-01-25 21:29:20   0   d-----w-   c:\docume~1\trever~1\applic~1\Digital Album Organizer
2010-01-25 21:29:17   0   d-----w-   c:\docume~1\trever~1\applic~1\CoffeeCup Software
2010-01-25 21:29:17   0   d-----w-   c:\docume~1\trever~1\applic~1\Boolat Games
2010-01-25 21:27:35   0   d-----w-   c:\docume~1\trever~1\applic~1\bang
2010-01-25 21:27:34   0   d-----w-   c:\docume~1\trever~1\applic~1\Alawar
2010-01-25 21:27:34   0   d-----w-   c:\docume~1\trever~1\applic~1\AlauxSoft
2010-01-25 21:26:20   146   ----a-w-   c:\docume~1\trever~1\applic~1\_$_hpcst$_.hpc.zip
2010-01-25 21:26:12   5632   ----a-w-   c:\documents and settings\trever good\Thumbs.db
2010-01-25 21:26:12   4   ----a-w-   c:\documents and settings\trever good\win_rhtdo53x4
2010-01-25 21:26:12   30   ----a-w-   c:\documents and settings\trever good\jagex_runescape_preferences.dat
2010-01-25 21:26:12   187749   ----a-w-   c:\documents and settings\trever good\~
2010-01-25 21:26:12   0   d-----w-   c:\documents and settings\trever good\.housecall6.6
2010-01-25 21:26:11   125   ----a-w-   c:\documents and settings\trever good\BritannicaReadyReferencePrefs
2010-01-25 21:21:27   0   d-----w-   c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2010-01-25 21:21:26   0   d-----w-   c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-25 21:21:26   0   d-----w-   c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2010-01-25 21:21:25   0   d-----w-   c:\docume~1\alluse~1\applic~1\VirtualFarm
2010-01-25 21:21:24   0   d-----w-   c:\docume~1\alluse~1\applic~1\Viewpoint
2010-01-25 21:21:23   0   d-----w-   c:\docume~1\alluse~1\applic~1\Trymedia
2010-01-25 21:21:18   0   d-----w-   c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-25 21:21:18   0   d-----w-   c:\docume~1\alluse~1\applic~1\Sony Corporation
2010-01-25 21:21:18   0   d-----w-   c:\docume~1\alluse~1\applic~1\SBSI
2010-01-25 21:21:17   0   d-----w-   c:\docume~1\alluse~1\applic~1\Sandlot Games
2010-01-25 21:21:17   0   d-----w-   c:\docume~1\alluse~1\applic~1\PlayPond
2010-01-25 21:21:16   0   d-----w-   c:\docume~1\alluse~1\applic~1\NeoEdge Networks
2010-01-25 21:21:16   0   d-----w-   c:\docume~1\alluse~1\applic~1\Napster
2010-01-25 21:21:15   0   d-----w-   c:\docume~1\alluse~1\applic~1\JollyBear
2010-01-25 21:21:14   0   d-----w-   c:\docume~1\alluse~1\applic~1\iWin Games
2010-01-25 21:20:05   0   d-----w-   c:\docume~1\alluse~1\applic~1\Intuit
2010-01-25 21:20:05   0   d-----w-   c:\docume~1\alluse~1\applic~1\HipSoft
2010-01-25 21:19:58   0   d-----w-   c:\docume~1\alluse~1\applic~1\Grisoft
2010-01-25 21:19:58   0   d-----w-   c:\docume~1\alluse~1\applic~1\Gogii
2010-01-25 21:19:56   0   d-----w-   c:\docume~1\alluse~1\applic~1\GameHouse
2010-01-25 21:19:47   0   d-----w-   c:\docume~1\alluse~1\applic~1\Fugazo
2010-01-25 21:19:47   0   d-----w-   c:\docume~1\alluse~1\applic~1\FreshGames
2010-01-25 21:19:47   0   d-----w-   c:\docume~1\alluse~1\applic~1\FarmFrenzy2
2010-01-25 21:19:47   0   d-----w-   c:\docume~1\alluse~1\applic~1\FarmFrenzy-PizzaParty
2010-01-25 21:19:44   0   d-----w-   c:\docume~1\alluse~1\applic~1\COMMON FILES
2010-01-25 21:19:43   0   d-----w-   c:\docume~1\alluse~1\applic~1\Brother
2010-01-25 21:19:43   0   d-----w-   c:\docume~1\alluse~1\applic~1\Awem
2010-01-25 21:19:25   0   d-----w-   c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-01-25 21:18:34   32   ----a-w-   c:\documents and settings\all users\hash.dat
2010-01-25 21:18:34   0   d-----w-   c:\docume~1\alluse~1\applic~1\3 Blokes Studios
2010-01-25 16:05:26   0   d-----w-   c:\docume~1\trever~1\applic~1\Malwarebytes
2010-01-25 16:05:26   0   d-----w-   c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-25 14:57:55   0   d-sh--w-   c:\documents and settings\all users\DRM
2010-01-25 11:43:12   178   ----a-w-   c:\documents and settings\trever good\ntuser.ini
2010-01-25 11:14:30   0   d-----w-   c:\docume~1\trever~1\applic~1\SUPERAntiSpyware.com
2010-01-25 11:14:30   0   d-----w-   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-23 20:37:02   0   d-sha-r-   C:\cmdcons
2010-01-23 20:35:09   77312   ----a-w-   c:\windows\MBR.exe
2010-01-23 20:35:09   261632   ----a-w-   c:\windows\PEV.exe
2010-01-23 20:35:08   98816   ----a-w-   c:\windows\sed.exe
2010-01-23 20:35:08   161792   ----a-w-   c:\windows\SWREG.exe
2010-01-22 02:41:02   0   d-----w-   C:\$AVG
2010-01-22 02:40:11   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-01-22 02:40:09   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-01-22 02:40:07   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-01-22 02:40:05   0   d-----w-   c:\windows\system32\drivers\Avg
2010-01-22 02:39:12   0   d-----w-   c:\docume~1\alluse~1\applic~1\avg9
2010-01-22 02:38:35   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-22 02:38:33   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-13 12:29:53   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
2010-01-09 16:13:24   0   d-----w-   c:\windows\system32\Runningman
2010-01-09 16:13:24   0   d-----w-   c:\program files\Runningman

==================== Find3M  ====================

2010-01-22 03:40:17   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-01-05 10:00:29   832512   ------w-   c:\windows\system32\wininet.dll
2010-01-05 10:00:21   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00:20   17408   ----a-w-   c:\windows\system32\corpol.dll
2009-11-16 12:13:51   109016   -c--a-w-   c:\docume~1\trever~1\applic~1\GDIPFONTCACHEV1.DAT
2008-09-13 16:27:48   32768   --sha-w-   c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091320080914\index.dat

============= FINISH: 16:51:59.12 ===============


[Saving space, attachment deleted by admin]
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 26, 2010, 07:37:37 AM
Also, my HD had about 10 GB available space before all of this took place, but now it has 400MB available.  Any ideas as to why or what might be causing this?
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 26, 2010, 03:42:43 PM
Also, my HD had about 10 GB available space before all of this took place, but now it has 400MB available.  Any ideas as to why or what might be causing this?

Not sure unless CCleaner removed a bunch of junk.


Download JavaRa (http://majorgeeks.com/JavaRA_d5982.html)
* Unzip the file and open the JavaRa.exe
* Click Remove Older Versions
* JavaRa will search for and remove any outdated version of Java and remove any that are found.
* Click Additional Tasks
* Place a check next to Remove Useless JRE Files and click Go
* Exit JavaRa
* Delete the JavaRa files from the desktop

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)

**Note:  It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

DDS::
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 26, 2010, 05:37:51 PM
Evil, combofix.txt log is attached.   Regarding the space available on my HD, I didn't gain space, I lost available space, from 10GB to 400MB.

Thanks for all your help!
Trev

[Saving space, attachment deleted by admin]
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 26, 2010, 06:55:39 PM
Download TreeSize Free. http://www.jam-software.com/freeware/index.shtml

Run TreeSize and see if you can tell what is taking up all of the disk space.
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 27, 2010, 07:27:18 AM
Thanks Evil,

Ran TreeSize, and discovered a folder on my C drive with a little over 13GB in it: C:\QooBox\Quarantine\C\Documents and Settings. Any recommendations on how to handle it?

Everything appears to be back to how it was before the first ComboFix incident where my desktop was wiped clean.  The only thing I am still missing is all of the email messages that were stored within Outlook Express.

Thanks,
Zippy2
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 27, 2010, 09:01:24 AM
Okay, I was afraid of that. We need to restore some files that are in Qoobox.

Delete ComboFix if it is still on your desktop.

Download the new version of combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your desktop. DO NOT RUN IT YET!!! Just make sure you have the new version downloaded and saved.

Now download this file > http://download.bleepingcomputer.com/sUBs/CFDQ-UsrPrf.exe

Now run the CFDQ-UsrPrf.exe program by double clicking on it.

Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 27, 2010, 02:42:18 PM
Downloaded new ComboFix, downloaded and ran CFDQ-UsrPrf. Ran ComboFix and got an error message indicating that it is only compatible with certain OSes (mine is XP Home and was listed as compatible); when I clicked OK, IE closed and the ComboFix file is no longer on the desktop.

Do I re-download and re-run ComboFix?
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 27, 2010, 02:57:08 PM
Yes try a new download.
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 27, 2010, 03:34:25 PM
Downloaded and ran ComboFix again.  Did not automatically restart, and I attached the ComboFix log. What's next?

Thanks
Zippy2

[Saving space, attachment deleted by admin]
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 28, 2010, 10:12:24 AM
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
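The CFScript above clears a user-level WinINet proxy that was pointed at 127.0.0.1:5555. A loopback proxy the user never configured means something on the machine is sitting between the browser and the network, which is why that DDS line is worth recognising. The following is an added example, not code from this thread or from the ComboFix/DDS authors: it parses DDS-style "Internet Settings" lines from a constructed sample log and flags any ProxyServer value that points at loopback or at a host not on an allow list. The exact DDS line layout and the allow-list host names are assumptions made for the example.

```python
"""Flag suspicious WinINet proxy settings in DDS-style log lines.

Added example, not part of the thread. DDS reports the current user's
WinINet proxy under the 'uInternet Settings' prefix (u = current user,
m = machine), as in the line the CFScript removes. A proxy pointing at
127.0.0.1 on an arbitrary port, with no local proxy software installed,
indicates browser traffic is being intercepted on the host.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Matches lines such as (layout assumed from the thread's DDS line):
#   uInternet Settings,ProxyServer = http=127.0.0.1:5555
#   uInternet Settings,ProxyOverride = <local>
LINE_RE = re.compile(
    r"^(?P<hive>[um]?)Internet Settings,"
    r"(?P<name>ProxyServer|ProxyEnable|ProxyOverride)\s*=\s*(?P<value>.*)$"
)


def parse_proxy_server(value):
    """Split a WinINet ProxyServer value into {scheme: (host, port)}.

    WinINet accepts either a bare 'host:port' (applies to all schemes,
    keyed here as '*') or a ';'-separated list of 'scheme=host:port'.
    """
    entries = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" in item:
            scheme, _, hostport = item.partition("=")
        else:
            scheme, hostport = "*", item
        # '//' prefix lets urlsplit treat the text as a netloc
        parts = urlsplit("//" + hostport)
        try:
            host, port = parts.hostname, parts.port
        except ValueError:  # non-numeric port
            host, port = None, None
        entries[scheme.strip().lower()] = (host, port)
    return entries


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def find_suspicious_proxies(log_lines, allowed_hosts=()):
    """Return (line_no, finding) for ProxyServer entries worth a closer look.

    allowed_hosts: host names / IPs of proxies you actually operate.
    """
    findings = []
    for no, line in enumerate(log_lines, 1):
        m = LINE_RE.match(line.strip())
        if not m or m.group("name") != "ProxyServer":
            continue
        for scheme, (host, port) in parse_proxy_server(m.group("value")).items():
            if host is None:
                findings.append((no, f"unparseable proxy entry for {scheme}"))
            elif host in allowed_hosts:
                continue
            elif is_loopback(host):
                findings.append((no, f"{scheme} proxy on loopback {host}:{port}"))
            else:
                findings.append((no, f"{scheme} proxy {host}:{port} not in allow list"))
    return findings


# Constructed sample log; the first line mirrors the thread's DDS entry,
# the corporate proxy name is invented for the example.
SAMPLE_LOG = [
    "uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    "uInternet Settings,ProxyOverride = <local>",
    "uInternet Settings,ProxyServer = proxy.corp.example:3128",
    "uStart Page = hxxp://www.google.com/",
]

if __name__ == "__main__":
    for line_no, finding in find_suspicious_proxies(
        SAMPLE_LOG, allowed_hosts={"proxy.corp.example"}
    ):
        print(f"line {line_no}: {finding}")
```

The allow list is the key design choice: a loopback proxy is not always malicious (local filtering or debugging proxies use the same mechanism), so the script only reports what you have not explicitly vouched for, and the user-hive prefix tells you which account's settings to inspect.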
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 28, 2010, 05:26:02 PM
Thanks again!

Everything went well in response to your last post.  Attached is the ComboFix log from the actions you recommended.  Please advise on any further steps.

Thanks!
Zippy2

[Saving space, attachment deleted by admin]
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 28, 2010, 05:29:23 PM
Okay, finally. I was wondering if we were going to get rid of that without using brute force!

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan (http://eset.com/onlinescan)

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 28, 2010, 07:51:58 PM
Thanks Evil,

The instructions went well. Attached is the ESETScan log.

Thanks,
Zippy2

[Saving space, attachment deleted by admin]
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 28, 2010, 08:04:08 PM
Looks good. Is the computer running good now?


Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out-of-date software.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection, so they will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy (http://www.safer-networking.org/en/spybotsd/index.html). Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 29, 2010, 06:48:22 AM
Everything appears to be running well, except for all of the email messages in Outlook Express that are still missing. I guess they are gone for good.

I am having trouble running Secunia Software Inspector. It is giving me an error message about JAVA not being installed. I have gone through all of the verifying steps to ensure that JAVA is indeed installed and working properly. As a result, I was not able to complete the Secunia Software Inspector scan.

Zippy2
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 29, 2010, 10:00:15 AM
Quote
I am having trouble running Secunia Software Inspector.

Are you using Internet Explorer?

What images in your email?
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 29, 2010, 06:29:18 PM
Yep, using IE 7

I am missing all of my email messages.  Those stored within Outlook Express folders before the infection.
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 29, 2010, 06:45:17 PM
I'm not sure about the email. You might ask in the Software Forum if anyone knows of a good free recovery program.

Here are a few you can try. From here http://www.computerhope.com/forum/index.php/topic,66522.0.html

Free recovery software.

Commercial recovery software will increase the chances of recovering important data. It's not free but can be well worth the price.
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 29, 2010, 06:51:26 PM
The email issue is not a big deal for me. I'm just happy to have access to the files/pics/programs on my desktop more than anything else.

I uninstalled JAVA, then reinstalled. Secunia Software Inspector worked! SSI showed two necessary updates: one to Adobe Flash Player (completed without issues) and Adobe Reader. During the Reader update, I am prompted with an error message. Rather than type it verbatim, I have included a JPEG. When I click OK, the installation rolls back and ceases installing. Is this related to the previous issues?

[Saving space, attachment deleted by admin]
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 29, 2010, 07:05:58 PM
Try using Revo to uninstall Adobe Reader. Be sure to restart the computer before installing the new version.

Download Revo Uninstaller (http://majorgeeks.com/Revo_Uninstaller_d5706.html)

* Open Revo and let the list populate (can take several seconds to finish).
* Right click what you want to uninstall and choose Uninstall
* Next choose Advanced then click Next
* This will (try to) launch the program's built-in uninstaller and go through the normal uninstall process.
* If the uninstaller fails just continue on with the Revo instructions.
* Once complete: In Revo Uninstaller click Next and Revo will scan the registry for leftovers.
* This scan can take several seconds.
* Once the results are shown look at each one to ensure they are all related to the program that was uninstalled.
* Choose Select All then click Delete
* Click Next and Revo will scan for any files or folders that were not removed.
* If any files/folders are found choose Select all > Delete


New version. http://get.adobe.com/reader/

Note! Be sure to uncheck Free McAfee Security Scan Plus (optional) before starting the download.
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 29, 2010, 07:33:42 PM
Turns out that the error message I receive when updating to Reader 8.2 is the same one I receive when attempting to uninstall Reader 8.1.1. If I "OK" out of it and let the rest of the uninstall continue, I get 395 leftover files and REG entries. Is it possible to need to uninstall this many entries???

Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 29, 2010, 07:40:21 PM
If you use Revo it should get all of the leftovers.
Title: Re: System Security 2009 recovery?
Post by: Zippy2 on January 30, 2010, 11:30:58 AM
Things are looking pretty good here on my end.

Evil, I want to thank you for all of your diligent work on this issue. I sincerely appreciate the time and effort you put into helping me resolve this!

You are FANTASTIC!

Yours,
Zippy2
Title: Re: System Security 2009 recovery?
Post by: evilfantasy on January 30, 2010, 11:56:46 AM
You're welcome.

Safe surfing..