
Topic: Requesting help to clean PC


UnderAttack

    Topic Starter


    Rookie
    • Experience: Experienced
    • OS: Linux variant
    Requesting help to clean PC
    « on: January 03, 2011, 03:55:18 AM »
    Hi,

    I am hoping you will help me clean a PC given to me to fix.  I have followed the steps for this forum before posting, but slightly out of order as I started trying to clean it before coming here.

    The original symptoms were fake anti-virus popups.  The pre-post instructions have got rid of those symptoms.  I believe there is still something nasty on here, the only symptom I can currently see is detailed below related to AVG.

    Initially I did not connect the machine to my network and ran a full scan with the already installed, slightly out of date, AVG which found PSU.Delf.FPM.  I then connected it to the Internet, updated AVG and installed, updated and ran Malwarebytes.  Malwarebytes found some nasties and AVG plucked some to its virus vault.

    The version of AVG on the system is 8.5.449, although the actual GUI looks like the latest version and it is not complaining about being out of date.  When I used to use Windows I recall that AVG needed reinstalling with the next version each year, so after (thinking) I had cleaned the PC I tried to uninstall this AVG to install the latest version.  When I do this I get an ugly message:

    Local machine: installation failed
        Initialization:
            Error: Connecting to item registry root HKCU (f**kyou) failed.
                Error 0x80070005

    The message wasn't starred out on the system, by the way.  This is the only symptom I am able to see on the system at the moment and is still present after following the full pre-post instructions.

    I then started following all your pre-post instructions in order, including running Malwarebytes again, which came up clean, so I included the earlier log instead.  This is a multiuser machine and SuperAntiSpyware found cookies from other places, including an old backup of the system.  I deleted references to cookies out of the log files because they were so long.  If this is wrong please let me know because I have the original log files still.
     
    I also turned off the system restore so that would get deleted, I don't recall exactly at what stage I did that.  Sorry this post was so verbose, I wasn't sure which information was important.

    UnderAttack
      Re: Requesting help to clean PC
      « Reply #1 on: January 03, 2011, 03:55:43 AM »
      Malwarebytes' Anti-Malware 1.50.1.1100
      www.malwarebytes.org

      Database version: 5443

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 6.0.2900.5512

      02/01/2011 18:38:46
      mbam-log-2011-01-02 (18-38-46).txt

      Scan type: Quick scan
      Objects scanned: 192822
      Time elapsed: 12 minute(s), 22 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 1
      Folders Infected: 0
      Files Infected: 6

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      c:\WINDOWS\system32\dll.dll (Trojan.Agent) -> Quarantined and deleted successfully.
      c:\documents and settings\David\local settings\Temp\msitcm.cpl (Trojan.Downloader) -> Quarantined and deleted successfully.
      c:\documents and settings\David\local settings\Temp\_32.tmp (Trojan.FakeAV) -> Quarantined and deleted successfully.
      c:\documents and settings\David\local settings\Temp\_33.tmp (Trojan.FakeAV.Gen) -> Quarantined and deleted successfully.
      c:\documents and settings\David\local settings\Temp\libmhcklq\aialimuaffm.exe (Trojan.FakeAV.Gen) -> Quarantined and deleted successfully.
      c:\WINDOWS\system32\crt.dat (Malware.Trace) -> Quarantined and deleted successfully.

      UnderAttack
        Re: Requesting help to clean PC
        « Reply #2 on: January 03, 2011, 03:56:01 AM »
        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 01/03/2011 at 01:11 AM

        Application Version : 4.47.1000

        Core Rules Database Version : 6114
        Trace Rules Database Version: 3926

        Scan type       : Complete Scan
        Total Scan Time : 03:00:48

        Memory items scanned      : 421
        Memory threats detected   : 0
        Registry items scanned    : 6622
        Registry threats detected : 0
        File items scanned        : 154410
        File threats detected     : 880

        Adware.Tracking Cookie
           **** Nearly 900 lines of cookies were here, removed but saved if needed ****
           
           
        Trojan.Agent/Gen-Krpytik
           C:\PROGRAM FILES\WINRAR\FORMATS\ACE.FMT
           C:\PROGRAM FILES\WINRAR\FORMATS\ARJ.FMT
           C:\PROGRAM FILES\WINRAR\FORMATS\CAB.FMT
           C:\PROGRAM FILES\WINRAR\FORMATS\GZ.FMT
           C:\PROGRAM FILES\WINRAR\FORMATS\LZH.FMT
           C:\PROGRAM FILES\WINRAR\FORMATS\TAR.FMT
           C:\PROGRAM FILES\WINRAR\FORMATS\UUE.FMT
           C:\PROGRAM FILES\WINRAR\WINCON.SFX

        BearShare File Sharing Client
           D:\#BACKUP\C_DRIVE_27022008\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE

        UnderAttack
          Re: Requesting help to clean PC
          « Reply #3 on: January 03, 2011, 03:56:18 AM »
          Logfile of Trend Micro HijackThis v2.0.4
          Scan saved at 01:45:29, on 03/01/2011
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\WINDOWS\system32\nvsvc32.exe
          C:\WINDOWS\system32\HPZipm12.exe
          C:\Program Files\RealVNC\VNC4\WinVNC4.exe
          C:\PROGRA~1\AVG\AVG8\avgemc.exe
          C:\PROGRA~1\AVG\AVG8\avgrsx.exe
          C:\Program Files\AVG\AVG8\avgcsrvx.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
          C:\PROGRA~1\AVG\AVG8\avgtray.exe
          C:\Program Files\Common Files\Java\Java Update\jusched.exe
          C:\Program Files\Messenger\msmsgs.exe
          C:\Program Files\OpenOffice.org 3\program\soffice.exe
          C:\Program Files\OpenOffice.org 3\program\soffice.bin
          C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Program Files\HJT\sniper.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
          R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
          O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
          O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
          O4 - Global Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
          O17 - HKLM\System\CCS\Services\Tcpip\..\{03099802-BE23-40CC-AED5-66231B4EE118}: NameServer = 192.168.1.254
          O17 - HKLM\System\CS1\Services\Tcpip\..\{03099802-BE23-40CC-AED5-66231B4EE118}: NameServer = 192.168.1.254
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
          O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
          O20 - Winlogon Notify: cryptnet32 - cryptnet32.dll (file missing)
          O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
          O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
          O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
          O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
          O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
          O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
          O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

          --
          End of file - 4828 bytes
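The HijackThis log above carries two O20 Winlogon Notify entries whose DLL is reported as (file missing), and one O4 Run entry that names its executable without a path. The script below is an added triage example for this thread, not a HijackThis feature and not code from either poster: it parses O4 and O20 lines and flags targets that are missing, unqualified, or launched from a temp or per-user profile directory. The sample lines are excerpted from the log above; the directory list and the reason wording are this example's own heuristics.

```python
"""Triage HijackThis-style log lines: flag autostart entries whose target is
missing or unqualified. Added example for this thread, not a HijackThis
feature; the sample lines are excerpted from the log posted above."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: cryptnet32 - cryptnet32.dll (file missing)
"""

# O20: Winlogon Notify packages; the DLL is loaded into winlogon.exe at logon.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
# O4: Run-key autostarts, written as "[value name] command line".
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Directories an autostart rarely has a legitimate reason to run from (heuristic).
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


def _executable(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _unqualified(path):
    # No directory component: resolved through the DLL search path or PATH.
    return "\\" not in path and "/" not in path


def triage(log_text):
    """Return a Finding for every O4/O20 line that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            reasons = []
            if m.group("missing"):
                reasons.append("file missing: orphaned Notify entry, still attempted at every logon")
            if _unqualified(m.group("dll")):
                reasons.append("unqualified DLL name, resolved through the DLL search path")
            if reasons:
                findings.append(Finding("O20", m.group("name"), m.group("dll"), reasons))
            continue
        m = O4_RE.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            reasons = []
            if _unqualified(exe):
                reasons.append("unqualified executable name, resolved through PATH")
            if any(d in exe.lower() for d in SUSPECT_DIRS):
                reasons.append("autostart from a temp or per-user profile directory")
            if reasons:
                findings.append(Finding("O4", m.group("name"), exe, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s %-14s %s" % (f.section, f.name, f.target))
        for r in f.reasons:
            print("    - " + r)
```

Run against the sample it reports both missing-file Notify entries and the unqualified nwiz entry, and stays silent on the fully qualified AVG and QuickTime entries. A missing Notify DLL is worth chasing even when it is harmless residue, because winlogon.exe tries to load it at every logon; the ComboFix report later in this thread lists the avgrsstarter entry under "ORPHANS REMOVED".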

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: Requesting help to clean PC
          « Reply #4 on: January 03, 2011, 01:34:10 PM »
          Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

          1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
          2. The fixes are specific to your problem and should only be used for this issue on this machine.
          3. If you don't know or understand something, please don't hesitate to ask.
          4. Please DO NOT run any other tools or scans while I am helping you.
          5. It is important that you reply to this thread. Do not start a new topic.
          6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
          7. Absence of symptoms does not mean that everything is clear.

          Please turn on your System Restore. An infected Restore Point is better than none.

          You have BearShare in your backup drive. It should be removed from the backup drive as well as the C drive.
          D:\#BACKUP\C_DRIVE_27022008\PROGRAM FILES\BEARSHARE

          Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

          Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

          Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

          Exit out of MessengerDisable then delete the two files that were put on the desktop.
          ******************************************
          This next scan will not run while AVG is on your computer. Please download a new Anti-Virus program from the list below and install it. I would recommend Microsoft Security Essentials. Next, please remove AVG by running the AVG Removal Tool below.

          Remember to only install one antivirus!
           
          1) Avast! Home Edition
          2) AVG Free Edition
          3) Avira AntiVir Personal
          4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
          4-a) Microsoft Security Essentials for Windows XP
          5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
          6) PC Tools AntiVirus Free Edition

          It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
          **********************************************
          AVG Antivirus - AVG Antivirus Remover utility

          Please download ComboFix from BleepingComputer.com

          Alternate link: GeeksToGo.com

          Rename ComboFix.exe to commy.exe before you save it to your Desktop
          Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
          Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


          Click on Yes, to continue scanning for malware.
          When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

          If you have problems with ComboFix usage, see How to use ComboFix

            UnderAttack
            Re: Requesting help to clean PC
            « Reply #5 on: January 03, 2011, 05:21:40 PM »
            Hi Dave,

            Thanks for your time so far.  Are you by any chance the SuperDave from the diabloii.net forums?

            Here is what I have done, and the requested log file follows.

            I re-enabled the system restore.

            I deleted the bearshare folder from the backup location (one of the tools had already removed the exe file), it is not present on the C: drive.  The backup is actually a backup of an old hard disk from before a re-install.

            I ran the Remove Windows Messenger tool as instructed, no problems.

            I installed Avast which went fine, then ran the AVG removal tool.  After a reboot and a bit more work from the AVG tool I was back at the desktop, but Avast no longer worked.  Clicking the 'Fix' button in the Avast interface did nothing.  As the next step was to disable AV products before running combofix anyway, I proceeded with combofix.

            After running combofix Avast still doesn't work.  Can I reinstall AVG now combofix is done?
            « Last Edit: January 03, 2011, 05:31:41 PM by UnderAttack »

              UnderAttack
              Re: Requesting help to clean PC
              « Reply #6 on: January 03, 2011, 05:22:05 PM »
              ComboFix 11-01-03.01 - General 03/01/2011  23:55:24.1.1 - x86
              Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.479.163 [GMT 0:00]
              Running from: c:\documents and settings\General\desktop\commy.exe
              Command switches used :: /stepdel
              FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\windows\AutoRun.ini
              c:\windows\system32\arp.exe
              c:\windows\system32\install.exe
              c:\windows\system32\SCardSvr.exe
              c:\windows\system32\shimg.dll
              d:\documents\david\rdplus.net.DUN

              .
              (((((((((((((((((((((((((   Files Created from 2010-12-04 to 2011-01-04  )))))))))))))))))))))))))))))))
              .

              2011-01-03 22:45 . 2010-12-31 20:00   293968   ----a-w-   c:\windows\system32\drivers\aswSP.sys
              2011-01-03 22:45 . 2010-12-31 19:59   47440   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
              2011-01-03 22:45 . 2010-12-31 19:56   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
              2011-01-03 22:43 . 2010-12-31 20:06   38848   ----a-w-   c:\windows\avastSS.scr
              2011-01-03 22:43 . 2010-12-31 20:06   188216   ----a-w-   c:\windows\system32\aswBoot.exe
              2011-01-03 22:29 . 2010-12-31 19:56   23632   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
              2011-01-03 22:27 . 2010-12-31 19:59   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
              2011-01-03 22:27 . 2010-12-31 19:59   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
              2011-01-03 22:26 . 2010-12-31 19:56   29264   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
              2011-01-03 22:23 . 2011-01-03 22:43   --------   d-----w-   c:\program files\Alwil Software
              2011-01-03 22:23 . 2011-01-03 22:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
              2011-01-03 10:23 . 2011-01-03 10:23   --------   d-----w-   c:\documents and settings\General\Local Settings\Application Data\Help
              2011-01-03 09:50 . 2011-01-03 10:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
              2011-01-03 09:50 . 2011-01-03 09:50   --------   d-----w-   c:\documents and settings\General\Application Data\OnlineArmor
              2011-01-03 09:50 . 2010-07-07 12:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
              2011-01-03 09:50 . 2010-07-07 12:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
              2011-01-03 09:50 . 2010-07-07 12:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
              2011-01-03 09:50 . 2011-01-03 09:50   --------   d-----w-   c:\program files\Emsisoft
              2011-01-03 01:33 . 2011-01-03 01:33   388096   ----a-r-   c:\documents and settings\General\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
              2011-01-03 01:33 . 2011-01-03 01:45   --------   d-----w-   c:\program files\HJT
              2011-01-02 22:27 . 2010-11-12 18:53   472808   ----a-w-   c:\windows\system32\deployJava1.dll
              2011-01-02 22:27 . 2010-11-12 18:53   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
              2011-01-02 22:03 . 2011-01-02 22:03   --------   d-----w-   c:\documents and settings\General\Application Data\SUPERAntiSpyware.com
              2011-01-02 22:03 . 2011-01-02 22:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
              2011-01-02 22:02 . 2011-01-02 22:03   --------   d-----w-   c:\program files\SUPERAntiSpyware
              2011-01-02 21:48 . 2011-01-02 21:48   --------   d-----w-   c:\program files\CCleaner
              2011-01-02 18:43 . 2011-01-02 18:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
              2011-01-02 18:08 . 2011-01-02 18:08   --------   d-----w-   c:\documents and settings\General\Application Data\Malwarebytes
              2011-01-02 18:08 . 2011-01-02 18:44   --------   d-----w-   c:\documents and settings\General\Application Data\VMware
              2011-01-02 18:07 . 2010-12-20 18:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2011-01-02 18:07 . 2011-01-02 18:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
              2011-01-02 18:07 . 2011-01-02 18:08   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
              2011-01-02 18:07 . 2010-12-20 18:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2010-12-16 16:41 . 2010-11-02 15:17   40960   -c----w-   c:\windows\system32\dllcache\ndproxy.sys
              2010-12-16 16:40 . 2010-10-11 14:59   45568   -c----w-   c:\windows\system32\dllcache\wab.exe

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-11-18 18:12 . 2009-01-22 11:24   81920   ----a-w-   c:\windows\system32\isign32.dll
              2010-11-12 16:34 . 2008-02-27 18:44   73728   ----a-w-   c:\windows\system32\javacpl.cpl
              2010-11-05 05:05 . 2009-01-22 11:23   667136   ----a-w-   c:\windows\system32\wininet.dll
              2010-11-02 15:17 . 2009-01-22 11:23   40960   ----a-w-   c:\windows\system32\drivers\ndproxy.sys
              2010-10-28 13:13 . 2009-01-22 11:24   290048   ----a-w-   c:\windows\system32\atmfd.dll
              2010-10-26 13:25 . 2009-01-22 11:23   1853312   ----a-w-   c:\windows\system32\win32k.sys
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 131072]
              "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
              "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
              "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-01-10 4263936]
              "nwiz"="nwiz.exe" [2003-01-10 315392]
              "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
              "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-07 6854984]
              "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-12-31 3395600]

              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
              "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
              "EnableFirewall"= 0 (0x0)

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
              "c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
              "c:\\WINDOWS\\system32\\sessmgr.exe"=
              "d:\\music\\LimeWire\\LimeWire.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "%windir%\\system32\\sessmgr.exe"=

              R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [03/01/2011 22:45 293968]
              R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [03/01/2011 09:50 236104]
              R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [03/01/2011 09:50 22600]
              R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [03/01/2011 09:50 28232]
              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
              R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03/01/2011 22:45 17744]
              R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [03/01/2011 09:50 1283400]
              R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [03/01/2011 09:50 3364680]
              .
              Contents of the 'Scheduled Tasks' folder
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = about:blank
              uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
              TCP: {03099802-BE23-40CC-AED5-66231B4EE118} = 192.168.1.254
              FF - ProfilePath - c:\documents and settings\General\Application Data\Mozilla\Firefox\Profiles\26jafrot.default\
              FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
              FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
              FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
              FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
              FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
              .
              .
              ------- File Associations -------
              .
              .txt=UltraEdit.txt
              .
              - - - - ORPHANS REMOVED - - - -

              Notify-avgrsstarter - avgrsstx.dll



              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2011-01-04 00:10
              Windows 5.1.2600 Service Pack 3 NTFS

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(492)
              c:\program files\SUPERAntiSpyware\SASWINLO.DLL
              .
              Completion time: 2011-01-04  00:15:25
              ComboFix-quarantined-files.txt  2011-01-04 00:15

              Pre-Run: 1,833,848,832 bytes free
              Post-Run: 3,556,343,808 bytes free

              WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
              [boot loader]
              timeout=2
              default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
              [operating systems]
              c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
              UnsupportedDebug="do not select this" /debug
              multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

              - - End Of File - - CE11369B949B2414924CBE44388B9D19
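The ComboFix report above includes the Windows Firewall policy for the standard profile as a REGEDIT4-style excerpt (the EnableFirewall value and the AuthorizedApplications list). The script below is an added example for this thread, not ComboFix's own code and not code from either poster: it parses that excerpt, unescaping the doubled backslashes REGEDIT4 uses, and reports the firewall state and every inbound exception. The sample text is copied from the log above; the "outside %windir% and Program Files" heuristic is this example's own assumption about where an exception is worth a closer look.

```python
"""Parse the REGEDIT4-style firewall policy block that ComboFix prints and
report what it says. Added example; the sample text is copied from the
ComboFix log in this thread, and the path heuristic is this example's own."""
import re

SAMPLE = r"""
REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\music\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data ; the name may contain escaped backslashes (\\) and quotes (\")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"\s*=\s*(?P<data>.*)$')

# Locations an inbound exception is expected to point at (heuristic).
TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")


def _unescape(s):
    # REGEDIT4 doubles backslashes inside quoted strings
    return s.replace("\\\\", "\\")


def parse_regedit(text):
    """Return {key: {value_name: raw_data}} for a REGEDIT4-style dump."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            reg[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            reg[current][_unescape(m.group("name"))] = m.group("data").strip()
    return reg


def _find_key(reg, suffix):
    suffix = suffix.lower()
    for key in reg:
        if key.lower().endswith(suffix):
            return key
    return None


def firewall_enabled(reg, profile="standardprofile"):
    """True/False from EnableFirewall, None if the value is not present."""
    key = _find_key(reg, "firewallpolicy\\" + profile)
    if key is None or "EnableFirewall" not in reg[key]:
        return None
    m = re.match(r"\d+", reg[key]["EnableFirewall"])  # ComboFix prints "0 (0x0)"
    return bool(int(m.group(0))) if m else None


def authorized_apps(reg, profile="standardprofile"):
    """Paths listed under AuthorizedApplications\\List for the profile."""
    key = _find_key(reg, profile + "\\authorizedapplications\\list")
    return list(reg[key]) if key else []


def review(reg, profile="standardprofile"):
    """Human-readable findings: firewall state first, then each exception."""
    findings = []
    if firewall_enabled(reg, profile) is False:
        findings.append("Windows Firewall is disabled for the %s" % profile)
    for app in authorized_apps(reg, profile):
        note = "inbound exception for " + app
        if not app.lower().startswith(TRUSTED_PREFIXES):
            note += " (outside %windir% and Program Files)"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for line in review(parse_regedit(SAMPLE)):
        print(line)
```

With the firewall switched off the exception list is moot, but it is still the record of what the profile will admit once the firewall is turned back on; a VNC server and a P2P client on that list are exactly the entries to re-examine after the cleanup.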

              SuperDave
              Re: Requesting help to clean PC
              « Reply #7 on: January 04, 2011, 04:51:51 PM »
              Quote: "Are you by any chance the SuperDave from the diabloii.net forums?"
              Not me!
              Quote: "Can I reinstall AVG now combofix is done?"
              I would recommend Microsoft Security Essentials. Very good and less of a hassle.

              SysProt Antirootkit

              Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

              http://sites.google.com/site/sysprotantirootkit/

              Unzip it into a folder on your desktop.
              • Double click Sysprot.exe to start the program.
              • Click on the Log tab.
              • In the Write to log box select the following items.
                • Process << Selected
                • Kernel Modules << Selected
                • SSDT << Selected
                • Kernel Hooks << Selected
                • IRP Hooks << NOT Selected
                • Ports << NOT Selected
                • Hidden Files << Selected
              • At the bottom of the page
                • Hidden Objects Only << Selected
              • Click on the Create Log button on the bottom right.
              • After a few seconds a new window should appear.
              • Select Scan Root Drive. Click on the Start button.
              • When it is complete a new window will appear to indicate that the scan is finished.
              • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

              UnderAttack

                Re: Requesting help to clean PC
                « Reply #8 on: January 06, 2011, 09:34:47 AM »
                Hi, thanks for your continued help.  I tried to reinstall AVG while Avast was still installed (but still not working), but the installer refused to run while Avast was installed.  I uninstalled Avast and rebooted, but was unable to install AVG.  It got to the end and came up with this message (copied from Windows event log):

                Product: AVG 2011 -- Error 27046. CA_Error 27046: DriverInstallationFun: Driver installation failed: 0x00000000

                I'm kind of tempted to make a decontamination PC and add the hard disk from this infected PC so I can do an offline scan of the disk.  Would this help in finding rootkit type stuff?

                Requested log from SysProt follows.

                UnderAttack

                  Re: Requesting help to clean PC
                  « Reply #9 on: January 06, 2011, 09:35:09 AM »
                  SysProt AntiRootkit v1.0.1.0
                  by swatkat

                  ******************************************************************************************
                  ******************************************************************************************

                  No Hidden Processes found

                  ******************************************************************************************
                  ******************************************************************************************
                  Kernel Modules:
                  Module Name: \SystemRoot\System32\Drivers\dump_nvatabus.sys
                  Service Name: ---
                  Module Base: A9F58000
                  Module End: A9F6C000
                  Hidden: Yes

                  Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                  Service Name: ---
                  Module Base: F79B5000
                  Module End: F79B7000
                  Hidden: Yes

                  ******************************************************************************************
                  ******************************************************************************************
                  SSDT:
                  Function Name: ZwAllocateVirtualMemory
                  Address: B24D5ED0
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwAssignProcessToJobObject
                  Address: B24D6700
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwConnectPort
                  Address: B24D3DA0
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreateFile
                  Address: B24E39C0
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreatePort
                  Address: B24D38E0
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreateProcess
                  Address: B24D0620
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreateProcessEx
                  Address: B24D0A30
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreateSection
                  Address: B24CFEF0
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwCreateThread
                  Address: B24D1F20
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwDebugActiveProcess
                  Address: B24D2B90
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwDuplicateObject
                  Address: B24D36F0
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwLoadDriver
                  Address: B24D5490
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwOpenFile
                  Address: B24E4040
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwOpenProcess
                  Address: B24D1A20
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwOpenSection
                  Address: B24D0310
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwOpenThread
                  Address: B24D2420
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwProtectVirtualMemory
                  Address: B24D6350
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwQueryDirectoryFile
                  Address: B24D5A70
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwQueueApcThread
                  Address: B24D68A0
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwRequestPort
                  Address: B24D49A0
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwRequestWaitReplyPort
                  Address: B24D4F90
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwRestoreKey
                  Address: B24E3550
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwResumeThread
                  Address: B24D3340
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwSecureConnectPort
                  Address: B24D4190
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwSetContextThread
                  Address: B24D2970
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwSetSystemInformation
                  Address: B24D2D30
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwShutdownSystem
                  Address: B24D5370
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwSuspendProcess
                  Address: B24D3520
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwSuspendThread
                  Address: B24D3130
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwSystemDebugControl
                  Address: B24D2F40
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwTerminateProcess
                  Address: B24D1C80
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwTerminateThread
                  Address: B24D2760
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwUnloadDriver
                  Address: B24D5780
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  Function Name: ZwWriteVirtualMemory
                  Address: B24D6520
                  Driver Base: B24B7000
                  Driver End: B2505000
                  Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                  ******************************************************************************************
                  ******************************************************************************************
                  No Kernel Hooks found

                  ******************************************************************************************
                  ******************************************************************************************
                  Hidden files/folders:
                  Object: C:\Qoobox\BackEnv\AppData.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Cache.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Cookies.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Desktop.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Favorites.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\History.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Music.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\NetHood.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Personal.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Pictures.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Programs.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Recent.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\SendTo.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\SetPath.bat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\StartUp.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\SysPath.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Templates.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\VikPev00
                  Status: Access denied
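Reading a SysProt log by hand is slow: every SSDT entry takes five lines and the log above has 34 of them. What a reviewer actually wants is the hooks grouped by the driver that owns them, plus the hidden modules and hidden objects, so that a single known driver owning every hook can be recognised at a glance. The parser below is an added example for this thread, not part of SysProt or of the forum post; it runs on a constructed excerpt of the log above (a few entries, with single separator rows where the real log doubles them). The idea that modules named dump_* are expected to be missing from the loaded-module list is my assumption, not a SysProt feature: those are the crash-dump copies of the disk stack that Windows keeps loaded separately, and anti-rootkit tools routinely report them as hidden.

```python
from collections import defaultdict

# Constructed excerpt in the SysProt AntiRootkit log format posted above
# (a handful of its entries; the real log repeats each separator row twice).
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat
****************************
No Hidden Processes found
****************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_nvatabus.sys
Service Name: ---
Module Base: A9F58000
Module End: A9F6C000
Hidden: Yes
****************************
SSDT:
Function Name: ZwCreateFile
Address: B24E39C0
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

Function Name: ZwOpenProcess
Address: B24D1A20
Driver Base: B24B7000
Driver End: B2505000
Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys
****************************
No Kernel Hooks found
****************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied
"""

# Assumption (mine, not SysProt's): modules with these name prefixes are expected
# to be absent from the loaded-module list (dump_* is the crash-dump disk stack).
EXPECTED_HIDDEN_PREFIXES = ("dump_",)


def _split_sections(text):
    """Split the log into groups of lines delimited by rows of asterisks."""
    groups, current = [], []
    for line in text.splitlines():
        if line.startswith("****"):
            if any(l.strip() for l in current):
                groups.append(current)
            current = []
        else:
            current.append(line.rstrip())
    if any(l.strip() for l in current):
        groups.append(current)
    return groups


def parse_sysprot(text):
    """Return {'tool': str, 'notes': [str], 'sections': {name: [record, ...]}}."""
    groups = _split_sections(text)
    report = {"tool": groups[0][0].strip(), "notes": [], "sections": {}}
    for lines in groups[1:]:
        name, records, rec = None, [], {}
        for line in lines:
            if not line:                          # a blank line ends a record
                if rec:
                    records.append(rec)
                    rec = {}
                continue
            key, sep, value = line.partition(":")
            if not sep:                           # e.g. "No Hidden Processes found"
                report["notes"].append(line.strip())
            elif not value.strip() and not rec:   # "SSDT:" style section title
                name = key.strip()
            else:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
        if name:
            report["sections"][name] = records
    return report


def triage(report):
    """Group SSDT hooks by owning driver; list hidden modules and hidden objects."""
    hooks = defaultdict(list)
    for r in report["sections"].get("SSDT", []):
        hooks[r.get("Driver Name", "<unknown>")].append(r.get("Function Name", "?"))
    hidden = [r["Module Name"] for r in report["sections"].get("Kernel Modules", [])
              if r.get("Hidden") == "Yes"]
    unexpected = [m for m in hidden
                  if not m.rsplit("\\", 1)[-1].lower().startswith(EXPECTED_HIDDEN_PREFIXES)]
    objects = [(r["Object"], r.get("Status", ""))
               for r in report["sections"].get("Hidden files/folders", [])]
    return {"hooks_by_driver": dict(hooks), "hidden_modules": hidden,
            "unexpected_hidden_modules": unexpected, "hidden_objects": objects,
            "notes": report["notes"]}


if __name__ == "__main__":
    result = triage(parse_sysprot(SAMPLE_LOG))
    for driver, fns in result["hooks_by_driver"].items():
        print(f"{driver}: {len(fns)} SSDT hook(s) -> {', '.join(fns)}")
    print("hidden modules:", result["hidden_modules"], "unexpected:", result["unexpected_hidden_modules"])
    print("hidden objects:", result["hidden_objects"])
```

Run over the full log above, all 34 hooks resolve to one driver, OADriver.sys, which to my knowledge is the Online Armor firewall's driver, and every "hidden" object sits under C:\Qoobox, the quarantine folder of the ComboFix run earlier in the thread, which ComboFix protects against access. That is the picture behind SuperDave's reading that the log shows nothing; what would warrant a closer look is a hook owner the reviewer cannot place, hooks spread across several drivers, or a hidden module outside the expected list.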


                  SuperDave

                  Re: Requesting help to clean PC
                  « Reply #10 on: January 06, 2011, 12:33:14 PM »
                  Quote
                  I'm kind of tempted to make a decontamination PC and add the hard disk from this infected PC so I can do an offline scan of the disk.  Would this help in finding rootkit type stuff?
                  No. There's no need to do that. I'm not finding anything in these logs.

                  Quote
                  tried to reinstall AVG while Avast was still installed (but still not working), but the installer refused to run while Avast was installed.  I uninstalled Avast and rebooted, but was unable to install AVG.  It got to the end and came up with this message (copied from Windows event log):
                  Please download and install MicroSoft Security Essentials and then run these tools to get rid of AVG and Avast.

                  AVG Antivirus - AVG Antivirus Remover utility

                  Avira antivirus - Instructions for manual uninstallation of Avira

                  I'd like to scan your machine with ESET OnlineScan

                  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                  ESET OnlineScan
                  • Click the button.
                  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                    • Click on to download the ESET Smart Installer. Save it to your desktop.
                    • Double click on the icon on your desktop.
                  • Check
                  • Click the button.
                  • Accept any security warnings from your browser.
                  • Check
                  • Push the Start button.
                  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                  • When the scan completes, push
                  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                  • Push the button.
                  • Push
                  A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                  UnderAttack

                    Re: Requesting help to clean PC
                    « Reply #11 on: January 09, 2011, 10:36:05 AM »
                    Hi,

                    Sorry for the long delay in my reply, I've been ill.  Unfortunately I messed up when following your instructions and I didn't save the log from ESET.  I ran it again to see if that would help but there was no save log option.

                    When it ran the first time it did find 1 threat, which it called:

                    Win32/Toolbar.AskSBar

                    I looked in the quarantine and this was the path to the file:

                    D:\iso\Nero-6.6.1.1c_wch.exe

                    Thanks

                    SuperDave

                    Re: Requesting help to clean PC
                    « Reply #12 on: January 09, 2011, 07:24:33 PM »
                    I hope you're feeling better. How's your computer working now? Any other issues?

                    UnderAttack

                      Re: Requesting help to clean PC
                      « Reply #13 on: January 12, 2011, 02:45:48 PM »
                      Hi,

                      Thanks, I'm mostly better.  Sorry for the slow update, have had to catch up on my work after being ill.

                      The computer seems generally ok.  After it has been logged in for a few minutes it comes up with an error about jusched.exe, with the Windows error reporting window.  I don't know if it was doing this before or not, but I did follow the Java clean/update instructions so hopefully it would be a fresh install.

                      This is a multi-user system and I've been using a mostly unused user account to do these scans.  I logged in with one of the main accounts, where the problems first surfaced, and ran a Malwarebytes scan only, log follows.  I also ran that scan on the other main user account but it was clean.

                      Other than that it seems to be behaving itself - thank you so much :)

                      UnderAttack

                        Re: Requesting help to clean PC
                        « Reply #14 on: January 12, 2011, 02:46:31 PM »
                        Malwarebytes' Anti-Malware 1.50.1.1100
                        www.malwarebytes.org

                        Database version: 5499

                        Windows 5.1.2600 Service Pack 3
                        Internet Explorer 6.0.2900.5512

                        10/01/2011 22:25:10
                        mbam-log-2011-01-10 (22-25-01).txt

                        Scan type: Quick scan
                        Objects scanned: 175546
                        Time elapsed: 4 minute(s), 58 second(s)

                        Memory Processes Infected: 0
                        Memory Modules Infected: 0
                        Registry Keys Infected: 1
                        Registry Values Infected: 1
                        Registry Data Items Infected: 1
                        Folders Infected: 0
                        Files Infected: 0

                        Memory Processes Infected:
                        (No malicious items detected)

                        Memory Modules Infected:
                        (No malicious items detected)

                        Registry Keys Infected:
                        HKEY_CURRENT_USER\SOFTWARE\qnpn7rjv93lf (Trojan.FakeAlert) -> No action taken.

                        Registry Values Infected:
                        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nifvaksn (Trojan.FakeAlert.Gen) -> Value: nifvaksn -> No action taken.

                        Registry Data Items Infected:
                        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

                        Folders Infected:
                        (No malicious items detected)

                        Files Infected:
                        (No malicious items detected)
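The log above was written at the end of the scan, before anything was removed, which is what the "No action taken" at the end of each detection line records. The parser below is an added example for this thread, not part of Malwarebytes or of the post; it reads this log format (the sample input is the log above, embedded verbatim), checks that the summary counts agree with the detection lines actually listed, and pulls out two things a reviewer wants: detections that are still unresolved, and autostart entries under HKEY_CURRENT_USER. That second list explains why the other accounts came back clean: a Run value under HKCU lives in the hive of the profile that was logged in when the scan ran, and only fires for that user. The helper names are mine; the key and value names are the page's own.

```python
import re

# The Malwarebytes log posted above, used verbatim as the sample input.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5499

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10/01/2011 22:25:10
mbam-log-2011-01-10 (22-25-01).txt

Scan type: Quick scan
Objects scanned: 175546
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\qnpn7rjv93lf (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nifvaksn (Trojan.FakeAlert.Gen) -> Value: nifvaksn -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+): (.+)$")          # "Scan type: Quick scan"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")    # "Registry Keys Infected:"
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\)$")


def parse_mbam_log(text):
    """Return {'fields': {...}, 'summary': {section: count}, 'detections': [...]}."""
    report = {"fields": {}, "summary": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:                       # header and summary block
            m = FIELD_RE.match(line)
            if m and m.group(1).endswith("Infected"):
                report["summary"][m.group(1)] = int(m.group(2))
            elif m:
                report["fields"][m.group(1)] = m.group(2)
            continue
        # Detection line: "<path> (<threat>) [-> <detail>]* -> <action>."
        parts = line.split(" -> ")
        m = DETECTION_RE.match(parts[0])
        if m is None:
            continue                              # unrecognised line, skip it
        report["detections"].append({"section": section, "path": m.group("path"),
                                     "threat": m.group("threat"), "details": parts[1:-1],
                                     "action": parts[-1].rstrip(".")})
    return report


def unresolved(report):
    """Detections the scan only reported; nothing was quarantined or removed."""
    return [d for d in report["detections"] if d["action"] == "No action taken"]


def per_user_autostarts(report):
    """Run-key entries under HKCU: they exist in, and fire for, one profile only."""
    return [d for d in report["detections"]
            if d["path"].startswith("HKEY_CURRENT_USER\\")
            and "\\CurrentVersion\\Run\\" in d["path"]]


def summary_consistent(report):
    """True if the per-section counts match the detection lines listed."""
    counted = {name: 0 for name in report["summary"]}
    for d in report["detections"]:
        counted[d["section"]] = counted.get(d["section"], 0) + 1
    return counted == report["summary"]
```

On the log above, unresolved() returns all three findings, so they are still present on the machine until the removal step is run and a second log shows a different action string; per_user_autostarts() returns the nifvaksn Run value, a per-user persistence entry for the fake-alert trojan that a scan from the "mostly unused" account could never have seen.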