
Author Topic: Help with System Tools virus  (Read 36639 times)


hazel312001a

    Topic Starter


    Help with System Tools virus
    « on: January 12, 2011, 06:08:18 PM »
    First of all let me say Thank you to all of you who donate your time and talents to this site to help the less computer literate in the world! (Like myself)

    My issue: The day after Christmas my daughter reported a strange occurrence on her brand new Compaq Netbook Computer CQ10-405DX Intel Atom Windows XP SP3 machine. I knew right away it was a fake program and deeply rooted to be able to block applications and change the background.

    I reviewed this site and proceeded as instructed on http://www.computerhope.com/forum/index.php/topic,46313.0.html. However, I ran into trouble on Step 5: Update Your Java (JRE). Since I was unable to access the internet in Normal mode I used safe mode with networking to do the first 4 steps. But when I got to the Java update the system told me I didn't have the correct permissions.

    I started in normal mode and tried to update my Java version but now it is giving me an install error. So I stopped since the instructions said to do the steps in order. Any ideas on how I can get the Java updated and proceed?

    Thanx again for all you do!

    Gina
     

    geek hoodlum



    Re: Help with System Tools virus
    « Reply #1 on: January 12, 2011, 06:21:57 PM »
    Hi,

    How is your computer running after you did steps 1-4? Can you please post here all the logs so that our experts may analyze and help you.

    In updating your Java, can you please try this and see what will happen:
    Go to Control Panel > Java Plug-in > Update tab > click Update Now
    Then click Java Update in your system tray > click Download > click again Java Update in your system tray > click Install

    [recovering disk space - old attachment deleted by admin]

    hazel312001a

      Topic Starter


      Re: Help with System Tools virus
      « Reply #2 on: January 12, 2011, 07:30:18 PM »
      My computer is running better but really slow. The "System Tools" icon and takeover have stopped, and I can now work in Normal mode.

      I tried what you said about Java but I got this error:
      The system can not find the registry key specified:
      HKEY_LOCAL_MACHINE\SOFTWARE\Javasoft\Java Runtime Environment\1.6.0_18

      Here are the logs from Mbam and SAS

      Malwarebytes' Anti-Malware 1.50.1.1100
      www.malwarebytes.org

      Database version: 5505

      Windows 5.1.2600 Service Pack 3 (Safe Mode)
      Internet Explorer 8.0.6001.18702

      1/11/2011 3:45:32 PM
      mbam-log-2011-01-11 (15-45-32).txt

      Scan type: Quick scan
      Objects scanned: 148861
      Time elapsed: 2 minute(s), 32 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 1
      Registry Data Items Infected: 1
      Folders Infected: 0
      Files Infected: 2

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSN Messanger (Worm.AutoRun) -> Value: MSN Messanger -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      c:\WINDOWS\System.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
      c:\documents and settings\jocey\Desktop\system tool 2011.lnk (Rogue.SystemTool) -> Quarantined and deleted successfully.


      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 01/11/2011 at 03:21 PM

      Application Version : 4.47.1000

      Core Rules Database Version : 6175
      Trace Rules Database Version: 3987

      Scan type       : Complete Scan
      Total Scan Time : 00:56:13

      Memory items scanned      : 284
      Memory threats detected   : 0
      Registry items scanned    : 6467
      Registry threats detected : 1
      File items scanned        : 66725
      File threats detected     : 8

      Trojan.Agent/Gen-FakeSoft
         [fPhCc06305] C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\FPHCC06305\FPHCC06305.EXE
         C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\FPHCC06305\FPHCC06305.EXE

      Adware.Tracking Cookie
         C:\Documents and Settings\jocey\Cookies\jocey@atdmt[2].txt
         C:\Documents and Settings\jocey\Cookies\[email protected][2].txt
         C:\Documents and Settings\jocey\Cookies\jocey@doubleclick[1].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

      Thanx for your help!
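As an added example (not code from the thread, from Computer Hope or from Malwarebytes), here is a Python parser for the MBAM log format pasted above: it reads the summary counts and the detection lines, checks that each summary count matches the items actually listed under it (so a truncated or edited paste is caught before anyone analyses it), and pulls out the Run-key persistence entry. The sample log is constructed from the four detections in the post, with the Windows/IE/date header lines left out.

```python
import re
from collections import Counter, namedtuple

# Constructed, abridged sample in the MBAM 1.50 log format posted in the thread; the four
# detection lines are the ones from the post, the Windows/IE/date header lines are omitted.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5505

Scan type: Quick scan
Objects scanned: 148861
Time elapsed: 2 minute(s), 32 second(s)

Memory Processes Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSN Messanger (Worm.AutoRun) -> Value: MSN Messanger -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\System.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\documents and settings\jocey\Desktop\system tool 2011.lnk (Rogue.SystemTool) -> Quarantined and deleted successfully.
"""

Detection = namedtuple("Detection", "section location family action")

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")  # "Files Infected: 2"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")                 # "Files Infected:"
# "<location> (<family>) -> <details> -> <action>."
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
NONE_MARKER = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return {'version', 'database_version', 'summary': {section: count},
    'detections': [Detection, ...]} for one pasted log."""
    report = {"version": "", "database_version": "", "summary": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line ends the current detail section
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report["version"] = line.rsplit(" ", 1)[1]
            continue
        if line.startswith("Database version:"):
            report["database_version"] = line.split(":", 1)[1].strip()
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"][m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line == NONE_MARKER:
            continue
        m = ITEM_RE.match(line)
        if not m:
            raise ValueError("unrecognised line under %r: %s" % (section, line))
        action = m.group("rest").split(" -> ")[-1].rstrip(".")  # last segment = what MBAM did
        report["detections"].append(
            Detection(section, m.group("location"), m.group("family"), action))
    return report


def check_counts(report):
    """Sections whose summary count disagrees with the items listed under them,
    as {section: (claimed, listed)}; non-empty means the paste was truncated or edited."""
    listed = Counter(d.section for d in report["detections"])
    return {s: (n, listed[s]) for s, n in report["summary"].items() if n != listed[s]}


def autorun_detections(report):
    """Registry detections under a CurrentVersion Run/RunOnce key, i.e. logon persistence;
    in the thread's log that is the 'MSN Messanger' value pointing at System.exe."""
    run_key = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
    return [d for d in report["detections"]
            if d.section.startswith("Registry") and run_key.search(d.location)]
```

Run it over any MBAM 1.x log pasted in a thread; a non-empty result from check_counts is the first thing to ask the poster about.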

      geek hoodlum



      Re: Help with System Tools virus
      « Reply #3 on: January 12, 2011, 08:10:49 PM »
      It seems we already did what we know to update your Java, but it failed.  :( Let's wait for any CH experts before proceeding to Step 6.

      Btw, you may do personal testing again while waiting for advice. You may repeat Steps 2-4, but this time, just save the logs on your desktop; you'll need them if necessary.

      harry 48



      Re: Help with System Tools virus
      « Reply #4 on: January 13, 2011, 05:33:55 AM »
      Please proceed with step 6; an expert needs that log. Don't do steps 2 to 4 one day after posting them.

      SuperDave

      • Malware Removal Specialist


      Re: Help with System Tools virus
      « Reply #5 on: January 13, 2011, 08:49:00 AM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

      Download Security Check by screen317 from one of the following links and save it to your desktop.

      Link 1
      Link 2

      * Unzip SecurityCheck.zip and a folder named Security Check should appear.
      * Open the Security Check folder and double-click Security Check.bat
      * Follow the on-screen instructions inside of the black box.
      * A Notepad document should open automatically called checkup.txt
      * Post the contents of that document in your next reply.

      Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
      ********************************************
      Download DDS from HERE or HERE and save it to your desktop.

      Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

      * XP users Double click on dds to run it.
      * If your antivirus or firewall try to block DDS then please allow it to run.
      * When finished DDS will open two (2) logs.

      1) DDS.txt
      2) Attach.txt

      * Save both logs to your desktop.
      * Please copy and paste the entire contents of both logs in your next reply.

      Note: DDS will instruct you to post the Attach.txt log as an attachment.
      Please just post it as you would any other log by copy and pasting it into the reply.

      hazel312001a

        Topic Starter


        Re: Help with System Tools virus
        « Reply #6 on: January 14, 2011, 05:16:49 AM »
        Per your instructions my captain:

         Results of screen317's Security Check version 0.99.8 
         Windows XP Service Pack 3 
         Internet Explorer 8 
        ``````````````````````````````
        Antivirus/Firewall Check:

         Windows Firewall Disabled! 
         Online Armor 4.5   
        ```````````````````````````````
        Anti-malware/Other Utilities Check:

         Malwarebytes' Anti-Malware   
         CCleaner     
         Java(TM) 6 Update 18 
         Out of date Java installed!
         Adobe Flash Player   
        Adobe Reader 9.3 MUI
        Out of date Adobe Reader installed!
        ````````````````````````````````
        Process Check: 
        objlist.exe by Laurent

         Norton ccSvcHst.exe
         Tall Emu Online Armor OAcat.exe
         Tall Emu Online Armor oasrv.exe
         Tall Emu Online Armor oaui.exe
         Tall Emu Online Armor OAhlp.exe
        ``````````End of Log````````````


        DDS (Ver_10-12-12.02) - NTFSx86 
        Run by jocey at  6:08:01.39 on Fri 01/14/2011
        Internet Explorer: 8.0.6001.18702
        Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1012.336 [GMT -6:00]

        AV: Norton Internet Security Netbook Edition *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
        FW: Online Armor Firewall *Enabled*
        FW: Norton Internet Security Netbook Edition *Disabled*

        ============== Running Processes ===============

        C:\WINDOWS\system32\svchost -k DcomLaunch
        svchost.exe
        C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
        C:\WINDOWS\System32\svchost.exe -k netsvcs
        svchost.exe
        svchost.exe
        C:\Program Files\Online Armor\OAcat.exe
        C:\Program Files\Online Armor\oasrv.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        c:\program files\idt\wdm\STacSV.exe
        C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
        C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
        C:\Program Files\Bonjour\mDNSResponder.exe
        C:\SWSetup\QuickWeb\QW.SYS\config\DVMExportService.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
        C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
        C:\WINDOWS\system32\svchost.exe -k imgsvc
        C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
        C:\Program Files\Skyhook Wireless\XPS\xpssvc.exe
        C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
        C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
        C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
        C:\Program Files\Common Files\Java\Java Update\jusched.exe
        C:\Program Files\Skyhook Wireless\XPS\xpscontrolpanel.exe
        C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
        C:\WINDOWS\system32\igfxpers.exe
        C:\Program Files\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe
        C:\Program Files\iTunes\iTunesHelper.exe
        C:\WINDOWS\system32\igfxtray.exe
        C:\WINDOWS\system32\igfxsrvc.exe
        C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
        C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
        C:\Program Files\Online Armor\oaui.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\Online Armor\OAhlp.exe
        C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
        C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
        C:\Program Files\iPod\bin\iPodService.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
        C:\Program Files\Roxio\BackOnTrack\Main\Backup_Central10.exe
        C:\Documents and Settings\jocey\Desktop\dds.scr

        ============== Pseudo HJT Report ===============

        uSearch Page = hxxp://www.bing.com
        uSearch Bar = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
        uInternet Settings,ProxyOverride = *.local
        mSearchAssistant = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
        BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
        BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
        BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.0.0.136\coIEPlg.dll
        BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.0.0.136\IPSBHO.DLL
        BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
        BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
        BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0369.0\npwinext.dll
        BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
        BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.0.0.136\coIEPlg.dll
        TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0369.0\npwinext.dll
        uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
        mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\delayedappstarter.exe 120 c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden
        mRun: [ZumoDrive] "c:\program files\hewlett-packard\hp clouddrive\ZumoLauncher.lnk"
        mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
        mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
        mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
        mRun: [Skyhook Wireless XPS Service] c:\program files\skyhook wireless\xps\xpscontrolpanel.exe --no-info
        mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
        mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
        mRun: [Persistence] c:\windows\system32\igfxpers.exe
        mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0369.0\mswinext.exe"
        mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
        mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
        mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
        mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
        mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
        mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
        mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
        mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
        mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
        StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpmedi~1.lnk - c:\program files\hewlett-packard\hp media suite\home\ArcStart.exe
        IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
        IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
        IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
        IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
        IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
        IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
        DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
        DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
        Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
        Notify: igfxcui - igfxdev.dll
        SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
        SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
        SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
        mASetup: {4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B} - c:\program files\hewlett-packard\hp media suite\home\quicklaunch.exe "c:\program files\hewlett-packard\hp media suite\home\HPMediaSuite.lnk" 2

        ============= SERVICES / DRIVERS ===============

        R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2010-8-26 21488]
        R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2010-8-26 15856]
        R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1100000.088\SymDS.sys [2010-8-26 328752]
        R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1100000.088\SymEFA.sys [2010-8-26 169008]
        R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [2009-12-28 106096]
        R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-23 691248]
        R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1100000.088\ccHPx86.sys [2010-8-26 501888]
        R1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [2009-11-11 18136]
        R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-1-11 202064]
        R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-1-11 38856]
        R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2011-1-11 25000]
        R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2011-1-11 29272]
        R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2010-8-26 25584]
        R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
        R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
        R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1100000.088\Ironx86.sys [2010-8-26 114736]
        R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
        R2 BOTService;BOTService;c:\program files\roxio\backontrack\instant restore\BOTService.exe [2010-2-4 211440]
        R2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\quickweb\qw.sys\config\DVMExportService.exe [2010-4-12 338168]
        R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-4-5 103992]
        R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.0.0.136\ccSvcHst.exe [2010-8-26 126392]
        R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2011-1-11 380784]
        R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2011-1-11 3652696]
        R2 xpssvc;Skyhook Wireless XPS Service;c:\program files\skyhook wireless\xps\xpssvc.exe [2010-4-1 699720]
        R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-8-26 113664]
        R3 Cam3820;Cam3820 PC Camera Driver;c:\windows\system32\drivers\cam3820a.sys [2010-12-25 363904]
        R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-8-26 227896]
        R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-1-12 102448]
        R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20110113.001\IDSXpx86.sys [2011-1-14 341944]
        R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20110113.036\NAVENG.SYS [2011-1-14 86008]
        R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20110113.036\NAVEX15.SYS [2011-1-14 1360760]
        R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\drivers\RtsPStor.sys [2010-8-26 230944]
        R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2010-12-25 1323296]
        R3 XPSVCOM;XPSVCOM;c:\windows\system32\drivers\XPSVCOM.sys [2010-2-4 12416]

        =============== Created Last 30 ================

        2011-01-13 03:22:12   471552   ------w-   c:\windows\system32\dllcache\aclayers.dll
        2011-01-13 02:22:57   339504   ----a-w-   c:\windows\system32\drivers\nis\1107000.00c\symtdiv.sys
        2011-01-13 02:22:56   43696   ----a-w-   c:\windows\system32\drivers\nis\1107000.00c\srtspx.sys
        2011-01-13 02:22:56   361904   ----a-w-   c:\windows\system32\drivers\nis\1107000.00c\symtdi.sys
        2011-01-13 02:22:56   328752   ----a-r-   c:\windows\system32\drivers\nis\1107000.00c\symds.sys
        2011-01-13 02:22:56   173104   ----a-w-   c:\windows\system32\drivers\nis\1107000.00c\symefa.sys
        2011-01-13 02:22:55   501888   ----a-w-   c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys
        2011-01-13 02:22:55   325680   ----a-w-   c:\windows\system32\drivers\nis\1107000.00c\srtsp.sys
        2011-01-13 02:22:55   116784   ----a-w-   c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys
        2011-01-13 02:22:18   --------   d-----w-   c:\windows\system32\drivers\nis\1107000.00C
        2011-01-12 01:32:43   --------   d-sh--w-   C:\found.000
        2011-01-12 01:03:10   --------   d-----w-   c:\windows\system32\PreInstall
        2011-01-12 01:03:07   --------   d--h--w-   c:\windows\$hf_mig$
        2011-01-11 23:16:50   3558912   ----a-w-   c:\program files\movie maker\moviemk.exe
        2011-01-11 23:16:50   3558912   ------w-   c:\windows\system32\dllcache\moviemk.exe
        2011-01-11 21:40:09   --------   d-----w-   c:\docume~1\jocey\applic~1\Malwarebytes
        2011-01-11 21:40:04   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2011-01-11 21:40:02   --------   d-----w-   c:\docume~1\alluse~1\applic~1\Malwarebytes
        2011-01-11 21:39:59   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2011-01-11 21:39:59   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2011-01-11 20:20:03   --------   d-----w-   c:\docume~1\jocey\applic~1\SUPERAntiSpyware.com
        2011-01-11 20:20:03   --------   d-----w-   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
        2011-01-11 20:19:50   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2011-01-11 19:54:54   --------   d-----w-   c:\program files\CCleaner
        2011-01-11 19:47:52   --------   d-----w-   c:\docume~1\jocey\applic~1\OnlineArmor
        2011-01-11 19:47:52   --------   d-----w-   c:\docume~1\alluse~1\applic~1\OnlineArmor
        2011-01-11 19:47:34   38856   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
        2011-01-11 19:47:34   25000   ----a-w-   c:\windows\system32\drivers\OAmon.sys
        2011-01-11 19:47:33   29272   ----a-w-   c:\windows\system32\drivers\OAnet.sys
        2011-01-11 19:47:33   202064   ----a-w-   c:\windows\system32\drivers\OADriver.sys
        2011-01-11 19:47:25   --------   d-----w-   c:\program files\Online Armor
        2010-12-26 22:03:11   --------   d-----w-   c:\program files\PC Tools Security
        2010-12-26 22:03:11   --------   d-----w-   c:\program files\common files\PC Tools
        2010-12-26 21:54:14   --------   d-----w-   c:\docume~1\alluse~1\applic~1\PC Tools
        2010-12-26 20:32:09   60808   ----a-w-   c:\windows\system32\S32EVNT1.DLL
        2010-12-26 20:32:08   124976   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
        2010-12-26 20:32:08   --------   d-----w-   c:\program files\Symantec
        2010-12-26 20:32:08   --------   d-----w-   c:\program files\common files\Symantec Shared
        2010-12-26 20:21:41   --------   d-----w-   c:\windows\pss
        2010-12-25 23:01:47   5632   ----a-w-   c:\windows\system32\ptpusb.dll
        2010-12-25 23:01:45   159232   ----a-w-   c:\windows\system32\ptpusd.dll
        2010-12-25 23:01:42   15104   ----a-w-   c:\windows\system32\drivers\usbscan.sys
        2010-12-25 23:01:42   15104   ----a-w-   c:\windows\system32\dllcache\usbscan.sys
        2010-12-25 23:00:24   --------   d-----w-   c:\docume~1\alluse~1\applic~1\fPhCc06305
        2010-12-25 22:31:06   --------   d-----w-   c:\docume~1\jocey\applic~1\Macrovision
        2010-12-25 22:14:20   --------   d-----w-   c:\docume~1\jocey\applic~1\ZumoDrive
        2010-12-25 22:14:14   259584   ----a-w-   c:\windows\system32\bcdedit.exe
        2010-12-25 22:14:13   --------   d-sh--w-   C:\Boot
        2010-12-25 22:13:49   221184   ----a-w-   c:\windows\system32\wmpns.dll
        2010-12-25 22:13:30   --------   d-----w-   C:\WildTangent
        2010-12-25 22:13:30   --------   d-----w-   C:\Users
        2010-12-25 22:13:04   --------   d-----w-   c:\docume~1\alluse~1\applic~1\Skyhook Wireless
        2010-12-25 22:13:00   13568   ----a-w-   c:\windows\system32\drivers\wpsnuio.sys
        2010-12-25 22:12:58   --------   d-----w-   c:\program files\Skyhook Wireless
        2010-12-25 22:11:47   363904   ----a-w-   c:\windows\system32\drivers\cam3820a.sys
        2010-12-25 22:11:47   217088   ----a-w-   c:\windows\system32\ACamPropertyPage.dll
        2010-12-25 22:11:47   212992   ----a-w-   c:\windows\system32\cocam3820.dll
        2010-12-25 22:11:47   110592   ----a-w-   c:\windows\system32\cam3820n.ax
        2010-12-25 22:11:47   --------   d-----w-   c:\program files\HP Webcam
        2010-12-25 22:11:09   238880   ----a-w-   c:\windows\system32\RaCoInst.dll
        2010-12-25 22:11:09   1323296   ----a-w-   c:\windows\system32\drivers\rt2860.sys
        2010-12-25 22:11:08   --------   d-----w-   c:\docume~1\alluse~1\applic~1\Ralink Driver
        2010-12-25 18:35:14   26368   ----a-w-   c:\windows\system32\dllcache\usbstor.sys
        2010-12-25 17:59:15   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
        2010-12-25 17:59:15   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
        2010-12-25 17:57:06   --------   d-----w-   c:\program files\iPod
        2010-12-25 17:56:58   --------   d-----w-   c:\program files\iTunes
        2010-12-25 17:56:58   --------   d-----w-   c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
        2010-12-25 17:55:33   159744   ----a-w-   c:\program files\internet explorer\plugins\npqtplugin7.dll
        2010-12-25 17:55:33   159744   ----a-w-   c:\program files\internet explorer\plugins\npqtplugin6.dll
        2010-12-25 17:55:33   159744   ----a-w-   c:\program files\internet explorer\plugins\npqtplugin5.dll
        2010-12-25 17:55:33   159744   ----a-w-   c:\program files\internet explorer\plugins\npqtplugin4.dll
        2010-12-25 17:55:33   159744   ----a-w-   c:\program files\internet explorer\plugins\npqtplugin3.dll
        2010-12-25 17:55:33   159744   ----a-w-   c:\program files\internet explorer\plugins\npqtplugin2.dll
        2010-12-25 17:55:33   159744   ----a-w-   c:\program files\internet explorer\plugins\npqtplugin.dll
        2010-12-25 17:51:29   --------   d-----w-   c:\docume~1\jocey\locals~1\applic~1\Apple
        2010-12-25 17:50:28   41984   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
        2010-12-25 17:50:28   4184352   ----a-w-   c:\windows\system32\usbaaplrc.dll
        2010-12-25 17:49:27   --------   d-----w-   c:\program files\Bonjour
        2010-12-25 17:47:48   --------   d-----w-   c:\docume~1\jocey\locals~1\applic~1\Apple Computer
        2010-12-25 15:31:47   --------   d-sh--w-   c:\documents and settings\jocey\PrivacIE
        2010-12-25 15:31:31   --------   d-----w-   c:\windows\system32\SoftwareDistribution

        ==================== Find3M  ====================

        2010-11-29 23:38:30   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
        2010-11-29 23:38:30   69632   ----a-w-   c:\windows\system32\QuickTime.qts

        ============= FINISH:  6:12:16.03 ===============



        UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
        IF REQUESTED, ZIP IT UP & ATTACH IT

        DDS (Ver_10-12-12.02)

        Microsoft Windows XP Home Edition
        Boot Device: \Device\HarddiskVolume1
        Install Date: 12/25/2010 4:08:49 PM
        System Uptime: 1/14/2011 5:41:44 AM (1 hours ago)

        Motherboard: Hewlett-Packard |  | 148A
        Processor:          Intel(R) Atom(TM) CPU N455   @ 1.66GHz | CPU | 1662/667mhz

        ==== Disk Partitions =========================

        C: is FIXED (NTFS) - 149 GiB total, 129.781 GiB free.

        ==== Disabled Device Manager Items =============

        ==== System Restore Points ===================

        No restore point in system.

        ==== Installed Programs ======================

        Acrobat.com
        Adobe AIR
        Adobe Flash Player 10 ActiveX
        Adobe Reader 9.3 MUI
        Apple Application Support
        Apple Mobile Device Support
        Apple Software Update
        Bejeweled 2 Deluxe
        Blasterball 3
        Bonjour
        CCleaner
        Chuzzle Deluxe
        Compatibility Pack for the 2007 Office system
        Diner Dash 2 Restaurant Rescue
        Dream Chronicles
        Faerie Solitaire
        FATE
        Gem Shop
        Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
        Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
        Hotfix for Windows XP (KB949764)
        Hotfix for Windows XP (KB954550-v5)
        Hotfix for Windows XP (KB954708)
        HP BatteryCheck 2.10 A4
        HP CloudDrive
        HP Game Console
        HP Games
        HP Help and Support
        HP HomeBase
        HP Quick Launch Buttons
        HP QuickSync
        HP QuickWeb Installer
        HP User Guides 0197
        HP Webcam
        HP Wireless Assistant
        HpSdpAppCoreApp
        IDT Audio
        Insaniquarium Deluxe
        Intel(R) Graphics Media Accelerator Driver
        Intel® Matrix Storage Manager
        iTunes
        Java Auto Updater
        Java(TM) 6 Update 18
        Jewel Match 2
        Jewel Quest II
        Jewel Quest Solitaire
        JoJo's Fashion Show
        Junk Mail filter update
        Mahjongg Artifacts
        Malwarebytes' Anti-Malware
        Microsoft .NET Framework 1.1
        Microsoft .NET Framework 2.0 Service Pack 2
        Microsoft .NET Framework 3.0 Service Pack 2
        Microsoft .NET Framework 3.5 SP1
        Microsoft Application Error Reporting
        Microsoft Choice Guard
        Microsoft Compression Client Pack 1.0 for Windows XP
        Microsoft Default Manager
        Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
        Microsoft Office Excel MUI (English) 2007
        Microsoft Office Home and Student 2007
        Microsoft Office OneNote MUI (English) 2007
        Microsoft Office PowerPoint MUI (English) 2007
        Microsoft Office PowerPoint Viewer 2007 (English)
        Microsoft Office Proof (English) 2007
        Microsoft Office Proof (French) 2007
        Microsoft Office Proof (Spanish) 2007
        Microsoft Office Proofing (English) 2007
        Microsoft Office Shared MUI (English) 2007
        Microsoft Office Shared Setup Metadata MUI (English) 2007
        Microsoft Office Suite Activation Assistant
        Microsoft Office Word MUI (English) 2007
        Microsoft Search Enhancement Pack
        Microsoft Silverlight
        Microsoft Software Update for Web Folders  (English) 12
        Microsoft SQL Server 2005 Compact Edition [ENU]
        Microsoft User-Mode Driver Framework Feature Pack 1.0
        Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
        Microsoft Works
        MSN Toolbar
        MSN Toolbar Platform
        MSVCRT
        MSXML 6.0 Parser (KB925673)
        Online Armor 4.5
        Penguins!
        Plants vs. Zombies
        Polar Bowler
        QLBCASL
        QuickTime
        Ralink RT2860 Wireless LAN Card
        REALTEK GbE & FE Ethernet PCI-E NIC Driver
        Realtek PCIE Card Reader
        Roxio BackOnTrack
        Roxio Disaster Recovery
        Roxio Instant Restore
        Roxio Instant Restore Recovery Disk
        Security Update for Windows Media Player (KB952069)
        Security Update for Windows Media Player (KB975558)
        Security Update for Windows XP (KB978601)
        Security Update for Windows XP (KB979309)
        Security Update for Windows XP (KB981997)
        Segoe UI
        Skyhook Wireless XPS Service
        Slingo Deluxe
        SUPERAntiSpyware
        Synaptics Pointing Device Driver
        System Tool2011
        Times Reader
        Update for Microsoft Office Word 2007 (KB974631)
        Update for Office 2007 (KB934528)
        Update for Windows XP (KB898461)
        Update for Windows XP (KB955759)
        Virtual Villagers - The Secret City
        WebFldrs XP
        Wedding Dash
        Windows Backup Utility
        Windows Driver Package - Skyhook Wireless NetTrans  (01/24/2010 3.4.1.04)
        Windows Internet Explorer 8
        Windows Live Call
        Windows Live Communications Platform
        Windows Live Essentials
        Windows Live ID Sign-in Assistant
        Windows Live Mail
        Windows Live Messenger
        Windows Live Photo Gallery
        Windows Live Sync
        Windows Live Upload Tool
        Windows Live Writer
        Windows Media Format 11 runtime
        Windows Media Player 11
        Windows Presentation Foundation
        XML Paper Specification Shared Components Pack 1.0
        Zuma Deluxe

        ==== Event Viewer Messages From Past Week ========

        1/14/2011 5:43:45 AM, error: BITS [16391]  - The BITS job list is not in a recognized format.  It may have been created by a different version of BITS.  The job list has been cleared.
        1/12/2011 8:24:02 PM, error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for ImagePath with the following error:  Access is denied.
        1/11/2011 6:00:28 PM, error: Service Control Manager [7023]  - The Application Management service terminated with the following error:  The specified module could not be found.
        1/11/2011 4:21:40 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
        1/11/2011 4:14:14 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
        1/11/2011 4:04:16 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
        1/11/2011 3:49:08 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AliIde BHDrvx86 ccHP DVMIO eeCtrl Fips IntelIde intelppm OADevice PCIIde SaibVd32 SASDIFSV SASKUTIL SRTSP SRTSPX SymIRON SYMTDI ViaIde
        1/11/2011 3:32:38 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  BHDrvx86 ccHP DVMIO eeCtrl Fips intelppm OADevice SaibVd32 SASDIFSV SASKUTIL SRTSP SRTSPX SymIRON SYMTDI
        1/11/2011 1:36:54 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  BHDrvx86 ccHP DVMIO eeCtrl Fips intelppm SaibVd32 SRTSP SRTSPX SymIRON SYMTDI

        ==== End Of File ===========================

        Thanx for your help Super Dave!

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Help with System Tools virus
        « Reply #7 on: January 14, 2011, 01:08:33 PM »
        Update Your Java (JRE)

        Old versions of Java have vulnerabilities that malware can use to infect your system.


        First Verify your Java Version

        If there are any other version(s) installed then update now.

        Get the new version (if needed)

        If your version is out of date install the newest version of the Sun Java Runtime Environment.

        Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

        Be sure to close ALL open web browsers before starting the installation.

        Remove any old versions

        1. Download JavaRa and unzip the file to your Desktop.
        2. Open JavaRA.exe and choose Remove Older Versions
        3. Once complete exit JavaRA.
        4. Run CCleaner.

        Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
        ****************************************
        Please download the newest version of Adobe Acrobat Reader from Adobe.com

        Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
        Go to the Control Panel and enter Add or Remove Programs.
        Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

        Once old versions are gone, please install the newest version.
        ****************************************************
        Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

        Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

        Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

        Exit out of MessengerDisable then delete the two files that were put on the desktop.
        ***************************************************
        Please read here for more information about WildTangent. Your choice if you want to remove it or not.

        If you choose to follow my advice, please follow these instructions.

        Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

        WildTangent Web Driver or anything related to WildTangent.
        *********************************************************
        Please download ComboFix from BleepingComputer.com

        Alternate link: GeeksToGo.com

        and save it to your Desktop.
        Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
        Double click ComboFix.exe & follow the prompts.
        As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

        Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


        Click on Yes, to continue scanning for malware.
        When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

        If you have problems with ComboFix usage, see How to use ComboFix
        Windows 8 and Windows 10 dual boot with two SSD's

        hazel312001a

          Topic Starter


          Rookie
          • Experience: Beginner
          • OS: Windows 7
          Re: Help with System Tools virus
          « Reply #8 on: January 14, 2011, 05:56:51 PM »
           From my original post:

          My issue: The day after Christmas my daughter reported a strange occurrence on her brand new Compaq Netbook Computer CQ10-405DX Intel Atom Windows XP SP3 machine. I knew right away it was a fake program and deeply rooted to be able to block applications and change the background.

          I reviewed this site and proceeded as instructed on http://www.computerhope.com/forum/index.php/topic,46313.0.html. However, I ran into trouble on Step 5: Update Your Java (JRE). Since I was unable to access the internet in Normal mode I used safe mode with networking to do the first 4 steps. But when I got to the Java update the system told me I didn't have the correct permissions.

           I started in normal mode and tried to update my Java version but now it is giving me an install error. So I stopped since the instructions said to do the steps in order. Any ideas on how I can get the Java updated and proceed?


          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: Help with System Tools virus
          « Reply #9 on: January 15, 2011, 12:28:27 PM »
          Please skip java update and proceed with the others.
          Windows 8 and Windows 10 dual boot with two SSD's

          hazel312001a

            Topic Starter


            Rookie
            • Experience: Beginner
            • OS: Windows 7
            Re: Help with System Tools virus
            « Reply #10 on: January 15, 2011, 02:06:21 PM »
            Please skip java update and proceed with the others.

            Ok...Here's the HJT log

            Logfile of Trend Micro HijackThis v2.0.4
            Scan saved at 2:55:32 PM, on 1/15/2011
            Platform: Windows XP SP3 (WinNT 5.01.2600)
            MSIE: Internet Explorer v8.00 (8.00.6001.18702)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
            C:\WINDOWS\System32\svchost.exe
            C:\Program Files\Online Armor\OAcat.exe
            C:\Program Files\Online Armor\oasrv.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\system32\spoolsv.exe
            c:\program files\idt\wdm\STacSV.exe
            C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
            C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
            C:\Program Files\Bonjour\mDNSResponder.exe
            C:\SWSetup\QuickWeb\QW.SYS\config\DVMExportService.exe
            C:\Program Files\Java\jre6\bin\jqs.exe
            C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
            C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
            C:\WINDOWS\system32\svchost.exe
            C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
            C:\Program Files\Skyhook Wireless\XPS\xpssvc.exe
            C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
            C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
            C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
            C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
            C:\Program Files\Common Files\Java\Java Update\jusched.exe
            C:\Program Files\Skyhook Wireless\XPS\xpscontrolpanel.exe
            C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
            C:\WINDOWS\system32\igfxpers.exe
            C:\Program Files\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe
            C:\Program Files\iTunes\iTunesHelper.exe
            C:\WINDOWS\system32\igfxsrvc.exe
            C:\WINDOWS\system32\igfxtray.exe
            C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
            C:\WINDOWS\system32\hkcmd.exe
            C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
            C:\Program Files\Online Armor\oaui.exe
            C:\WINDOWS\system32\ctfmon.exe
            C:\Program Files\Online Armor\OAhlp.exe
            C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
            C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
            C:\Program Files\iPod\bin\iPodService.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
            C:\WINDOWS\system32\msiexec.exe
            C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
            C:\WINDOWS\system32\wuauclt.exe
            \?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
            C:\Program Files\Trend Micro\HiJackThis\Sniper.exe.exe
            c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
            C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe
            C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
            C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ngen.exe

            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bing.com
            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT/1
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT/1
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
            R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
            O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
            O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
            O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll
            O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\IPSBHO.DLL
            O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
            O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
            O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0369.0\npwinext.dll
            O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
            O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll
            O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0369.0\npwinext.dll
            O4 - HKLM\..\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
            O4 - HKLM\..\Run: [ZumoDrive] "C:\Program Files\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk"
            O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
            O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
            O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
            O4 - HKLM\..\Run: [Skyhook Wireless XPS Service] C:\Program Files\Skyhook Wireless\XPS\xpscontrolpanel.exe --no-info
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
            O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
            O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
            O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe"
            O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
            O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
            O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
            O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
            O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
            O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
            O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
            O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
            O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Online Armor\oaui.exe"
            O4 - HKLM\..\RunOnce: [NetFxUpdate_v1.1.4322] "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 0 v1.1.4322 GAC + NI NID
            O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
            O4 - Global Startup: HP Media Suite.lnk = C:\Program Files\Hewlett-Packard\HP Media Suite\Home\ArcStart.exe
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
            O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
            O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
            O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
            O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
            O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
            O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
            O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
            O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
            O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
            O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
            O23 - Service: BOTService - Sonic Solutions - C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
            O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
            O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM, Inc. - C:\SWSetup\QuickWeb\QW.SYS\config\DVMExportService.exe
            O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe
            O23 - Service: HP Wireless Assistant Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
            O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
            O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
            O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
            O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
            O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
            O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
            O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Online Armor\OAcat.exe
            O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\wdm\STacSV.exe
            O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Online Armor\oasrv.exe
            O23 - Service: Skyhook Wireless XPS Service (xpssvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\XPS\xpssvc.exe

            --
            End of file - 11527 bytes


            What next?  Am I clean?

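Reading the HijackThis log above is what the helper does by eye. As an added example (not part of HijackThis, the thread or the poster's material), the Python below parses entry lines in that log's format and flags the kinds of entry a removal helper checks first. The three heuristics (orphaned "(no file)" browser extensions, "Unknown owner" services, autoruns outside Program Files or Windows) and the `ExampleAutorun` line in the sample are this example's own assumptions and constructions, not findings from the posted log.

```python
"""Triage a HijackThis (HJT) log: parse the "Oxx - ..." entry lines, skip the
running-process list and headers, and flag entries worth a closer look.

Added example for this thread; not part of HijackThis or of the posted material.
The heuristics are assumptions of this example, not HJT rules:
  * O2/O3 whose DLL field is "(no file)": a CLSID is registered but the DLL is gone.
  * O23 whose owner field is "Unknown owner": the service binary names no publisher.
  * O4 whose target lies outside Program Files / Windows: autorun from a
    user-writable location.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "O2 - BHO: ..." / "R1 - HKCU\..." -> section code plus the rest of the line.
HJT_LINE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")
# Target of an O4 autorun: text after "] " or " = ", optionally quoted,
# up to the first .exe/.lnk/.cpl so trailing command-line arguments are dropped.
AUTORUN_TARGET = re.compile(r'(?:\]\s*|=\s*)"?(?P<path>[^"]+?\.(?:exe|lnk|cpl))', re.IGNORECASE)
# Assumed roots an autorun is expected to live under (compared lower-cased).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "%programfiles%\\", "%systemroot%\\")


@dataclass
class Entry:
    code: str          # HJT section code, e.g. "O2", "O4", "O23"
    body: str          # everything after "Oxx - "
    fields: list[str]  # body split on " - ": [kind/name, clsid-or-owner, path]


@dataclass
class Finding:
    code: str
    reason: str
    detail: str


def parse_hjt(text: str) -> list[Entry]:
    """Return one Entry per 'Oxx - ...' / 'Rx - ...' line; all other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            body = m.group("body")
            entries.append(Entry(m.group("code"), body, [f.strip() for f in body.split(" - ")]))
    return entries


def autorun_target(body: str) -> str | None:
    """Extract the launched file from an O4 body, or None if no path is recognised."""
    m = AUTORUN_TARGET.search(body)
    return m.group("path") if m else None


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the three heuristics above and return findings in log order."""
    findings = []
    for e in entries:
        f = e.fields
        if e.code in ("O2", "O3") and len(f) >= 3 and f[2].lower() == "(no file)":
            findings.append(Finding(e.code, "orphaned browser extension: CLSID registered, DLL missing", f[1]))
        elif e.code == "O23" and len(f) >= 3 and f[1].lower() == "unknown owner":
            findings.append(Finding(e.code, "service binary carries no publisher name", f[2]))
        elif e.code == "O4":
            target = autorun_target(e.body)
            if target and not target.lower().startswith(TRUSTED_ROOTS):
                findings.append(Finding(e.code, "autorun launched from outside Program Files / Windows", target))
    return findings


# Sample input constructed from lines of the log posted above, plus one constructed
# O4 line ([ExampleAutorun]) that is NOT from the posted log and exists only to
# exercise the third heuristic.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKCU\..\Run: [ExampleAutorun] "C:\Documents and Settings\jocey\Local Settings\Application Data\example_autorun.exe"
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for fnd in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{fnd.code:>4}  {fnd.reason}: {fnd.detail}")
```

A flagged entry is a prompt to check the file (publisher, location, hash) rather than a verdict: the Roxio service above is legitimate but simply lacks an embedded company name.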

            hazel312001a

              Topic Starter


              Rookie
              • Experience: Beginner
              • OS: Windows 7
              Re: Help with System Tools virus
              « Reply #11 on: January 15, 2011, 02:08:26 PM »
              Oh and am I supposed to go ahead with the Adobe update, Disabling windows messenger and Combo fix?

              SuperDave

              • Malware Removal Specialist


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: Help with System Tools virus
              « Reply #12 on: January 15, 2011, 07:29:53 PM »
              Oh and am I supposed to go ahead with the Adobe update, Disabling windows messenger and Combo fix?
              Yes, please.
              Windows 8 and Windows 10 dual boot with two SSD's

              hazel312001a

                Topic Starter


                Rookie
                • Experience: Beginner
                • OS: Windows 7
                Re: Help with System Tools virus
                « Reply #13 on: January 16, 2011, 09:11:16 AM »
                I hope we are almost done ...Thanx again for all your help! You wonderful people are a godsend!

                I updated Adobe...uninstalled messenger and downloaded/ran combofix. Here is the log:

                ComboFix 11-01-15.01 - jocey 01/16/2011   9:27.1.2 - x86
                Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1012.348 [GMT -6:00]
                Running from: c:\documents and settings\jocey\Desktop\ComboFix.exe
                AV: Norton Internet Security Netbook Edition *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
                FW: Norton Internet Security Netbook Edition *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
                FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
                .

                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                c:\documents and settings\jocey\Start Menu\Programs\System Tool
                c:\documents and settings\jocey\Start Menu\Programs\System Tool\System Tool 2011.lnk

                .
                (((((((((((((((((((((((((   Files Created from 2010-12-16 to 2011-01-16  )))))))))))))))))))))))))))))))
                .

                2011-01-16 15:03 . 2011-01-16 15:03   --------   d-----w-   c:\windows\LastGood
                2011-01-15 22:45 . 2011-01-15 22:45   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                2011-01-15 20:56 . 2011-01-15 22:17   --------   d-----w-   c:\windows\ie8updates
                2011-01-15 20:50 . 2011-01-15 20:50   --------   d-----w-   c:\program files\Trend Micro
                2011-01-14 12:05 . 2008-06-13 11:05   272128   ------w-   c:\windows\system32\drivers\bthport.sys
                2011-01-14 12:05 . 2008-06-13 11:05   272128   ------w-   c:\windows\system32\dllcache\bthport.sys
                2011-01-14 12:04 . 2010-09-18 06:53   954368   ----a-w-   c:\windows\system32\mfc40.dll
                2011-01-14 12:04 . 2010-09-18 06:53   954368   ------w-   c:\windows\system32\dllcache\mfc40.dll
                2011-01-14 12:04 . 2010-09-18 06:53   953856   ----a-w-   c:\windows\system32\mfc40u.dll
                2011-01-14 12:04 . 2010-09-18 06:53   953856   ------w-   c:\windows\system32\dllcache\mfc40u.dll
                2011-01-14 12:04 . 2010-09-18 06:53   974848   ----a-w-   c:\windows\system32\mfc42.dll
                2011-01-14 12:04 . 2010-09-18 06:53   974848   ------w-   c:\windows\system32\dllcache\mfc42.dll
                2011-01-14 12:04 . 2008-08-14 10:04   138496   ----a-w-   c:\windows\system32\drivers\afd.sys
                2011-01-14 12:04 . 2008-08-14 10:04   138496   ------w-   c:\windows\system32\dllcache\afd.sys
                2011-01-14 12:04 . 2010-06-21 15:27   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
                2011-01-14 12:04 . 2010-06-21 15:27   354304   ------w-   c:\windows\system32\dllcache\srv.sys
                2011-01-14 12:04 . 2010-08-23 16:12   617472   ----a-w-   c:\windows\system32\comctl32.dll
                2011-01-14 12:04 . 2010-08-23 16:12   617472   ------w-   c:\windows\system32\dllcache\comctl32.dll
                2011-01-14 11:59 . 2009-06-21 21:44   153088   ----a-w-   c:\program files\Common Files\Microsoft Shared\Triedit\triedit.dll
                2011-01-14 11:59 . 2009-06-21 21:44   153088   ------w-   c:\windows\system32\dllcache\triedit.dll
                2011-01-14 11:54 . 2009-12-09 05:53   726528   ----a-w-   c:\windows\system32\dllcache\jscript.dll
                2011-01-14 11:52 . 2010-02-24 13:11   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
                2011-01-14 11:52 . 2010-02-24 13:11   455680   ------w-   c:\windows\system32\dllcache\mrxsmb.sys
                2011-01-13 03:22 . 2009-11-21 15:51   471552   ------w-   c:\windows\system32\dllcache\aclayers.dll
                2011-01-13 02:29 . 2010-11-06 00:26   5959168   ----a-w-   c:\windows\system32\dllcache\mshtml.dll
                2011-01-13 02:29 . 2010-11-06 00:26   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
                2011-01-13 02:29 . 2010-11-06 00:26   11080704   ------w-   c:\windows\system32\dllcache\ieframe.dll
                2011-01-13 02:29 . 2010-11-02 15:17   40960   ----a-w-   c:\windows\system32\drivers\ndproxy.sys
                2011-01-13 02:29 . 2010-11-02 15:17   40960   ------w-   c:\windows\system32\dllcache\ndproxy.sys
                2011-01-13 02:27 . 2010-04-27 13:59   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
                2011-01-13 02:27 . 2010-04-27 13:59   2146304   ------w-   c:\windows\system32\dllcache\ntkrnlmp.exe
                2011-01-13 02:27 . 2010-04-28 02:25   2189952   ------w-   c:\windows\system32\dllcache\ntoskrnl.exe
                2011-01-13 02:27 . 2010-04-27 13:05   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
                2011-01-13 02:27 . 2010-04-27 13:05   2024448   ------w-   c:\windows\system32\dllcache\ntkrpamp.exe
                2011-01-13 02:27 . 2010-04-27 13:05   2066816   ------w-   c:\windows\system32\dllcache\ntkrnlpa.exe
                2011-01-13 02:25 . 2008-05-08 14:02   203136   ----a-w-   c:\windows\system32\drivers\rmcast.sys
                2011-01-13 02:25 . 2008-05-08 14:02   203136   ------w-   c:\windows\system32\dllcache\rmcast.sys
                2011-01-13 02:25 . 2008-05-01 14:33   331776   ----a-w-   c:\program files\Common Files\System\msadc\msadce.dll
                2011-01-13 02:25 . 2008-05-01 14:33   331776   ------w-   c:\windows\system32\dllcache\msadce.dll
                2011-01-13 02:22 . 2011-01-16 15:03   --------   d-----w-   c:\windows\system32\drivers\NIS\1107000.00C
                2011-01-13 02:21 . 2010-03-10 06:15   420352   ----a-w-   c:\windows\system32\vbscript.dll
                2011-01-13 02:21 . 2010-03-10 06:15   420352   ----a-w-   c:\windows\system32\dllcache\vbscript.dll
                2011-01-13 02:19 . 2008-10-15 16:34   337408   ------w-   c:\windows\system32\dllcache\netapi32.dll
                2011-01-13 02:18 . 2010-10-11 14:59   45568   ----a-w-   c:\program files\Outlook Express\wab.exe
                2011-01-13 02:18 . 2010-10-11 14:59   45568   ------w-   c:\windows\system32\dllcache\wab.exe
                2011-01-13 02:18 . 2010-08-16 08:45   590848   ----a-w-   c:\windows\system32\rpcrt4.dll
                2011-01-13 02:18 . 2010-08-16 08:45   590848   ------w-   c:\windows\system32\dllcache\rpcrt4.dll
                2011-01-13 02:18 . 2010-08-13 12:53   5120   ------w-   c:\windows\system32\xpsp4res.dll
                2011-01-12 01:32 . 2011-01-12 01:32   --------   d-----w-   C:\found.000
                2011-01-12 01:03 . 2011-01-16 15:04   --------   d--h--w-   c:\windows\$hf_mig$
                2011-01-11 23:16 . 2010-06-18 13:36   3558912   ----a-w-   c:\program files\Movie Maker\moviemk.exe
                2011-01-11 23:16 . 2010-06-18 13:36   3558912   ------w-   c:\windows\system32\dllcache\moviemk.exe
                2011-01-11 21:40 . 2010-12-21 00:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                2011-01-11 21:40 . 2011-01-11 21:40   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                2011-01-11 21:39 . 2011-01-11 21:40   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                2011-01-11 21:39 . 2010-12-21 00:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2011-01-11 20:20 . 2011-01-11 20:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                2011-01-11 20:19 . 2011-01-11 20:20   --------   d-----w-   c:\program files\SUPERAntiSpyware
                2011-01-11 19:54 . 2011-01-11 19:54   --------   d-----w-   c:\program files\CCleaner
                2011-01-11 19:47 . 2011-01-11 23:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
                2011-01-11 19:47 . 2010-11-03 21:57   38856   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
                2011-01-11 19:47 . 2010-11-03 21:55   25000   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                2011-01-11 19:47 . 2010-11-03 21:55   29272   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                2011-01-11 19:47 . 2010-11-03 21:52   202064   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                2011-01-11 19:47 . 2011-01-16 15:10   --------   d-----w-   c:\program files\Online Armor
                2010-12-26 22:57 . 2010-12-26 23:06   --------   d-----w-   c:\documents and settings\Administrator
                2010-12-26 22:03 . 2010-12-26 22:32   --------   d-----w-   c:\program files\PC Tools Security
                2010-12-26 22:03 . 2010-12-26 22:32   --------   d-----w-   c:\program files\Common Files\PC Tools
                2010-12-26 21:54 . 2010-12-26 22:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Tools
                2010-12-26 21:44 . 2010-12-26 22:32   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
                2010-12-26 20:32 . 2010-12-26 20:32   60808   ----a-w-   c:\windows\system32\S32EVNT1.DLL
                2010-12-26 20:32 . 2010-12-26 21:13   --------   d-----w-   c:\program files\Common Files\Symantec Shared
                2010-12-26 20:32 . 2010-12-26 20:32   --------   d-----w-   c:\program files\Symantec
                2010-12-26 20:32 . 2010-12-26 20:32   124976   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
                2010-12-25 23:01 . 2001-08-18 04:36   5632   ----a-w-   c:\windows\system32\ptpusb.dll
                2010-12-25 23:01 . 2008-04-14 11:42   159232   ----a-w-   c:\windows\system32\ptpusd.dll
                2010-12-25 23:01 . 2008-04-14 06:15   15104   ----a-w-   c:\windows\system32\drivers\usbscan.sys
                2010-12-25 23:01 . 2008-04-14 06:15   15104   ----a-w-   c:\windows\system32\dllcache\usbscan.sys
                2010-12-25 23:00 . 2011-01-11 21:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\fPhCc06305
                2010-12-25 23:00 . 2010-12-25 23:00   --------   d-----w-   c:\windows\Sun
                2010-12-25 22:14 . 2010-02-04 20:32   259584   ----a-w-   c:\windows\system32\bcdedit.exe
                2010-12-25 22:14 . 2010-12-25 22:14   --------   d-----w-   C:\Boot
                2010-12-25 22:13 . 2008-04-15 12:00   221184   ----a-w-   c:\windows\system32\wmpns.dll
                2010-12-25 22:13 . 2010-12-25 22:13   --------   d-----w-   C:\WildTangent
                2010-12-25 22:13 . 2010-12-25 22:13   --------   d-----w-   C:\Users
                2010-12-25 22:13 . 2010-12-25 22:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skyhook Wireless
                2010-12-25 22:13 . 2010-12-25 22:13   --------   d-----w-   c:\program files\DIFX
                2010-12-25 22:13 . 2010-02-17 07:11   13568   ----a-w-   c:\windows\system32\drivers\wpsnuio.sys
                2010-12-25 22:12 . 2010-12-25 22:12   --------   d-----w-   c:\program files\Skyhook Wireless
                2010-12-25 22:11 . 2010-12-25 22:11   --------   d-----w-   c:\program files\HP Webcam
                2010-12-25 22:11 . 2010-03-10 03:17   217088   ----a-w-   c:\windows\system32\ACamPropertyPage.dll
                2010-12-25 22:11 . 2010-03-03 20:39   363904   ----a-w-   c:\windows\system32\drivers\cam3820a.sys
                2010-12-25 22:11 . 2010-03-02 21:51   212992   ----a-w-   c:\windows\system32\cocam3820.dll
                2010-12-25 22:11 . 2010-03-02 21:51   110592   ----a-w-   c:\windows\system32\cam3820n.ax
                2010-12-25 22:11 . 2010-03-01 15:54   1323296   ----a-w-   c:\windows\system32\drivers\rt2860.sys
                2010-12-25 22:11 . 2010-03-01 15:50   238880   ----a-w-   c:\windows\system32\RaCoInst.dll
                2010-12-25 22:11 . 2010-12-25 22:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\Ralink Driver
                2010-12-25 22:10 . 2011-01-13 03:22   --------   d-----w-   c:\documents and settings\jocey
                2010-12-25 22:08 . 2010-08-27 02:34   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
                2010-12-25 22:08 . 2010-08-27 04:54   --------   d-----w-   c:\documents and settings\Default User\Local Settings\Application Data\Adobe
                2010-12-25 22:08 . 2010-08-27 03:57   --------   d-----w-   c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
                2010-12-25 22:08 . 2010-08-27 02:34   --------   d-sh--w-   c:\documents and settings\Default User\IETldCache
                2010-12-25 22:08 . 2010-08-27 01:37   --------   d-----w-   c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory
                2010-12-25 18:35 . 2008-04-14 06:15   26368   ----a-w-   c:\windows\system32\dllcache\usbstor.sys
                2010-12-25 18:19 . 2010-12-25 18:19   --------   d-----w-   c:\documents and settings\LocalService\Application Data\Apple Computer
                2010-12-25 17:59 . 2009-05-18 19:17   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
                2010-12-25 17:59 . 2008-04-17 18:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
                2010-12-25 17:57 . 2010-12-25 17:57   --------   d-----w-   c:\program files\iPod
                2010-12-25 17:56 . 2010-12-25 17:59   --------   d-----w-   c:\program files\iTunes
                2010-12-25 17:56 . 2010-12-25 17:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                2010-12-25 17:55 . 2010-12-25 17:55   159744   ----a-w-   c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
                2010-12-25 17:55 . 2010-12-25 17:55   159744   ----a-w-   c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
                2010-12-25 17:55 . 2010-12-25 17:55   159744   ----a-w-   c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
                2010-12-25 17:55 . 2010-12-25 17:55   159744   ----a-w-   c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
                2010-12-25 17:55 . 2010-12-25 17:55   159744   ----a-w-   c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
                2010-12-25 17:55 . 2010-12-25 17:55   159744   ----a-w-   c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
                2010-12-25 17:55 . 2010-12-25 17:55   159744   ----a-w-   c:\program files\Internet Explorer\Plugins\npqtplugin.dll
                2010-12-25 17:52 . 2010-12-25 17:55   --------   d-----w-   c:\program files\QuickTime
                2010-12-25 17:51 . 2010-12-25 17:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
                2010-12-25 17:51 . 2010-12-25 17:51   --------   d-----w-   c:\program files\Apple Software Update
                2010-12-25 17:50 . 2010-09-28 21:44   41984   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
                2010-12-25 17:50 . 2010-09-28 21:44   4184352   ----a-w-   c:\windows\system32\usbaaplrc.dll
                2010-12-25 17:49 . 2010-12-25 17:49   --------   d-----w-   c:\program files\Bonjour
                2010-12-25 17:48 . 2010-12-25 18:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
                2010-12-25 17:48 . 2010-12-25 17:57   --------   d-----w-   c:\program files\Common Files\Apple

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2010-11-29 23:38 . 2010-11-29 23:38   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
                2010-11-29 23:38 . 2010-11-29 23:38   69632   ----a-w-   c:\windows\system32\QuickTime.qts
                2010-11-18 18:12 . 2010-11-18 18:12   81920   ----a-w-   c:\windows\system32\isign32.dll
                2010-11-09 14:52 . 2010-11-09 14:52   249856   ----a-w-   c:\windows\system32\odbc32.dll
                2010-10-28 13:13 . 2010-10-28 13:13   290048   ----a-w-   c:\windows\system32\atmfd.dll
                2010-10-26 13:25 . 2010-10-26 13:25   1853312   ----a-w-   c:\windows\system32\win32k.sys
                .

                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
                @="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
                [HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
                2010-03-28 22:22   718848   ----a-w-   c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
                @="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
                [HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
                2010-03-28 22:22   718848   ----a-w-   c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
                @="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
                [HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
                2010-03-28 22:22   718848   ----a-w-   c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
                @="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
                [HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
                2010-03-28 22:22   718848   ----a-w-   c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
                @="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
                [HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
                2010-03-28 22:22   718848   ----a-w-   c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-04-05 8192]
                "ZumoDrive"="c:\program files\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk" [2010-12-25 1733]
                "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
                "Skyhook Wireless XPS Service"="c:\program files\Skyhook Wireless\XPS\xpscontrolpanel.exe" [2010-04-02 632136]
                "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
                "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 323640]
                "Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-17 141336]
                "MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe" [2009-11-30 240472]
                "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
                "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
                "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-17 141336]
                "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
                "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-17 173592]
                "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
                "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
                "@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2010-11-03 2345000]

                c:\documents and settings\All Users\Start Menu\Programs\Startup\
                HP Media Suite.lnk - c:\program files\Hewlett-Packard\HP Media Suite\Home\ArcStart.exe [2010-4-1 91648]

                [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
                "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2010-11-03 353992]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                @="Driver"

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                "EnableFirewall"= 0 (0x0)

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                "%windir%\\system32\\sessmgr.exe"=
                "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
                "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
                "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
                "c:\\Program Files\\Hewlett-Packard\\HP CloudDrive\\zumodrive.exe"=
                "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                "c:\\Program Files\\iTunes\\iTunes.exe"=

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                "5353:UDP"= 5353:UDP:Java(TM) Platform SE binary
                "8182:TCP"= 8182:TCP:Java(TM) Platform SE binary

                R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [8/26/2010 10:26 PM 21488]
                R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [8/26/2010 10:26 PM 15856]
                R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1100000.088\SymDS.sys [8/26/2010 8:49 PM 328752]
                R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1100000.088\SymEFA.sys [8/26/2010 8:49 PM 169008]
                R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [12/28/2009 12:17 AM 106096]
                R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/23/2010 3:34 AM 691248]
                R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1100000.088\ccHPx86.sys [8/26/2010 8:49 PM 501888]
                R1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [11/11/2009 2:09 PM 18136]
                R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [1/11/2011 1:47 PM 202064]
                R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [1/11/2011 1:47 PM 38856]
                R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [1/11/2011 1:47 PM 25000]
                R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [1/11/2011 1:47 PM 29272]
                R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [8/26/2010 10:26 PM 25584]
                R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
                R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
                R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [1/12/2011 8:22 PM 116784]
                R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 8:05 PM 457200]
                R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [2/4/2010 3:00 PM 211440]
                R2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [4/12/2010 8:37 PM 338168]
                R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [4/5/2010 12:12 PM 103992]
                R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe [8/26/2010 8:49 PM 126392]
                R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [1/11/2011 1:47 PM 380784]
                R2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [1/11/2011 1:47 PM 3652696]
                R2 xpssvc;Skyhook Wireless XPS Service;c:\program files\Skyhook Wireless\XPS\xpssvc.exe [4/1/2010 8:04 PM 699720]
                R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/26/2010 9:06 PM 113664]
                R3 Cam3820;Cam3820 PC Camera Driver;c:\windows\system32\drivers\cam3820a.sys [12/25/2010 4:11 PM 363904]
                R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [8/26/2010 9:10 PM 227896]
                R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/12/2011 8:24 PM 102448]
                R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20110114.002\IDSXpx86.sys [1/15/2011 2:57 PM 341944]
                R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\drivers\RtsPStor.sys [8/26/2010 9:08 PM 230944]
                R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [12/25/2010 4:11 PM 1323296]
                R3 XPSVCOM;XPSVCOM;c:\windows\system32\drivers\XPSVCOM.sys [2/4/2010 12:07 AM 12416]

                [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B}]
                2010-03-26 23:27   200769   ----a-w-   c:\program files\Hewlett-Packard\HP Media Suite\Home\QuickLaunch.exe
                .
                Contents of the 'Scheduled Tasks' folder

                2010-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
                - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

                2011-01-15 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
                - c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2010-02-04 21:00]
                .
                .
                ------- Supplementary Scan -------
                .
                uInternet Settings,ProxyOverride = *.local
                IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
                .
                - - - - ORPHANS REMOVED - - - -

                HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
                HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
                HKLM-Run-AESTFltr - c:\windows\system32\AESTFltr.exe



                **************************************************************************

                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2011-01-16 09:53
                Windows 5.1.2600 Service Pack 3 NTFS

                detected NTDLL code modification:
                ZwOpenFile

                scanning hidden processes ... 

                scanning hidden autostart entries ...

                scanning hidden files ... 

                scan completed successfully
                hidden files: 0

                **************************************************************************

                [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
                "ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.0.0.136\diMaster.dll\" /prefetch:1"
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------

                - - - - - - - > 'winlogon.exe'(504)
                c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                c:\windows\system32\WININET.dll
                c:\windows\system32\igfxdev.dll
                .
                Completion time: 2011-01-16  10:04:28
                ComboFix-quarantined-files.txt  2011-01-16 16:04

                Pre-Run: 137,427,267,584 bytes free
                Post-Run: 137,535,344,640 bytes free

                WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
                [boot loader]
                timeout=2
                default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                [operating systems]
                c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                UnsupportedDebug="do not select this" /debug
                multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

                - - End Of File - - 9AA66AC165750B17516075E855893A12
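The report above is a ComboFix log, and reading one is mostly a matter of knowing which sections to look at first. The following Python script is an added example (it is not ComboFix's code and was not posted in this thread): it parses the file-listing format shown above plus the firewall, open-port and catchme sections, and flags the items a removal helper usually checks first. Everything it flags is a heuristic and an assumption on my part, not a verdict: directories with a random letters-plus-digits name under All Users\Application Data, the chkdsk recovery folder, system32 files whose dllcache copy differs in size (with the multiprocessor-kernel exception that the log above shows, where system32\ntoskrnl.exe matches dllcache\ntkrnlmp.exe rather than dllcache\ntoskrnl.exe), the EnableFirewall=0 setting, globally open ports, and the catchme "NTDLL code modification" names. The sample log is constructed in the same format, with one dllcache size deliberately altered so the comparison has something to report.

```python
"""Triage a ComboFix-style log (added example; not ComboFix's own code). It parses
the file listing plus the firewall, open-port and catchme sections and flags what a
removal helper reads first. The sample log is constructed in the thread's format;
every heuristic is an assumption, and a flag means "look at this", not "malware"."""
import re
from collections import namedtuple

# "<changed> . <created>   <size|-------->   <attrs>   <path>"
FILE_LINE = re.compile(
    r"^(?P<changed>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*?)\s*$"
)
# Assumption: rogue-AV data folders often carry a random letters+digits leaf name.
RANDOM_LEAF = re.compile(r"^[A-Za-z]{3,8}\d{4,8}$")
ALL_USERS_APPDATA = "\\all users\\application data\\"
SYSTEM32 = "c:\\windows\\system32\\"
DLLCACHE = SYSTEM32 + "dllcache\\"
# Multiprocessor XP installs the MP kernels under the generic names, so
# system32\ntoskrnl.exe legitimately matches dllcache\ntkrnlmp.exe, not ntoskrnl.exe.
KERNEL_TWINS = {"ntoskrnl.exe": "ntkrnlmp.exe", "ntkrnlpa.exe": "ntkrpamp.exe"}
Entry = namedtuple("Entry", "changed created size attrs path")  # size is None for dirs


def parse_entries(text):
    """One Entry per file-listing line; every other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(Entry(m["changed"], m["created"], size, m["attrs"], m["path"]))
    return entries


def dllcache_mismatches(entries):
    """system32 files whose dllcache copy (the WFP reference) differs in size."""
    sizes = {e.path.lower(): e.size for e in entries if e.size is not None}
    out = []
    for path, size in sizes.items():
        if not path.startswith(SYSTEM32) or path.startswith(DLLCACHE):
            continue
        name = path.rsplit("\\", 1)[-1]
        names = [name, KERNEL_TWINS.get(name)]
        cached = [sizes[DLLCACHE + n] for n in names if n and DLLCACHE + n in sizes]
        if cached and size not in cached:
            out.append(path)
    return out


def ntdll_hooks(text):
    """Names catchme prints under 'detected NTDLL code modification:'."""
    hooks, grab = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("detected NTDLL code modification"):
            grab = True
        elif grab:
            if not s:
                break
            hooks.append(s)
    return hooks


def triage(text):
    """(kind, detail) findings, in the order the sections appear in the log."""
    findings = []
    entries = parse_entries(text)
    for e in entries:
        is_dir, name = e.attrs.startswith("d"), e.path.rsplit("\\", 1)[-1]
        if is_dir and ALL_USERS_APPDATA in e.path.lower() and RANDOM_LEAF.match(name):
            findings.append(("random_appdata_dir", e.path))
        if is_dir and re.fullmatch(r"found\.\d{3}", name, re.I):
            findings.append(("chkdsk_recovery_dir", e.path))  # chkdsk output, not malware
    for path in dllcache_mismatches(entries):
        findings.append(("dllcache_size_mismatch", path))
    if re.search(r'"EnableFirewall"\s*=\s*0\b', text):
        findings.append(("firewall_disabled", "standardprofile EnableFirewall=0"))
    for m in re.finditer(r'^\s*"(\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(.+?)\s*$', text, re.M):
        findings.append(("globally_open_port", f"{m[1]} {m[2]}"))
    for fn in ntdll_hooks(text):
        findings.append(("ntdll_hook", fn))  # HIPS/AV products hook ntdll too: identify the owner
    return findings


# Constructed sample in the thread's format; the dllcache\comctl32.dll size is
# deliberately altered so the dllcache check has something to flag.
SAMPLE_LOG = r"""
2011-01-12 01:32 . 2011-01-12 01:32   --------   d-----w-   C:\found.000
2010-12-25 23:00 . 2011-01-11 21:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\fPhCc06305
2011-01-13 02:27 . 2010-04-27 13:59   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-01-13 02:27 . 2010-04-27 13:59   2146304   ------w-   c:\windows\system32\dllcache\ntkrnlmp.exe
2011-01-13 02:27 . 2010-04-28 02:25   2189952   ------w-   c:\windows\system32\dllcache\ntoskrnl.exe
2011-01-14 12:04 . 2010-08-23 16:12   617472   ----a-w-   c:\windows\system32\comctl32.dll
2011-01-14 12:04 . 2010-08-23 16:12   600000   ------w-   c:\windows\system32\dllcache\comctl32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Java(TM) Platform SE binary
"8182:TCP"= 8182:TCP:Java(TM) Platform SE binary
detected NTDLL code modification:
ZwOpenFile
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Run as a script it prints one line per finding; pass the full log text to `triage()` instead of `SAMPLE_LOG` to use it on a real report. Two caveats apply to the output: a user-mode patch of an ntdll export such as the ZwOpenFile entry is exactly what HIPS products and antivirus self-protection install, so it has to be attributed to its owner before it counts as rootkit evidence, and the random-name heuristic only says a folder deserves a look, which is why the dllcache comparison and the firewall state are reported alongside it rather than as a single score.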

                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Help with System Tools virus
                « Reply #14 on: January 16, 2011, 10:29:29 AM »
                Please read here for more information about WildTangent. Your choice if you want to remove it or not.

                If you choose to follow my advice, please follow these instructions.

                Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

WildTangent Web Driver or anything related to WildTangent.
                ******************************************************
                Re-running ComboFix to remove infections:

                • Close any open browsers.
                • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                • Open notepad and copy/paste the text in the quotebox below into it:
                  Quote
                  KillAll::

                  File::
                  C:\found.000
                  MBR::

                • Save this as CFScript.txt, in the same location as ComboFix.exe



                • Referring to the picture above, drag CFScript into ComboFix.exe
                • When finished, it shall produce a log for you at C:\ComboFix.txt
                • Please post the contents of the log in your next reply.
                ***********************************************
                Download the GMER Rootkit Scanner. Unzip it to your Desktop.

                Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

                Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

                If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
                • Click NO
                • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
                • Now click the Scan button.
                • Once the scan is complete, you may receive another notice about rootkit activity.
                • Click OK.
                • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
                • Save it where you can easily find it, such as your desktop.