
Author Topic: At9  (Read 13305 times)


Ralph12

    Topic Starter


    Rookie

    Re: At9
    « Reply #15 on: February 25, 2009, 07:28:40 AM »
    The Ask Toolbar wouldn't remove from Add or Remove Programs. It came up with a window asking to close IE and to click Yes to do so; when I did that, nothing happened. So I closed IE and tried again; still nothing happened. I haven't gone any farther and will wait on an answer from you as to whether I should.

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: At9
    « Reply #16 on: February 25, 2009, 08:02:19 AM »
    Download Revo Uninstaller
    • Go in to Revo, right click what you want to uninstall (Ask Toolbar) and choose Uninstall.
    • Next choose Advanced Mode
    • This will launch the program's built-in uninstaller; go through the normal uninstall process.
    • Even if the uninstaller fails still continue with the rest of the steps.
    • Once complete: In Revo Uninstaller click Next and Revo will scan the registry for leftovers.
      • This scan can take several seconds.
    • Once the results are shown look at each one to ensure they are all related to the program that was uninstalled.
    • Choose Select All then click Delete
    • Click Next and Revo will scan for any files or folders that were not removed.
    • If any files/folders are found choose Select all > Delete

    Ralph12

      Topic Starter


      Rookie

      Re: At9
      « Reply #17 on: February 25, 2009, 12:40:54 PM »
      Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
      X86-based PC ( Multiprocessor Free : Intel(R) Core(TM)2 CPU         T5600  @ 1.83GHz )
      BIOS : Phoenix ROM BIOS PLUS Version 1.10 A08
      USER : Ralph Foster ( Administrator )
      BOOT : Normal boot

      Antivirus : AVG Anti-Virus Free 8.0 (Activated)


      C:\ (Local Disk) - NTFS - Total:67 Go (Free:44 Go)
      D:\ (CD or DVD)

      Wed 02/25/2009|13:42

      ----------------------\\  Search..

      No infections found !


      1 - "C:\Rooter$\Rooter_1.txt" - Wed 02/25/2009|13:43

      ----------------------\\  Scan completed at 13:43


      ComboFix 09-02-24.02 - Ralph Foster 2009-02-25 14:07:08.1 - NTFSx86
      Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1271 [GMT -5:00]
      Running from: c:\documents and settings\Ralph Foster\Desktop\ComboFix.exe
      AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
       * Created a new restore point
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\windows\system32\AutoRun.inf

      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_TDIDRV32.SYS


      (((((((((((((((((((((((((   Files Created from 2009-01-25 to 2009-02-25  )))))))))))))))))))))))))))))))
      .

      2009-02-25 13:42 . 2009-02-25 13:43   <DIR>   d--------   C:\Rooter$
      2009-02-25 13:22 . 2009-02-25 13:22   <DIR>   d--------   c:\program files\VS Revo Group
      2009-02-25 08:34 . 2009-01-09 14:19   1,089,593   ---------   c:\windows\system32\dllcache\ntprint.cat
      2009-02-24 08:45 . 2009-02-24 08:45   <DIR>   d--------   c:\program files\IrfanView
      2009-02-23 09:16 . 2009-02-23 09:17   <DIR>   d--------   C:\rsit
      2009-02-20 12:38 . 2009-02-20 12:42   <DIR>   d--------   c:\program files\Virtual Earth 3D
      2009-02-12 10:35 . 2009-02-12 10:36   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
      2009-02-12 10:35 . 2009-02-12 10:35   <DIR>   d--------   c:\documents and settings\Ralph Foster\Application Data\Malwarebytes
      2009-02-12 10:35 . 2009-02-12 10:35   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
      2009-02-12 10:35 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
      2009-02-12 10:35 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
      2009-02-12 09:47 . 2009-02-12 09:47   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
      2009-02-11 14:15 . 2009-02-11 14:15   <DIR>   d--------   c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
      2009-02-11 11:26 . 2009-02-11 12:04   <DIR>   d--------   c:\documents and settings\Ralph Foster\Application Data\HPAppData
      2009-02-10 12:18 . 2009-02-10 12:18   <DIR>   d--------   c:\windows\system32\XPSViewer
      2009-02-10 12:18 . 2009-02-10 12:18   <DIR>   d--------   c:\program files\Reference Assemblies
      2009-02-10 12:18 . 2009-02-10 12:18   <DIR>   d--------   c:\program files\MSBuild
      2009-02-10 12:17 . 2009-02-10 12:18   <DIR>   d--------   C:\13b34594bda98888c66450cc
      2009-02-10 12:17 . 2008-07-06 07:06   1,676,288   ---------   c:\windows\system32\xpssvcs.dll
      2009-02-10 12:17 . 2008-07-06 07:06   1,676,288   ---------   c:\windows\system32\dllcache\xpssvcs.dll
      2009-02-10 12:17 . 2008-07-06 05:50   597,504   ---------   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
      2009-02-10 12:17 . 2008-07-06 07:06   575,488   ---------   c:\windows\system32\xpsshhdr.dll
      2009-02-10 12:17 . 2008-07-06 07:06   575,488   ---------   c:\windows\system32\dllcache\xpsshhdr.dll
      2009-02-10 12:17 . 2008-07-06 07:06   117,760   ---------   c:\windows\system32\prntvpt.dll
      2009-02-10 12:17 . 2008-07-06 07:06   89,088   ---------   c:\windows\system32\dllcache\filterpipelineprintproc.dll
      2009-02-10 12:16 . 2009-02-10 12:26   <DIR>   d--------   c:\windows\SxsCaPendDel
      2009-02-10 07:58 . 2009-02-10 07:58   <DIR>   d--------   c:\program files\MWSnap
      2009-02-07 14:11 . 2009-02-07 14:11   <DIR>   d--------   c:\windows\system32\Dell
      2009-02-02 11:28 . 2009-02-02 11:29   <DIR>   d--------   c:\documents and settings\Ralph Foster\Application Data\DriverCure
      2009-02-02 11:28 . 2009-02-02 11:28   <DIR>   d--------   c:\documents and settings\All Users\Application Data\ParetoLogic
      2009-02-02 11:28 . 2009-02-02 11:32   <DIR>   d--------   c:\documents and settings\All Users\Application Data\DriverCure
      2009-01-29 10:43 . 2009-01-29 10:49   <DIR>   d--------   c:\program files\Eusing Free Registry Cleaner
      2009-01-26 11:05 . 2009-01-26 11:05   <DIR>   d--------   c:\program files\Common Files\Adobe AIR
      2009-01-26 10:50 . 2009-01-26 10:50   <DIR>   d--------   c:\program files\NOS
      2009-01-26 10:50 . 2009-01-26 10:50   <DIR>   d--------   c:\documents and settings\All Users\Application Data\NOS
      2009-01-26 08:04 . 2009-01-26 08:05   <DIR>   d--------   c:\program files\QuickTime
      2009-01-26 08:04 . 2009-01-26 08:04   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple Computer

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2009-02-25 14:21   ---------   d-----w   c:\program files\Java
      2009-02-24 13:01   ---------   d-----w   c:\documents and settings\Ralph Foster\Application Data\WeatherWatcherLive
      2009-02-14 13:04   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg8
      2009-02-12 16:08   ---------   d-----w   c:\program files\Trend Micro
      2009-02-12 14:47   ---------   d-----w   c:\program files\SUPERAntiSpyware
      2009-02-12 14:47   ---------   d-----w   c:\documents and settings\Ralph Foster\Application Data\SUPERAntiSpyware.com
      2009-02-12 14:31   ---------   d-----w   c:\program files\Spybot - Search & Destroy
      2009-02-12 14:28   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
      2009-02-11 19:26   162   ----a-w   c:\documents and settings\Ralph Foster\Application Data\wklnhst.dat
      2009-02-11 18:51   ---------   d-----w   c:\program files\Logitech
      2009-02-11 16:18   ---------   d-----w   c:\program files\HP
      2009-02-09 17:06   ---------   d-----w   c:\program files\Google
      2009-02-09 17:02   ---------   d-----w   c:\program files\Lavasoft
      2009-02-08 20:02   ---------   d-----w   c:\documents and settings\Ralph Foster\Application Data\IObit
      2009-02-07 19:11   ---------   d-----w   c:\program files\Dell
      2009-02-03 13:11   325,128   ----a-w   c:\windows\system32\drivers\avgldx86.sys
      2009-02-03 13:11   107,272   ----a-w   c:\windows\system32\drivers\avgtdix.sys
      2009-02-02 16:08   ---------   d-----w   c:\program files\CCleaner
      2009-01-29 12:32   ---------   d-----w   c:\program files\Weather Watcher Live
      2009-01-26 16:05   ---------   d-----w   c:\program files\Common Files\Adobe
      2009-01-20 13:45   ---------   d-----w   c:\program files\Microsoft Baseline Security Analyzer 2
      2009-01-20 13:28   ---------   d-----w   c:\program files\Secunia
      2009-01-19 21:49   ---------   d-----w   c:\program files\TLCN2007
      2009-01-19 15:04   ---------   d-----w   c:\program files\IObit
      2009-01-14 14:02   ---------   d-----w   c:\program files\Uniblue
      2009-01-10 14:11   0   ----a-w   c:\windows\system32\drivers\lvuvc.hs
      2009-01-10 14:11   0   ----a-w   c:\windows\system32\drivers\logiflt.iad
      2008-12-31 13:17   ---------   d-----w   c:\program files\Common Files\Logitech
      2008-12-29 11:48   ---------   d-----w   c:\program files\Common Files\LogiShrd
      2008-12-29 11:44   ---------   d-----w   c:\documents and settings\All Users\Application Data\Logishrd
      2008-12-27 12:57   ---------   d-----w   c:\documents and settings\Ralph Foster\Application Data\Move Networks
      2007-12-17 18:08   534   ----a-w   c:\documents and settings\Sandra Foster\Application Data\wklnhst.dat
      2008-10-08 00:16   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100720081008\index.dat
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
      "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2008-09-19 4347120]
      "WeatherWatcherLive"="c:\program files\Weather Watcher Live\ww.exe" [2009-01-28 1171456]
      "Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-24 185896]
      "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
      "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
      "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
      "ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2004-07-27 81920]
      "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
      "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 202544]
      "Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-08-03 1032192]
      "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
      "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-03 1601304]
      "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
      "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
      "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-12 148888]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
      "RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

      c:\documents and settings\Ralph Foster\Start Menu\Programs\Startup\
      Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-12-17 748840]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
      2009-02-03 08:11 10520 c:\windows\system32\avgrsstx.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
      "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
      "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
      "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
      "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
      "c:\\WINDOWS\\system32\\mmc.exe"=

      R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-10 325128]
      R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-10 107272]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
      R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-04 903960]
      R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 298264]
      R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
      S1 tcyazfq;tcyazfq;\??\c:\windows\system32\uwzfqas.sys --> c:\windows\system32\uwzfqas.sys [?]
      S1 uwzfqas;uwzfqas;\??\øc --> øc [?]
      S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-26 33752]
      S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
      S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
      hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
      .
      Contents of the 'Scheduled Tasks' folder

      2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

      2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
      - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

      2009-02-25 c:\windows\Tasks\MP Scheduled Scan.job
      - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
      .
      - - - - ORPHANS REMOVED - - - -

      BHO-{52217D1A-11A9-9B1F-8CDB-BA7F100E616C} - (no file)
      WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


      .
      ------- Supplementary Scan -------
      .
      uInternet Connection Wizard,ShellNext = iexplore
      IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
      IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
      IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
      TCP: {0F34B328-516A-44EF-B7D7-E1016ACA898F} = 68.28.242.91 68.28.250.92
      .

      **************************************************************************

      catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2009-02-25 14:13:36
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************

      [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uwzfqas]
      "ImagePath"="\??\øc\08"
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_USERS\S-1-5-21-2969014591-1171066246-3971638899-1006\Software\Microsoft\SystemCertificates\AddressBook*]
      @Allowed: (Read) (RestrictedCode)
      @Allowed: (Read) (RestrictedCode)
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(576)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll
      c:\windows\system32\Ati2evxx.dll
      c:\windows\System32\BCMLogon.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\windows\system32\WLTRYSVC.EXE
      c:\windows\system32\BCMWLTRY.EXE
      c:\windows\system32\scardsvr.exe
      c:\windows\system32\msdtc.exe
      c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
      c:\windows\system32\dllhost.exe
      c:\windows\ehome\ehrecvr.exe
      c:\windows\ehome\ehSched.exe
      c:\windows\system32\spool\drivers\w32x86\3\HPBPRO.EXE
      c:\windows\system32\spool\drivers\w32x86\3\HPBOID.EXE
      c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
      c:\program files\Java\jre6\bin\jqs.exe
      c:\program files\Common Files\LightScribe\LSSrvc.exe
      c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
      c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
      c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      c:\windows\system32\msiexec.exe
      c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
      c:\windows\system32\sessmgr.exe
      c:\program files\AVG\AVG8\avgrsx.exe
      c:\progra~1\AVG\AVG8\avgnsx.exe
      c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
      c:\program files\Dell Support Center\bin\sprtsvc.exe
      c:\windows\system32\dllhost.exe
      c:\windows\system32\vssvc.exe
      c:\program files\Windows Live\installer\WLSetupSvc.exe
      c:\windows\system32\wbem\wmiapsrv.exe
      c:\program files\Windows Media Player\wmpnetwk.exe
      c:\windows\ehome\mcrdsvc.exe
      c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE
      c:\program files\AVG\AVG8\avgcsrvx.exe
      c:\windows\system32\wscntfy.exe
      c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
      c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
      .
      **************************************************************************
      .
      Completion time: 2009-02-25 14:17:32 - machine was rebooted
      ComboFix-quarantined-files.txt  2009-02-25 19:17:14

      Pre-Run: 47,678,504,960 bytes free
      Post-Run: 47,797,551,104 bytes free

      WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

      263   --- E O F ---   2009-02-25 14:49:10

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: At9
      « Reply #18 on: February 25, 2009, 12:46:22 PM »
      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillALL::

      Driver::
      tcyazfq
      uwzfqas

      Registry::
      [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uwzfqas]

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

      Also let me know how the computer is running now.
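      The two entries the CFScript above targets (tcyazfq and uwzfqas) stand out in the ComboFix log posted in Reply #17 for reasons a reviewer can check mechanically: both are marked [?] with no file date or size, one resolves to a path that is not a drive path at all (øc), and both carry lowercase, vowel-poor names that no vendor would ship. As an added example that is not part of this thread and not code from ComboFix or its author, here is a small Python triage script that parses the R*/S* service lines from such a log, scores each entry with those heuristics, and emits a CFScript in the same shape as the moderator's. It generalises the posted script slightly by emitting a Services key removal for every flagged name rather than only one. The sample lines are constructed from the log above, the scoring thresholds and the reading of the digit after R/S as the Windows service start type are my assumptions, and ControlSet001 is used because that is the key shown in the log.

```python
import re

# Constructed sample input: service lines taken from the ComboFix log in Reply #17,
# trimmed to three benign entries and the two rogue ones. Backslashes are doubled for Python.
SAMPLE_LOG = """\
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\\windows\\system32\\drivers\\avgldx86.sys [2008-06-10 325128]
R2 WinDefend;Windows Defender;c:\\program files\\Windows Defender\\MsMpEng.exe [2006-11-03 13592]
S1 tcyazfq;tcyazfq;\\??\\c:\\windows\\system32\\uwzfqas.sys --> c:\\windows\\system32\\uwzfqas.sys [?]
S1 uwzfqas;uwzfqas;\\??\\øc --> øc [?]
S3 PSI;PSI;c:\\windows\\system32\\drivers\\psi_mf.sys [2008-12-10 7808]
"""

# One ComboFix service line, as seen in the log:
#   <R|S><digit> <name>;<display name>;<image path> [<date size> | ?]
# Assumption: R = running, S = stopped, digit = Windows service start type (0 boot, 1 system, ...).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def parse_services(log_text):
    """Return one dict per service/driver line found in the log text, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def effective_path(raw_path):
    """The log prints 'stored path --> resolved path'; keep the resolved side and drop the \\??\\ NT prefix."""
    path = raw_path.split("-->")[-1].strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def looks_random(name):
    """Heuristic (assumed threshold): a lowercase, vowel-poor, vendor-casing-free name such as 'tcyazfq'."""
    if not (name.isalpha() and name.islower() and len(name) >= 6):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < 0.3


def assess(entry):
    """Score a parsed entry and explain the score; a score of 2 or more is treated as suspicious."""
    score, reasons = 0, []
    if entry["info"].strip() == "?":
        score += 2
        reasons.append("no file date/size recorded ([?]): image file not found on disk")
    path = effective_path(entry["path"])
    if not DRIVE_PATH_RE.match(path):
        score += 2
        reasons.append(f"image path is not a drive path: {path!r}")
    if looks_random(entry["name"]):
        score += 1
        reasons.append("service name looks machine-generated")
    return score, reasons


def flag_suspicious(log_text, threshold=2):
    """(name, reasons) for every service whose score reaches the threshold."""
    flagged = []
    for entry in parse_services(log_text):
        score, reasons = assess(entry)
        if score >= threshold:
            flagged.append((entry["name"], reasons))
    return flagged


def build_cfscript(names, control_set="ControlSet001"):
    """Emit a CFScript in the shape the moderator posted: Driver:: names, then Registry:: key removals."""
    lines = ["KillALL::", "", "Driver::"]
    lines.extend(names)
    lines += ["", "Registry::"]
    lines.extend(f"[-HKEY_LOCAL_MACHINE\\System\\{control_set}\\Services\\{n}]" for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = flag_suspicious(SAMPLE_LOG)
    for name, reasons in hits:
        print(f"{name}: " + "; ".join(reasons))
    print(build_cfscript([name for name, _ in hits]))
```

      Run against the sample, the script flags exactly tcyazfq and uwzfqas and prints a CFScript with both names under Driver:: and both Services keys under Registry::. The [?] marker alone is enough to reach the threshold, so a legitimately named driver whose file has simply been deleted would also be flagged; that is deliberate, since an orphaned boot-start service is worth a human look either way, and the reasons list tells the reviewer which signal fired.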

      Ralph12

        Topic Starter


        Rookie

        Re: At9
        « Reply #19 on: February 25, 2009, 01:56:45 PM »
        ComboFix 09-02-24.02 - Ralph Foster 2009-02-25 15:36:38.2 - NTFSx86
        Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1367 [GMT -5:00]
        Running from: c:\documents and settings\Ralph Foster\Desktop\ComboFix.exe
        Command switches used :: c:\documents and settings\Ralph Foster\Desktop\CFScript.txt
        AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
         * Created a new restore point
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        .
        (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        -------\Service_tcyazfq
        -------\Service_uwzfqas


        (((((((((((((((((((((((((   Files Created from 2009-01-25 to 2009-02-25  )))))))))))))))))))))))))))))))
        .

        2009-02-25 13:42 . 2009-02-25 13:43   <DIR>   d--------   C:\Rooter$
        2009-02-25 13:22 . 2009-02-25 13:22   <DIR>   d--------   c:\program files\VS Revo Group
        2009-02-25 08:34 . 2009-01-09 14:19   1,089,593   ---------   c:\windows\system32\dllcache\ntprint.cat
        2009-02-24 08:45 . 2009-02-24 08:45   <DIR>   d--------   c:\program files\IrfanView
        2009-02-23 09:16 . 2009-02-23 09:17   <DIR>   d--------   C:\rsit
        2009-02-20 12:38 . 2009-02-20 12:42   <DIR>   d--------   c:\program files\Virtual Earth 3D
        2009-02-12 10:35 . 2009-02-12 10:36   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
        2009-02-12 10:35 . 2009-02-12 10:35   <DIR>   d--------   c:\documents and settings\Ralph Foster\Application Data\Malwarebytes
        2009-02-12 10:35 . 2009-02-12 10:35   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
        2009-02-12 10:35 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
        2009-02-12 10:35 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
        2009-02-12 09:47 . 2009-02-12 09:47   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
        2009-02-11 14:15 . 2009-02-11 14:15   <DIR>   d--------   c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
        2009-02-11 11:26 . 2009-02-11 12:04   <DIR>   d--------   c:\documents and settings\Ralph Foster\Application Data\HPAppData
        2009-02-10 12:18 . 2009-02-10 12:18   <DIR>   d--------   c:\windows\system32\XPSViewer
        2009-02-10 12:18 . 2009-02-10 12:18   <DIR>   d--------   c:\program files\Reference Assemblies
        2009-02-10 12:18 . 2009-02-10 12:18   <DIR>   d--------   c:\program files\MSBuild
        2009-02-10 12:17 . 2009-02-10 12:18   <DIR>   d--------   C:\13b34594bda98888c66450cc
        2009-02-10 12:17 . 2008-07-06 07:06   1,676,288   ---------   c:\windows\system32\xpssvcs.dll
        2009-02-10 12:17 . 2008-07-06 07:06   1,676,288   ---------   c:\windows\system32\dllcache\xpssvcs.dll
        2009-02-10 12:17 . 2008-07-06 05:50   597,504   ---------   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
        2009-02-10 12:17 . 2008-07-06 07:06   575,488   ---------   c:\windows\system32\xpsshhdr.dll
        2009-02-10 12:17 . 2008-07-06 07:06   575,488   ---------   c:\windows\system32\dllcache\xpsshhdr.dll
        2009-02-10 12:17 . 2008-07-06 07:06   117,760   ---------   c:\windows\system32\prntvpt.dll
        2009-02-10 12:17 . 2008-07-06 07:06   89,088   ---------   c:\windows\system32\dllcache\filterpipelineprintproc.dll
        2009-02-10 12:16 . 2009-02-10 12:26   <DIR>   d--------   c:\windows\SxsCaPendDel
        2009-02-10 07:58 . 2009-02-10 07:58   <DIR>   d--------   c:\program files\MWSnap
        2009-02-07 14:11 . 2009-02-07 14:11   <DIR>   d--------   c:\windows\system32\Dell
        2009-02-02 11:28 . 2009-02-02 11:29   <DIR>   d--------   c:\documents and settings\Ralph Foster\Application Data\DriverCure
        2009-02-02 11:28 . 2009-02-02 11:28   <DIR>   d--------   c:\documents and settings\All Users\Application Data\ParetoLogic
        2009-02-02 11:28 . 2009-02-02 11:32   <DIR>   d--------   c:\documents and settings\All Users\Application Data\DriverCure
        2009-01-29 10:43 . 2009-01-29 10:49   <DIR>   d--------   c:\program files\Eusing Free Registry Cleaner
        2009-01-26 11:05 . 2009-01-26 11:05   <DIR>   d--------   c:\program files\Common Files\Adobe AIR
        2009-01-26 10:50 . 2009-01-26 10:50   <DIR>   d--------   c:\program files\NOS
        2009-01-26 10:50 . 2009-01-26 10:50   <DIR>   d--------   c:\documents and settings\All Users\Application Data\NOS
        2009-01-26 08:04 . 2009-01-26 08:05   <DIR>   d--------   c:\program files\QuickTime
        2009-01-26 08:04 . 2009-01-26 08:04   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple Computer

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2009-02-25 19:17   ---------   d-----w   c:\documents and settings\Ralph Foster\Application Data\WeatherWatcherLive
        2009-02-25 14:21   ---------   d-----w   c:\program files\Java
        2009-02-14 13:04   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg8
        2009-02-12 16:08   ---------   d-----w   c:\program files\Trend Micro
        2009-02-12 14:47   ---------   d-----w   c:\program files\SUPERAntiSpyware
        2009-02-12 14:47   ---------   d-----w   c:\documents and settings\Ralph Foster\Application Data\SUPERAntiSpyware.com
        2009-02-12 14:31   ---------   d-----w   c:\program files\Spybot - Search & Destroy
        2009-02-12 14:28   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
        2009-02-11 19:26   162   ----a-w   c:\documents and settings\Ralph Foster\Application Data\wklnhst.dat
        2009-02-11 18:51   ---------   d-----w   c:\program files\Logitech
        2009-02-11 16:18   ---------   d-----w   c:\program files\HP
        2009-02-09 17:06   ---------   d-----w   c:\program files\Google
        2009-02-09 17:02   ---------   d-----w   c:\program files\Lavasoft
        2009-02-08 20:02   ---------   d-----w   c:\documents and settings\Ralph Foster\Application Data\IObit
        2009-02-07 19:11   ---------   d-----w   c:\program files\Dell
        2009-02-03 13:11   325,128   ----a-w   c:\windows\system32\drivers\avgldx86.sys
        2009-02-03 13:11   107,272   ----a-w   c:\windows\system32\drivers\avgtdix.sys
        2009-02-02 16:08   ---------   d-----w   c:\program files\CCleaner
        2009-01-29 12:32   ---------   d-----w   c:\program files\Weather Watcher Live
        2009-01-26 16:05   ---------   d-----w   c:\program files\Common Files\Adobe
        2009-01-20 13:45   ---------   d-----w   c:\program files\Microsoft Baseline Security Analyzer 2
        2009-01-20 13:28   ---------   d-----w   c:\program files\Secunia
        2009-01-19 21:49   ---------   d-----w   c:\program files\TLCN2007
        2009-01-19 15:04   ---------   d-----w   c:\program files\IObit
        2009-01-14 14:02   ---------   d-----w   c:\program files\Uniblue
        2009-01-10 14:11   0   ----a-w   c:\windows\system32\drivers\lvuvc.hs
        2009-01-10 14:11   0   ----a-w   c:\windows\system32\drivers\logiflt.iad
        2008-12-31 13:17   ---------   d-----w   c:\program files\Common Files\Logitech
        2008-12-29 11:48   ---------   d-----w   c:\program files\Common Files\LogiShrd
        2008-12-29 11:44   ---------   d-----w   c:\documents and settings\All Users\Application Data\Logishrd
        2008-12-27 12:57   ---------   d-----w   c:\documents and settings\Ralph Foster\Application Data\Move Networks
        2007-12-17 18:08   534   ----a-w   c:\documents and settings\Sandra Foster\Application Data\wklnhst.dat
        2008-10-08 00:16   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100720081008\index.dat
        .

        (((((((((((((((((((((((((((((   SnapShot@2009-02-25_14.16.24.04   )))))))))))))))))))))))))))))))))))))))))
        .
        + 2009-02-25 20:40:50   16,384   ----atw   c:\windows\temp\Perflib_Perfdata_214.dat
        + 2009-02-25 20:40:49   16,384   ----atw   c:\windows\temp\Perflib_Perfdata_7b4.dat
        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
        "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2008-09-19 4347120]
        "WeatherWatcherLive"="c:\program files\Weather Watcher Live\ww.exe" [2009-01-28 1171456]
        "Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-24 185896]
        "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
        "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
        "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
        "ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2004-07-27 81920]
        "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
        "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 202544]
        "Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-08-03 1032192]
        "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
        "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-03 1601304]
        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
        "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
        "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-12 148888]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
        "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
        "RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

        c:\documents and settings\Ralph Foster\Start Menu\Programs\Startup\
        Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-12-17 748840]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
        2009-02-03 08:11 10520 c:\windows\system32\avgrsstx.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
        "c:\\Program Files\\Messenger\\msmsgs.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
        "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
        "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
        "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
        "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
        "c:\\WINDOWS\\system32\\mmc.exe"=

        R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-10 325128]
        R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-10 107272]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
        R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-04 903960]
        R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 298264]
        R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
        S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-26 33752]
        S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
        HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
        hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
        .
        Contents of the 'Scheduled Tasks' folder

        2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

        2009-02-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
        - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

        2009-02-25 c:\windows\Tasks\MP Scheduled Scan.job
        - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
        .
        - - - - ORPHANS REMOVED - - - -

        WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


        .
        ------- Supplementary Scan -------
        .
        uInternet Connection Wizard,ShellNext = iexplore
        IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
        IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
        IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
        TCP: {0F34B328-516A-44EF-B7D7-E1016ACA898F} = 68.28.242.91 68.28.250.92
        .

        **************************************************************************

        catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2009-02-25 15:45:10
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_USERS\S-1-5-21-2969014591-1171066246-3971638899-1006\Software\Microsoft\SystemCertificates\AddressBook*]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(576)
        c:\program files\SUPERAntiSpyware\SASWINLO.dll
        c:\windows\system32\Ati2evxx.dll
        c:\windows\System32\BCMLogon.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\windows\system32\WLTRYSVC.EXE
        c:\windows\system32\BCMWLTRY.EXE
        c:\windows\system32\scardsvr.exe
        c:\windows\system32\msdtc.exe
        c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
        c:\windows\system32\dllhost.exe
        c:\windows\ehome\ehrecvr.exe
        c:\windows\ehome\ehSched.exe
        c:\windows\system32\spool\drivers\w32x86\3\HPBPRO.EXE
        c:\windows\system32\spool\drivers\w32x86\3\HPBOID.EXE
        c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
        c:\program files\Java\jre6\bin\jqs.exe
        c:\program files\Common Files\LightScribe\LSSrvc.exe
        c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
        c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
        c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
        c:\windows\system32\msiexec.exe
        c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
        c:\program files\AVG\AVG8\avgrsx.exe
        c:\progra~1\AVG\AVG8\avgnsx.exe
        c:\windows\system32\sessmgr.exe
        c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
        c:\program files\Dell Support Center\bin\sprtsvc.exe
        c:\windows\system32\dllhost.exe
        c:\windows\system32\vssvc.exe
        c:\program files\Windows Live\installer\WLSetupSvc.exe
        c:\windows\system32\wbem\wmiapsrv.exe
        c:\windows\ehome\mcrdsvc.exe
        c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE
        c:\program files\Windows Media Player\wmpnetwk.exe
        c:\program files\AVG\AVG8\avgcsrvx.exe
        c:\windows\system32\wscntfy.exe
        c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
        c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
        .
        **************************************************************************
        .
        Completion time: 2009-02-25 15:48:52 - machine was rebooted [Ralph Foster]
        ComboFix-quarantined-files.txt  2009-02-25 20:48:48
        ComboFix2.txt  2009-02-25 19:17:34

        Pre-Run: 47,817,404,416 bytes free
        Post-Run: 47,806,996,480 bytes free

        258   --- E O F ---   2009-02-25 14:49:10


        It seemed to be a little better but I wasn't paying close attention, sorry. At least this time my Sprint air card worked after boot-up from ComboFix; the last time I had to reboot.

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: At9
        « Reply #20 on: February 25, 2009, 02:03:56 PM »
        Do you still have these programs installed?

        2009-02-02 11:28 . 2009-02-02 11:29   <DIR>   d--------   c:\documents and settings\Ralph Foster\Application Data\DriverCure
        2009-02-02 11:28 . 2009-02-02 11:28   <DIR>   d--------   c:\documents and settings\All Users\Application Data\ParetoLogic
        2009-02-02 11:28 . 2009-02-02 11:32   <DIR>   d--------   c:\documents and settings\All Users\Application Data\DriverCure
        2009-01-29 10:43 . 2009-01-29 10:49   <DIR>   d--------   c:\program files\Eusing Free Registry Cleaner

        Ralph12

          Topic Starter


          Rookie

          Re: At9
          « Reply #21 on: February 25, 2009, 02:28:13 PM »
          I did not find Driver Cure in c:\documents and settings\Ralph Foster\Application Data\DriverCure
          I did find Driver Cure in c:\documents and settings\Ralph Foster\Application Data\DriverCure
          and I did find ParetoLogic in c:\documents and settings\All Users\Application Data\ParetoLogic

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: At9
          « Reply #22 on: February 25, 2009, 03:01:18 PM »
          What I need to know is: did you uninstall them?

          The files are there but the programs aren't in the Add/Remove Programs list and we can remove the folders with the next fix. Those aren't trusted programs.

          Ralph12

            Topic Starter


            Rookie

            Re: At9
            « Reply #23 on: February 25, 2009, 03:07:39 PM »
            If I did uninstall them, I don't remember doing it.

            evilfantasy

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Calm like a bomb
            • Thanked: 493
            • Experience: Experienced
            • OS: Windows 11
            Re: At9
            « Reply #24 on: February 25, 2009, 03:18:41 PM »
            OK no problem.

            Download the OTMoveIt3 by OldTimer

            Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

            * Save it to your Desktop.
            * Double-click OTMoveIt3.exe to run it.
            * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

            Code:
            :Processes
            explorer.exe

            :files
            C:\Rooter$
            c:\documents and settings\Ralph Foster\Application Data\DriverCure
            c:\documents and settings\All Users\Application Data\ParetoLogic
            c:\documents and settings\All Users\Application Data\DriverCure

            :Commands
            [purity]
            [emptytemp]
            [start explorer]
            [Reboot]

            * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
            * Click the red Moveit! button.
            * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
            * Close OTMoveIt3

            Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

            ----------

            After posting the OTMoveIt3 log:

            Use the Kaspersky Lab Online Scanner

            In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

            • Click on SCAN NOW
            • Click Accept.
            • The program will then begin downloading the latest definition files.
            • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
            • The scan will take a while, so be patient and let it finish.
            When the scan is done, in the Scan is complete window, any infection is displayed.
            There is no option to clean/disinfect, however, we need to analyze the information on the report.

            To obtain the report:
            • Click on: Save Report As
            • Next, in the Save as prompt, Save in area, select: Desktop.
            • In the File name area use KScan, or something similar.
            • In Save as type: click the drop arrow and select: Text file [*.txt]
            • Then, click: Save

            Copy and paste the Kaspersky Online Scanner Report in your next reply.

            Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
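The OTMoveIt3 script above is a small move list; as an added illustration that is not part of the thread or of OldTimer's tool, the Python below models what such a script does: it parses the :Processes / :files / :Commands sections and moves the listed paths into a quarantine folder rather than deleting them, recording any path that cannot be moved for a retry after reboot, which is what the "scheduled to be deleted on reboot" lines in this thread report. It runs only against a throwaway sandbox directory created by demo(), and its log wording is an approximation of OTMoveIt3's, not the tool's own.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# The script posted in the thread, used here as constructed sample input.
SAMPLE_SCRIPT = r""":Processes
explorer.exe
:files
C:\Rooter$
c:\documents and settings\Ralph Foster\Application Data\DriverCure
c:\documents and settings\All Users\Application Data\ParetoLogic
c:\documents and settings\All Users\Application Data\DriverCure
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
"""


@dataclass
class MovePlan:
    processes: list = field(default_factory=list)  # processes to stop first
    files: list = field(default_factory=list)      # paths to quarantine
    commands: list = field(default_factory=list)   # actions to run afterwards


def parse_otm_script(text: str) -> MovePlan:
    """Split the script into its :Processes / :files / :Commands sections."""
    plan, section = MovePlan(), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(":"):            # section header, case-insensitive
            section = line[1:].lower()
        elif section == "processes":
            plan.processes.append(line)
        elif section == "files":
            plan.files.append(line)
        elif section == "commands":
            plan.commands.append(line.strip("[]").lower())
        else:
            raise ValueError(f"line outside any known section: {line!r}")
    return plan


def quarantine(paths: list, quarantine_dir: str):
    """Move each path into quarantine_dir (restorable if it was a false positive);
    a path that cannot be moved, e.g. because it is locked, is recorded as
    pending so it can be retried after a reboot. Log wording is approximate."""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved, pending, log = [], [], []
    for path in paths:
        try:
            shutil.move(path, os.path.join(quarantine_dir, os.path.basename(path)))
            moved.append(path)
            log.append(f"{path} moved successfully.")
        except FileNotFoundError:
            log.append(f"{path} not found.")
        except OSError:
            pending.append(path)
            log.append(f"File move failed. {path} scheduled to be moved on reboot.")
    return moved, pending, log


def demo() -> dict:
    """Run the plan against a throwaway sandbox directory, never a real C: drive."""
    root = tempfile.mkdtemp(prefix="otm_demo_")
    present = os.path.join(root, "DriverCure")
    os.makedirs(present)
    moved, pending, log = quarantine([present, os.path.join(root, "Absent")],
                                     os.path.join(root, "_OTMoveIt"))
    return {"plan": parse_otm_script(SAMPLE_SCRIPT), "moved": moved,
            "pending": pending, "log": log,
            "quarantined": os.path.isdir(os.path.join(root, "_OTMoveIt", "DriverCure"))}
```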


            Ralph12

              Topic Starter


              Rookie

              Re: At9
              « Reply #25 on: February 26, 2009, 06:27:06 AM »
              User's Internet Explorer cache folder emptied.
              Local Service Temp folder emptied.
              File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
              Local Service Temporary Internet Files folder emptied.
              File delete failed. C:\WINDOWS\temp\logishrd\LVPrcInj01.dll scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\17f61245-07e3-469b-a2fb-502424def491.tmp scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\6e06df26-ce89-42db-a5e2-8cdee3153178.tmp scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\7c2bf409-ac90-4f5d-a396-5b5f8ad54103.tmp scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\bb4c1f81-7c15-4d3a-b86e-eb0c8c516379.tmp scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_340.dat scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7e4.dat scheduled to be deleted on reboot.
              Windows Temp folder emptied.
              Java cache emptied.
              Temp folders emptied.
              Explorer started successfully
               
              OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02262009_081119

              This log came up after I rebooted I didn't know if you needed it or not so I am sending it also

              User's Internet Explorer cache folder emptied.
              Local Service Temp folder emptied.
              File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
              Local Service Temporary Internet Files folder emptied.
              File delete failed. C:\WINDOWS\temp\logishrd\LVPrcInj01.dll scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\17f61245-07e3-469b-a2fb-502424def491.tmp scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\6e06df26-ce89-42db-a5e2-8cdee3153178.tmp scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\7c2bf409-ac90-4f5d-a396-5b5f8ad54103.tmp scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\bb4c1f81-7c15-4d3a-b86e-eb0c8c516379.tmp scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_340.dat scheduled to be deleted on reboot.
              File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7e4.dat scheduled to be deleted on reboot.
              Windows Temp folder emptied.
              Java cache emptied.
              Temp folders emptied.
              Explorer started successfully
               
              OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02262009_081119

              evilfantasy

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Calm like a bomb
              • Thanked: 493
              • Experience: Experienced
              • OS: Windows 11
              Re: At9
              « Reply #26 on: February 26, 2009, 09:37:42 AM »
              What about the Kaspersky scan?

              Ralph12

                Topic Starter


                Rookie

                Re: At9
                « Reply #27 on: February 26, 2009, 10:05:47 AM »
                --------------------------------------------------------------------------------
                KASPERSKY ONLINE SCANNER 7 REPORT
                 Thursday, February 26, 2009
                 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
                 Kaspersky Online Scanner 7 version: 7.0.25.0
                 Program database last update: Thursday, February 26, 2009 11:42:48
                 Records in database: 1847735
                --------------------------------------------------------------------------------

                Scan settings:
                   Scan using the following database: extended
                   Scan archives: yes
                   Scan mail databases: yes

                Scan area - My Computer:
                   C:\
                   D:\

                Scan statistics:
                   Files scanned: 88634
                   Threat name: 0
                   Infected objects: 0
                   Suspicious objects: 0
                   Duration of the scan: 01:02:51

                No malware has been detected. The scan area is clean.

                The selected area was scanned.

                evilfantasy

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Calm like a bomb
                • Thanked: 493
                • Experience: Experienced
                • OS: Windows 11
                Re: At9
                « Reply #28 on: February 26, 2009, 10:06:18 AM »
                Looks OK. How is the computer running now?

                Ralph12

                  Topic Starter


                  Rookie

                  Re: At9
                  « Reply #29 on: February 26, 2009, 10:21:37 AM »
                  I still get at startup the message that a scheduled task did not start at the scheduled time. I just went into the Scheduled Tasks folder and found one that I thought I had changed but hadn't. I will shut down and let you know if it still pops up.
                  Thank you for your patience and help so far.