
Topic: Nasty virus


kviez


    Nasty virus
    « on: September 11, 2009, 12:10:36 AM »
    Hello,

    I have a Dell laptop with Windows XP, Media Center Edition, version 2002, Service Pack 3, with 1 GB of RAM. I use AVG Free 8.5 for virus protection. I have SuperAntiSpyware Free Edition. Also, I have Malwarebytes. I also scan with Ad-Aware. I have Online Armor for a firewall. If that is not enough info on my system please let me know.

    With all of that I am still in serious trouble. Two days ago I started getting what I assumed were phony security alert messages. I rebooted in safe mode and tried to run scans. AVG scanned and showed that trojans and other harmful programs were removed, but my other scans were shut down before completion. When I rebooted the problem was still there. I tried safe mode again and again; occasionally my computer would open, other times it would freeze. I have the log from the AVG scan if that would help, but it has been a few days and additional problems have come up.

    As I searched your site for self-help answers on my desktop I continued to try safe mode and new scans on my laptop. I cannot get online on my laptop and all scans shut down before completion. I now have a new program installed called Windows Police Pro and I am unable to open almost all programs. I cannot open Add/Remove Programs or even Windows Explorer. I get this error message: C:\WINDOWS\explorer.exe. My laptop will not shut down unless I hold the power button for a few seconds.

    Is this enough information to get started?

    Karnac



      Re: Nasty virus
      « Reply #1 on: September 11, 2009, 05:42:03 AM »
      You'll have to go here:

      http://www.computerhope.com/forum/index.php/topic,46313.0.html

      If you've lost your connection, download the programs to a USB stick on a good PC and transfer them to your PC.
      If you have difficulty, you may have to run them in safe mode (tap F8 at startup).
      If you have difficulty, you may have to rename the programs when you save them.
      If you get stuck on a step, proceed to the next one.

      Post the logs for steps 3, 4 and 6.


      Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

      kviez


        Re: Nasty virus
        « Reply #2 on: September 14, 2009, 11:18:04 PM »
        Thank you for the help so far.

        I saved SuperAntiSpyware, MBAM, CCleaner Slim, and HJT to a memory stick. I then opened my laptop in safe mode. Black boxes with blue bars across the top came up and then went away. The first read “C:\WINDOWS\system32\NTVDM.exe” in the blue bar. The body of the box was empty. The second read “C:\WINDOWS\system32\desote.exe”.

        I noticed a new icon on my desktop titled “R140747.exe”. I tried to remove this in Add/Remove Programs. When I tried to open “Add/Remove Programs” I got an error message titled: C:\WINDOWS\system32\rundll.exe.

        I tried to open SuperAntiSpyware and a box came up with a blue bar across the top that read “C:\WINDOWS\system32\desote.exe”. Another box came up over the top of the last one and it read “16 bit MS-DOS subsystem” in the top blue bar. The internal message bar read: C:\WINDOWS\system32\desote.exe, with an error message of “The NTVDM CPU has encountered an illegal instruction.

        CS:0de 8 1D OP: ff ff ff ff ff. Choose ‘Close’ to terminate the application.” Below the message were two options to click, ‘Close’ and ‘Ignore’.

        I received the same message when I tried to open MBAM, HJT, and CCleaner.

        I rebooted in normal mode, tried to run the programs and received an error message each time that looked like this: F:\ccsetup223_slim.exe

        At one point in normal mode a box appeared with the blue bar reading “svchose.exe” and the message “svdhost.exe has encountered a problem and needs to close”. I renamed the files, but kept getting the same error message; the only thing different was the file name.

        While in normal mode “Windows Police Pro” kept automatically starting up. At one point I counted seven sessions along the bottom bar.

        I re-booted in safe mode and tried to open the files with changed names. This time a black box with a blue bar across the top would pop up, but disappear before I could read it.

        I am not sure if this will help, but about two months ago I backed up my whole system to an external hard drive.

        I hope the info that I provided above is useful. Thanks for taking the time to help me. I really am a novice here and I appreciate any help that you have to offer.


        SuperDave

        Re: Nasty virus
        « Reply #3 on: September 19, 2009, 07:59:20 AM »
        Hello Kviez. Welcome to Computer Hope Forum. Sorry for the mixup and delay in getting to your post. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I'm working under the guidance of one of the Malware experts on this forum so it may take a bit longer to fix your problem but not too long.

        Use the following instructions to remove Windows Police Pro (Uninstall instructions)

        1. Remove Windows Police Pro main components.
        Please download OTM by OldTimer from here to your desktop.
        Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.
        * Save it to your Desktop.
        * Double-click OTM.exe to run it.
        * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

        Code:
        :Processes
        explorer.exe
        svchasts.exe
        windows Police Pro.exe

        :services
        AntipPro2009_100

        :reg
        [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76DC0B63-1533-4ba9-8BE8-D59EB676FA02}]

        :files
        %windir%\system32\desote.exe
        %windir%\system32\dddesot.dll
        %windir%\svchasts.exe
        %ProgramFiles%\Windows Police Pro

        :Commands
        [purity]
        [emptytemp]
        [start explorer]
        [Reboot]

        Return to OTM, right-click in the “Paste Instructions for Items to be Moved” window (under the yellow bar) and choose Paste.

        Click the red Moveit! button.

        * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
        Close OTM

        Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

        2. Repair running .exe files.
        Click Start, Run. Type command and press Enter. Type notepad and press Enter.
        Notepad opens. Copy all the text below into Notepad.

        Code:
        Windows Registry Editor Version 5.00
        [HKEY_CLASSES_ROOT\exefile\shell\open\command]
        @="\"%1\" %*"

        Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
        Double-click fix.reg and click Yes to confirm.
        Reboot your computer.

        3. Remove Windows Police Pro associated malware.

        Download Malwarebytes Anti-Malware (MBAM) from here. Close all programs and windows on your computer.

        Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.

        If an update is found, it will download and install the latest version.

        Select Perform Quick Scan, then click Scan; it will start scanning your computer for the Windows Police Pro infection. This procedure can take some time, so please be patient.

        When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items.

        Make sure that everything is checked, and click Remove Selected to start the Windows Police Pro removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
        In your next post please include the OTM results and the MBAM log.
        Windows 8 and Windows 10 dual boot with two SSD's
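Step 2 above restores the default `exefile` open handler, which is the registry value a rogue program edits so that every .exe launch (including the removal tools) is routed through itself first. As an added example, not part of SuperDave's post and not code from OTM, ComboFix or Malwarebytes, the following Python parses a `.reg` export of that key and reports whether the handler is the stock `"%1" %*`, points at some other program, or is missing altogether (a broken exefile association is also consistent with the “Open with” prompt reported later in this thread). The three `.reg` texts are constructed for the example; the hijacked one uses a placeholder path, not a real indicator.

```python
import re

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED_HANDLER = '"%1" %*'   # stock value: run the .exe itself with its own arguments

# Constructed sample 1: the fix.reg text from step 2 of the thread (clean handler).
CLEAN_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample 2: a hijacked handler; every .exe launch goes through another
# program first.  The path is a placeholder, not a real indicator from this thread.
HIJACKED_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\guard.exe\" \"%1\" %*"
'''

# Constructed sample 3: the key exists but its default value has been deleted.
MISSING_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
'''

# One REG_SZ value line:  @="data"  or  "name"="data"  with .reg escaping inside.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')


def _unescape(s):
    """Undo .reg string escaping: a backslash quotes the character after it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Minimal .reg parser returning {key path: {value name: string data}}.

    Only REG_SZ values are handled, which is all this check needs; hex:/dword:
    lines are ignored.  This is a simplified parser written for the example,
    not Microsoft's."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(4))
    return keys


def check_exefile_handler(reg_text):
    """Return (status, handler); status is 'ok', 'hijacked' or 'missing'."""
    handler = parse_reg(reg_text).get(EXEFILE_KEY, {}).get("")
    if handler is None:
        return "missing", None
    if handler == EXPECTED_HANDLER:
        return "ok", handler
    return "hijacked", handler


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG),
                          ("missing", MISSING_REG)):
        print(label, "->", check_exefile_handler(sample))
```

On a live machine the input would come from `reg export HKCR\exefile\shell\open\command out.reg` run on the suspect system (or from the offline hive of a rescue-CD boot); the check itself is the same. A "hijacked" result is what step 2's fix.reg repairs, and the handler string it reports tells you which program was being inserted in front of every launch.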

        kviez


          Re: Nasty virus
          « Reply #4 on: September 20, 2009, 12:11:55 PM »
          SD,

          You can call me Karen.  I really appreciate your help. 

          Okay, I cannot get online on my laptop. I downloaded OTM to my uninfected desktop and then moved it to a memory stick. I powered up my laptop and tried to open OTM from my memory stick and received the following error message:

          Error
          “F:\OTM.exe” with an OK box to check.

          A message box popped up along the bottom right, similar to the “you have lost your connection” or “Windows updates are ready to be installed” messages. This stated: “Running of application is impossible the file OTM.exe is infected.”

           I then moved OTM to my desktop, tried to open it and received the following message:

          Error
          “C:\Documents and Settings\James Robinson\Desktop.OTM.exe”  with an OK box to click

          Another error message came up and I am not sure what triggered it.

          Error
          “C:\WINDOWS\System32\regsvr32.exe”  /s C:\WINDOWS\Temp~19dll

          I then tried to turn off my laptop; as everything was powering down Windows Police Pro popped up and began its phony scan. I had to hold down the power button in order to turn it off.

          Next I rebooted in safe mode.  OTM.exe was no longer on my desktop.  I moved OTM.exe to my desktop once again from my memory stick.  When I tried to open it a black message box would appear and then go away very quickly.  In the blue space at the top of the box this was written:

          C:\WINDOWS\System32\desote.exe

          I could go no further with your instructions.  Let me know if there is a way for me to proceed.

          Thanks again for your help!

          Karen


          SuperDave

          Re: Nasty virus
          « Reply #5 on: September 20, 2009, 05:24:11 PM »
          Hi Karen. I sometimes have problems transferring programs with a memory stick. Can you try burning OTM to a CD-RW and see how that works?

          kviez


            Re: Nasty virus
            « Reply #6 on: September 20, 2009, 06:34:31 PM »
            SD,

            I tried like you said from CD-RW. I had the same result.

            Error
            “C:\Documents and Settings\James Robinson\Desktop.OTM.exe”  with an OK box to click

            SuperDave

            Re: Nasty virus
            « Reply #7 on: September 21, 2009, 05:49:42 PM »
            Hi Karen. That is a nasty infection that you have and we'll have to try something else. First, try renaming OTM.exe to something else and see if it will run. If you still get an error, go to this link to create a Rescue CD or to this site to create a Rescue USB. Carefully follow all the instructions for whichever method you choose.

            kviez


              Re: Nasty virus
              « Reply #8 on: September 21, 2009, 09:07:09 PM »
              SD,

              Thank you for your patience and your help. The BitDefender scan is complete and the message reads "No threats have been detected."

              The top of the box reads:
              BitDefender Antivirus Scanner for Unices

              I downloaded the file for windows: unetbootin-windows-372

              How should I proceed?

              « Last Edit: September 21, 2009, 09:29:07 PM by kviez »

              evilfantasy

              Re: Nasty virus
              « Reply #9 on: September 22, 2009, 08:28:44 AM »
              Can you try the Avira Rescue CD also? You can put it on the USB just like you did with BitDefender.

              You did have it scan the C drive right?

              kviez


                Re: Nasty virus
                « Reply #10 on: September 22, 2009, 10:13:27 AM »
                Yes, I did have it on the C drive.  The scan ran fine on the infected computer - it just didn't find any threats.

                Last night I tried the Avira Rescue CD, although I could not get it to load. I moved on to the Dr.Web Rescue CD and had that scanning overnight. I am not sure what happened; when I checked this morning the computer was on, but non-responsive. I powered down by holding the 'off' button and rebooted from the CD drive. The Dr.Web scan is currently running. I will advise when the scan is complete.

                Thanks for your help.

                kviez


                  Re: Nasty virus
                  « Reply #11 on: September 22, 2009, 12:53:07 PM »
                  Okay, I re-started the Dr.Web scanner about 7:30 this morning. The scanner was running fine until 10:40 Pacific time. It has now been frozen for an hour.

                  Three items were identified by the scanner before it froze.

                  D:/Program Files/Dell/Launcher/files/3 Months Free NetZero.exe
                  Status: infected with Trojan.Click.1487

                  D:/System Volume Information/_restore{129201FA-BOAC-49B3-96B2-DEB8B91E727B}/RP475/A0040681.exe
                  Status: Infected with Trojan.PWS.Banker.orgin


                  D:/System Volume Information/_restore{129201FA-BOAC-49B3-96B2-DEB8B91E727B}/RP475/A0040932.exe
                  Status: archive WISE

                  The file being scanned when it froze, which still appears along the bottom is as follows:


                  D:/System Volume Information/_restore{129201FA-BOAC-49B3-96B2-DEB8B91E727B}/RP506/A00407062.exe


                  I do not know if the above information will help. Please let me know.

                  Once again I really appreciate the help!

                  Karen

                  evilfantasy

                  Re: Nasty virus
                  « Reply #12 on: September 22, 2009, 06:12:10 PM »
                  Nothing there should be causing the problems you are having.

                  Has the scan finished and have you restarted the computer? How is it now?

                  kviez


                    Re: Nasty virus
                    « Reply #13 on: September 22, 2009, 06:24:10 PM »
                    The scan never finished. It was frozen for over an hour; the computer was completely unresponsive. I turned it off and re-booted from the CD drive and selected 'run scan in safe mode'. That was at about noon Pacific time and it is still scanning.

                    Many thanks for the support!

                    Karen

                    evilfantasy

                    Re: Nasty virus
                    « Reply #14 on: September 22, 2009, 06:41:48 PM »
                    Try this please.

                    Go to Start > Run > and type command.com then press Enter on the keyboard. Hopefully the Command window will open.

                    In the Command window type %systemdrive%\TSKLST.txt then press Enter on the keyboard.

                    See if a log pops up and post it for us please. You may need to put the notepad file on the flash drive and transfer it over to the good computer and post it from your good PC.

                    kviez


                      Re: Nasty virus
                      « Reply #15 on: September 22, 2009, 06:47:20 PM »
                      Okay.  Should I let the Dr. Web scan that is running in safe mode finish first?

                      evilfantasy

                      Re: Nasty virus
                      « Reply #16 on: September 22, 2009, 06:53:04 PM »
                      If it is the second run then no. It doesn't seem to be finding what it needs to. Windows Police Pro is a new and very nasty virus. We need to stop it from running.

                      kviez


                        Re: Nasty virus
                        « Reply #17 on: September 22, 2009, 09:23:36 PM »
                        I finally shut down the scan that was running in safe mode. It ran for nearly 8 hours. I followed the instructions:

                        "Go to Start > Run > and type command.com then press Enter on the keyboard. Hopefully the Command window will open.

                        In the Command window type %systemdrive%\TSKLST.txt then press Enter on the keyboard."

                        The result was %systemdrive%\TSKLST.txt is not recognized as an internal or external command, operable program or batch file.

                        Also, about 12 error messages popped up at lightning speed and would not close unless clicked multiple times. 

                        Is there anything else that I can try?

                        Karen

                        evilfantasy

                        Re: Nasty virus
                        « Reply #18 on: September 22, 2009, 09:29:58 PM »
                        Go to Start > Run and type taskmgr then press Enter.

                        In the Task Manager under the Processes tab look for and end the processes for:

                        windows Police Pro

                        svchasts <Be sure to look at the spelling on this one. It's not svchost>

                        Now try to download and/or update and run Malwarebytes. Post the log it creates.
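evilfantasy's note about the spelling is the whole trick: a name one letter off from svchost.exe, or a genuine name running from a folder it never lives in (the later ComboFix log lists an smss.exe under system32\drivers), is easy to miss when a Task Manager list is read by eye. As an added example, not from this thread or from any of the tools it uses, here is a small Python triage that applies both checks to a process list: exact names are checked against the directory they should run from, and everything else is compared to the legitimate names with difflib so that near-misspellings are flagged. The allow-list of core XP processes and the sample process list are constructed for illustration, with the sample modelled on the names reported in this thread.

```python
import difflib

# Core Windows XP processes and the directory each one legitimately runs from.
# Assumption: a hand-written allow-list for this example, not an authoritative list.
KNOWN_PROCESSES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed (name, directory) pairs modelled on what this thread reports:
# svchasts.exe / svchast.exe / svdhost.exe beside the real svchost.exe, and a
# second smss.exe sitting in system32\drivers where no real smss.exe belongs.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32"),
    ("svchasts.exe", r"C:\WINDOWS"),
    ("svchast.exe", r"C:\WINDOWS"),
    ("svdhost.exe", r"C:\WINDOWS\system32"),
    ("smss.exe", r"C:\WINDOWS\system32"),
    ("smss.exe", r"C:\WINDOWS\system32\drivers"),
    ("explorer.exe", r"C:\WINDOWS"),
    ("windows Police Pro.exe", r"C:\Program Files\Windows Police Pro"),
    ("desote.exe", r"C:\WINDOWS\system32"),
]


def classify(name, directory, cutoff=0.8):
    """Label one process 'ok', 'wrong-path', 'lookalike:<real name>' or 'unknown'.

    A known name in the wrong directory is treated as suspicious as a misspelt
    name: both are ways of hiding in a list that is only read by eye.  The
    cutoff is difflib's similarity ratio (2*matches / total length); 0.8 still
    catches one-or-two-character edits of an 11-character name."""
    n = name.lower()
    d = directory.lower().rstrip("\\")
    if n in KNOWN_PROCESSES:
        return "ok" if d == KNOWN_PROCESSES[n] else "wrong-path"
    close = difflib.get_close_matches(n, list(KNOWN_PROCESSES), n=1, cutoff=cutoff)
    if close:
        return "lookalike:" + close[0]
    return "unknown"


def triage(processes):
    """Return only the entries that deserve a second look, with their labels."""
    flagged = []
    for name, directory in processes:
        label = classify(name, directory)
        if label != "ok":
            flagged.append((name, directory, label))
    return flagged


if __name__ == "__main__":
    for name, directory, label in triage(SAMPLE_PROCESSES):
        print(f"{label:<24} {directory}\\{name}")
```

"unknown" is deliberately not "bad": unfamiliar third-party names will land there and need a lookup by hand. The two labels that warrant immediate attention are "lookalike" and "wrong-path", which is exactly the distinction the spelling warning above is asking the reader to make.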

                        kviez


                          Re: Nasty virus
                          « Reply #19 on: September 22, 2009, 10:07:49 PM »
                          On first reboot my desktop would not open. There were no icons, just Police Pro, so there was no start bar. I hit Ctrl, Alt, Delete and ended the processes that you mentioned that way. Police Pro shut down but I was not able to open Malwarebytes. I tried OTM.exe that SD had me put on my desktop and pasted the instructions that he gave. It ran a scan, but error messages popped up saying that the file was corrupted. Also, I got a message "Mozilla Crash Reporter. Firefox has crashed."

                          After the OTM scan I tried to hit the red X so as to not reboot, but my system rebooted anyway. Police Pro did not come up but I cannot open any programs. I tried Add/Remove Programs and got an error message. Not sure how to proceed.

                          evilfantasy

                          Re: Nasty virus
                          « Reply #20 on: September 22, 2009, 10:12:04 PM »
                          Place this on your flash drive. Be sure to rename it before saving it.

                          Download ComboFix from one of the below links. You must rename it before saving it!

                          Important! You MUST save ComboFix to your desktop.

                          Link 1
                          Link 2

                          Rename ComboFix to Combo-Fix before saving it to the desktop.





                          Make sure the two processes are not running.

                          Now move ComboFix to the desktop and run it.

                          Double click on Combo-Fix.exe & follow the prompts.

                          Vista users Right-Click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

                          Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

                          When the scan completes it will open a text window.
                           
                          Post the contents of that log in your next reply.

                          kviez


                            Re: Nasty virus
                            « Reply #21 on: September 22, 2009, 10:27:09 PM »
                            I moved Combo-Fix to the desktop of my infected PC. I could not change the name before saving, if that makes a difference. I had to change it once it was on my desktop.

                            When I tried to open it on my infected PC a dialog box appeared: "Open with", asking me to choose the program you want to use to open this file. This same box came up when I tried to open Firefox and OTM as well. I am not sure what program to choose.

                            I will wait for your instructions.  And thank you very much for your kindness.

                            kviez


                              Re: Nasty virus
                              « Reply #22 on: September 23, 2009, 12:31:46 AM »
                              After every sane person had given up on me for the night I went back and followed SD's instructions:

                              2. Repair running .exe files.
                              Click Start, Run. Type command and press Enter. Type notepad and press Enter.
                              Notepad opens. Copy all the text below into Notepad.

                              Code:

                              Windows Registry Editor Version 5.00
                              [HKEY_CLASSES_ROOT\exefile\shell\open\command]
                              @="\"%1\" %*"


                              Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
                              Double Click fix.reg and click YES for confirm.
                              Reboot your computer.

                              This unwise step, on my part, brought back my old friend Windows Police Pro. When I tried to open OTM.exe an error appeared claiming the file was corrupt. However, it somehow allowed me to open Combo-Fix, which is currently running. Hopefully I will be able to post the contents of that log in my next reply. Actually I will edit this post.

                              Here is the log from ComboFix:

                              I have also attached scan logs for HJT, MBAM, and Superantispyware.

                              Thanks for all the help I will await your reply.

                              ComboFix 09-09-22.03 - James Robinson 09/22/2009 23:50.1.2 - NTFSx86
                              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.604 [GMT -7:00]
                              Running from: c:\documents and settings\James Robinson\Desktop\Combo-Fix.exe
                              AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                              FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
                               * Created a new restore point
                              .

                              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                              .

                              c:\documents and settings\All Users\Application Data\13644684
                              c:\documents and settings\All Users\Application Data\13644684\13644684
                              c:\documents and settings\All Users\Application Data\13644684\13644684.exe
                              c:\documents and settings\All Users\Application Data\13644684\pc13644684ins
                              c:\documents and settings\All Users\Desktop\nudetube.com.lnk
                              c:\documents and settings\All Users\Desktop\pornotube.com.lnk
                              c:\documents and settings\All Users\Desktop\youporn.com.lnk
                              c:\program files\Protection System
                              c:\program files\Protection System\core.cga
                              c:\program files\SafetyCenter
                              c:\program files\SafetyCenter\main.ico
                              c:\program files\SafetyCenter\new.exe
                              c:\program files\SafetyCenter\protector.exe
                              c:\program files\SafetyCenter\sound.wav
                              c:\program files\SafetyCenter\start.exe
                              c:\program files\SafetyCenter\uninstall.exe
                              c:\program files\Windows Police Pro
                              c:\program files\Windows Police Pro\msvcm80.dll
                              c:\program files\Windows Police Pro\msvcp80.dll
                              c:\program files\Windows Police Pro\msvcr80.dll
                              c:\program files\Windows Police Pro\windows Police Pro.exe
                              c:\windows\Installer\1980bf.msi
                              c:\windows\kb913800.exe
                              c:\windows\msa.exe
                              c:\windows\ppp3.dat
                              c:\windows\ppp4.dat
                              c:\windows\svchast.exe
                              c:\windows\system32\bennuar.old
                              c:\windows\system32\bidisp.dll
                              c:\windows\system32\bincd32.dat
                              c:\windows\system32\config\systemprofile\Desktop\System Security 2009.lnk
                              c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security
                              c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security
                              c:\windows\system32\dddesot.dll
                              c:\windows\system32\desot.exe
                              c:\windows\system32\drivers\SKYNETqrmyctxm.sys
                              c:\windows\system32\drivers\smss.exe
                              c:\windows\system32\drivers\UACmirbstlnuk.sys
                              c:\windows\system32\lowsec
                              c:\windows\system32\lowsec\local.ds
                              c:\windows\system32\lowsec\user.ds
                              c:\windows\system32\onhelp.htm
                              c:\windows\system32\sdra64.exe
                              c:\windows\system32\SKYNETbowkowam.dll
                              c:\windows\system32\SKYNETgwuxtiqj.dll
                              c:\windows\system32\SKYNEThoewxdut.dat
                              c:\windows\system32\SKYNETklldlthw.dll
                              c:\windows\system32\SKYNETwlvmjiuw.dat
                              c:\windows\system32\sonhelp.htm
                              c:\windows\system32\sysnet.dat
                              c:\windows\system32\tapi.nfo
                              c:\windows\system32\uacinit.dll
                              c:\windows\system32\UACkpmkujkjne.dat
                              c:\windows\system32\UACmjxqoqthgn.dll
                              c:\windows\system32\UACpekvethtvj.dll
                              c:\windows\system32\UACrfdxuwvtuw.dll
                              c:\windows\system32\UACtvmrxwkhkn.dll
                              c:\windows\Tasks\At1.job
                              c:\windows\Tasks\At10.job
                              c:\windows\Tasks\At11.job
                              c:\windows\Tasks\At12.job
                              c:\windows\Tasks\At13.job
                              c:\windows\Tasks\At14.job
                              c:\windows\Tasks\At15.job
                              c:\windows\Tasks\At16.job
                              c:\windows\Tasks\At17.job
                              c:\windows\Tasks\At18.job
                              c:\windows\Tasks\At19.job
                              c:\windows\Tasks\At2.job
                              c:\windows\Tasks\At20.job
                              c:\windows\Tasks\At21.job
                              c:\windows\Tasks\At22.job
                              c:\windows\Tasks\At23.job
                              c:\windows\Tasks\At24.job
                              c:\windows\Tasks\At3.job
                              c:\windows\Tasks\At4.job
                              c:\windows\Tasks\At5.job
                              c:\windows\Tasks\At6.job
                              c:\windows\Tasks\At7.job
                              c:\windows\Tasks\At8.job
                              c:\windows\Tasks\At9.job
                              c:\windows\Tasks\xqamlerl.job

                              Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
                              Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
                              .
                              (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                              .

                              -------\Service_SKYNETdqvppxei
                              -------\Legacy_SKYNETdqvppxei
                              -------\Service_UACd.sys
                              -------\Legacy_UACd.sys
                              -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
                              -------\Legacy_AntipPolice_
                              -------\Service_AntipPolice_


                              (((((((((((((((((((((((((   Files Created from 2009-08-23 to 2009-09-23  )))))))))))))))))))))))))))))))
                              .

                              2009-09-23 03:58 . 2009-09-23 03:58   --------   d-----w-   C:\_OTM
                              2009-09-20 17:32 . 2009-09-20 17:32   2198   ----a-w-   C:\pPPhmrd.bat

                              .
                              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                              .
                              2009-09-11 05:38 . 2009-07-17 06:03   --------   d-----w-   c:\program files\doodoo
                              2009-09-11 05:05 . 2009-07-17 05:35   --------   d-----w-   c:\program files\SUPERAntiSpyware
                              2009-09-11 03:57 . 2006-10-10 05:07   88600   ----a-w-   c:\documents and settings\James Robinson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                              2009-09-09 04:10 . 2007-01-01 07:44   --------   d-----w-   c:\program files\PokerStars
                              2009-09-09 03:00 . 2009-07-12 19:19   --------   d-----w-   c:\program files\Hewlett-Packard
                              2009-09-09 02:59 . 2005-08-17 01:54   --------   d-----w-   c:\program files\GemMaster
                              2009-09-09 02:57 . 2006-10-03 08:56   --------   d-----w-   c:\program files\Dell
                              2009-09-09 01:06 . 2009-03-16 04:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg8
                              2009-09-08 15:05 . 2006-10-10 04:56   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\Symantec
                              2009-08-28 18:09 . 2009-03-16 04:13   11952   ----a-w-   c:\windows\system32\avgrsstx.dll
                              2009-08-28 18:09 . 2009-03-16 04:13   335240   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
                              2009-08-28 18:09 . 2007-03-26 03:24   27784   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
                              2009-08-24 02:34 . 2009-08-24 02:34   --------   d-----w-   c:\program files\MSBuild
                              2009-08-24 02:34 . 2009-08-24 02:34   --------   d-----w-   c:\program files\Reference Assemblies
                              2009-08-09 04:02 . 2009-04-16 00:14   256   ----a-w-   c:\windows\system32\pool.bin
                              2009-08-08 15:00 . 2009-07-18 16:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
                              2009-08-05 15:36 . 2006-10-03 09:12   --------   d-----w-   c:\program files\Google
                              2009-08-05 09:01 . 2005-08-16 09:18   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
                              2009-07-18 01:10 . 2009-07-18 01:10   410984   ----a-w-   c:\windows\system32\deploytk.dll
                              2009-07-17 19:01 . 2005-08-16 09:18   58880   ----a-w-   c:\windows\system32\atl.dll
                              2009-07-14 06:43 . 2005-08-16 09:19   286208   ----a-w-   c:\windows\system32\wmpdxm.dll
                              2009-07-13 20:36 . 2009-07-17 06:03   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                              2009-07-13 20:36 . 2009-07-17 06:03   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
                              2009-07-12 20:02 . 2009-07-12 19:36   19349   ----a-w-   c:\windows\HPHins02.dat
                              2009-07-11 12:59 . 2009-07-18 16:45   29776   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                              2009-07-11 12:17 . 2009-07-18 16:45   24656   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                              2009-07-11 12:17 . 2009-07-18 16:45   200784   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                              2009-06-29 16:12 . 2005-08-16 09:18   827392   ----a-w-   c:\windows\system32\wininet.dll
                              2009-06-29 16:12 . 2005-08-16 09:18   78336   ----a-w-   c:\windows\system32\ieencode.dll
                              2009-06-29 16:12 . 2005-08-16 09:18   17408   ----a-w-   c:\windows\system32\corpol.dll
                              2009-06-25 08:25 . 2005-08-16 09:18   54272   ----a-w-   c:\windows\system32\wdigest.dll
                              2009-06-25 08:25 . 2005-08-16 09:18   56832   ----a-w-   c:\windows\system32\secur32.dll
                              2009-06-25 08:25 . 2005-08-16 09:18   147456   ----a-w-   c:\windows\system32\schannel.dll
                              2009-06-25 08:25 . 2005-08-16 09:18   136192   ----a-w-   c:\windows\system32\msv1_0.dll
                              2009-06-25 08:25 . 2005-08-16 09:18   730112   ----a-w-   c:\windows\system32\lsasrv.dll
                              2009-06-25 08:25 . 2005-08-16 09:18   301568   ----a-w-   c:\windows\system32\kerberos.dll
                              2008-03-19 22:50 . 2009-07-11 21:38   97280   ----a-w-   c:\program files\Common Files\pcsbClean.exe
                              2008-03-07 02:31 . 2009-07-11 21:38   134656   ----a-w-   c:\program files\Common Files\PCSBoff.exe
                              2008-11-26 00:18 . 2008-11-26 00:18   27976   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcdec.dll
                              2008-11-26 00:18 . 2008-11-26 00:18   126360   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcext.dll
                              2008-11-26 00:19 . 2008-11-26 00:19   98712   ----a-w-   c:\program files\mozilla firefox\plugins\ieatgpc.dll
                              2006-10-21 04:37 . 2006-10-11 02:39   88   --sh--r-   c:\windows\system32\670D5041A4.sys
                              2006-10-21 04:37 . 2006-10-11 02:39   3766   --sha-w-   c:\windows\system32\KGyGaAvL.sys
                              .

                              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                              .
                              .
                              *Note* empty entries & legit default entries are not shown
                              REGEDIT4

                              [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
                              "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

                              [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

                              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
                              2009-06-14 23:07   1004800   ----a-w-   c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

                              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
                              "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

                              [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

                              [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
                              "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

                              [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

                              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                              "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\2ee355a4-4231-4b5c-bf5b-3f37f48ee10b.exe" [2009-08-14 1830128]
                              "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

                              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                              "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
                              "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 176128]
                              "HPHUPD05"="c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe" [2003-11-12 49152]
                              "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
                              "HPHmon05"="c:\windows\system32\hphmon05.exe" [2004-02-02 495616]
                              "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-18 148888]
                              "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-07-11 2121416]
                              "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]

                              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
                              "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-07-11 336584]

                              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                              2009-09-09 02:46   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                              2009-08-28 18:09   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

                              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
                              @="Service"

                              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
                              path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                              backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

                              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                              "%windir%\\system32\\sessmgr.exe"=
                              "c:\\Program Files\\Messenger\\msmsgs.exe"=
                              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                              "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
                              "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
                              "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
                              "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
                              "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                              "c:\\Program Files\\iTunes\\iTunes.exe"=
                              "c:\\Program Files\\BitComet\\BitComet.exe"=

                              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                              "25008:TCP"= 25008:TCP:BitComet 25008 TCP
                              "25008:UDP"= 25008:UDP:BitComet 25008 UDP

                              R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/28/2009 4:08 PM 64160]
                              R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/15/2009 9:13 PM 335240]
                              R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/15/2009 9:13 PM 108552]
                              R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [7/18/2009 9:45 AM 200784]
                              R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [7/18/2009 9:45 AM 24656]
                              R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [7/18/2009 9:45 AM 29776]
                              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
                              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 74480]
                              R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/15/2009 9:12 PM 297752]
                              R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [7/18/2009 9:45 AM 362184]
                              S1 ati2mtagg;ati2mtagg;c:\windows\system32\drivers\ati2mtagg.sys --> c:\windows\system32\drivers\ati2mtagg.sys [?]
                              S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1029456]
                              S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [7/18/2009 9:45 AM 3142344]
                              S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
                              .
                              Contents of the 'Scheduled Tasks' folder

                              2009-08-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
                              - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 23:26]

                              2009-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
                              - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

                              2009-09-23 c:\windows\Tasks\HP Usg Daily.job
                              - c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe [2004-01-06 18:05]
                              .
                              .
                              ------- Supplementary Scan -------
                              .
                              uStart Page = hxxp://www.google.com/
                              uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
                              uInternet Settings,ProxyOverride = *.local
                              IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
                              IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
                              FF - ProfilePath - c:\documents and settings\James Robinson\Application Data\Mozilla\Firefox\Profiles\sra2mbqw.default\
                              FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
                              FF - prefs.js: browser.search.selectedEngine - Google
                              FF - prefs.js: browser.startup.homepage - hxxp://msn.foxsports.com/
                              FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
                              FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
                              FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
                              FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
                              FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
                              FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
                              FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
                              FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
                              FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
                              FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
                              .
                              - - - - ORPHANS REMOVED - - - -

                              BHO-{1F84A284-9C04-4F6C-9520-524539D2A300} - c:\windows\system32\bidisp.dll
                              WebBrowser-{3B905210-4AEE-4814-BFC3-6ACF6D406371} - (no file)
                              HKU-Default-Run-minix32 - c:\windows\system32\minix32.exe
                              AddRemove-HijackThis - c:\program files\Trend Micro\sniper.exe\HijackThis.exe
                              AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\Malwarebytes' Anti-Malware\unins000.exe
                              AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe



                              **************************************************************************

                              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                              Rootkit scan 2009-09-23 00:10
                              Windows 5.1.2600 Service Pack 3 NTFS

                              scanning hidden processes ... 

                              scanning hidden autostart entries ...

                              scanning hidden files ... 

                              scan completed successfully
                              hidden files: 0

                              **************************************************************************
                              .
                              --------------------- DLLs Loaded Under Running Processes ---------------------

                              - - - - - - - > 'winlogon.exe'(600)
                              c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                              c:\windows\system32\WININET.dll
                              c:\windows\System32\BCMLogon.dll

                              - - - - - - - > 'explorer.exe'(3392)
                              c:\windows\system32\WININET.dll
                              c:\windows\system32\IEFRAME.dll
                              c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
                              c:\windows\system32\mshtml.dll
                              c:\windows\IME\SPGRMR.DLL
                              c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
                              .
                              ------------------------ Other Running Processes ------------------------
                              .
                              c:\windows\system32\BCMWLTRY.EXE
                              c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                              c:\program files\Bonjour\mDNSResponder.exe
                              c:\windows\ehome\ehrecvr.exe
                              c:\windows\ehome\ehSched.exe
                              c:\program files\Java\jre6\bin\jqs.exe
                              c:\program files\Maxtor\Sync\SyncServices.exe
                              c:\program files\AVG\AVG8\avgrsx.exe
                              c:\progra~1\AVG\AVG8\avgnsx.exe
                              c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                              c:\windows\ehome\mcrdsvc.exe
                              c:\windows\system32\HPZipm12.exe
                              c:\windows\system32\wscntfy.exe
                              .
                              **************************************************************************
                              .
                              Completion time: 2009-09-23  0:16 - machine was rebooted
                              ComboFix-quarantined-files.txt  2009-09-23 07:16

                              Pre-Run: 30,566,490,112 bytes free
                              Post-Run: 32,563,552,256 bytes free

                              WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                              [boot loader]
                              timeout=2
                              default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
                              [operating systems]
                              c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                              multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

                              314   --- E O F ---   2009-09-20 17:29




                              [attachment deleted by admin]
                              « Last Edit: September 23, 2009, 02:22:23 AM by kviez »
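The log above is what the helpers worked from. As an added example (not ComboFix's code and not a tool anyone in this thread used), here is a small Python triage script that pulls the same kinds of entries out of a ComboFix-style excerpt and, as a follow-up check, compares system32 files against the ServicePackFiles\i386 copies that ComboFix restored eventlog.dll from. The name patterns, the AtN.job threshold, the sample log and the demo directories it builds are all my own constructed assumptions, not the poster's files.

```python
"""Triage helpers for a ComboFix-style log like the one posted above.

Added example for this thread, not part of ComboFix or of any tool the
helpers used.  triage() pulls out what a removal helper reads first;
compare_with_servicepack_copies() checks system32 files against the
ServicePackFiles\\i386 copies that ComboFix restored eventlog.dll from.
"""
import hashlib
import os
import re
import tempfile

# Constructed sample in the shape of the posted log (indentation kept).
SAMPLE_LOG = r"""
    c:\windows\system32\SKYNETwlvmjiuw.dat
    c:\windows\system32\uacinit.dll
    c:\windows\system32\UACkpmkujkjne.dat
    c:\windows\system32\UACmjxqoqthgn.dll
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\xqamlerl.job
    c:\windows\Tasks\Ad-Aware Update (Weekly).job

    Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
"""

# Upper-case SKYNET/UAC prefix plus a run of random lower-case letters (case-sensitive on purpose).
RANDOM_SYS_FILE = re.compile(r"\\system32\\(SKYNET|UAC)[a-z]{8,}\.(dat|dll|sys)$")
AT_JOB = re.compile(r"\\Tasks\\At\d+\.job$", re.IGNORECASE)
RANDOM_JOB = re.compile(r"\\Tasks\\[a-z]{8}\.job$")  # e.g. xqamlerl.job
INFECTED = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
RESTORED = re.compile(r"^Restored copy from - (.+)$")
AT_JOB_BURST = 3  # the posted log had At1.job through At24.job


def triage(log_text):
    """Return the notable entries of a ComboFix-style log as a dict."""
    found = {"random_named_files": [], "at_job_count": 0,
             "random_named_jobs": [], "restored_system_files": []}
    pending_infected = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RANDOM_SYS_FILE.search(line):
            found["random_named_files"].append(line)
        elif AT_JOB.search(line):
            found["at_job_count"] += 1
        elif RANDOM_JOB.search(line):
            found["random_named_jobs"].append(line)
        elif (m := INFECTED.match(line)):
            pending_infected = m.group(1)  # pair it with the next Restored line
        elif (m := RESTORED.match(line)) and pending_infected:
            found["restored_system_files"].append((pending_infected, m.group(1)))
            pending_infected = None
    found["at_job_burst"] = found["at_job_count"] > AT_JOB_BURST
    return found


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def compare_with_servicepack_copies(system32_dir, sp_dir, names):
    """Names whose system32 copy differs from the ServicePackFiles copy.

    Caveat: a mismatch means either a later hotfix or tampering, so it is a
    lead to check against the hotfix catalogue, not a verdict.
    """
    differing, no_reference = [], []
    for name in names:
        live = os.path.join(system32_dir, name)
        ref = os.path.join(sp_dir, name)
        if not os.path.isfile(ref):
            no_reference.append(name)
        elif _sha256(live) != _sha256(ref):
            differing.append(name)
    return {"differing": differing, "no_reference": no_reference}


def make_demo_dirs():
    """Constructed demo pair: a system32 dir and a ServicePackFiles\\i386 dir."""
    root = tempfile.mkdtemp()
    sys32, sp = os.path.join(root, "system32"), os.path.join(root, "i386")
    os.makedirs(sys32)
    os.makedirs(sp)
    # eventlog.dll matches its reference, wininet.dll differs (as it would
    # after a hotfix), OADriver.sys is third-party and has no reference.
    for folder, name, data in [(sys32, "eventlog.dll", b"MZ-eventlog"),
                               (sp, "eventlog.dll", b"MZ-eventlog"),
                               (sys32, "wininet.dll", b"MZ-wininet-v2"),
                               (sp, "wininet.dll", b"MZ-wininet-v1"),
                               (sys32, "OADriver.sys", b"MZ-oadriver")]:
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return sys32, sp
```

On a live XP machine the second check would be run with the real system32 and ServicePackFiles\i386 paths and a list of the protected DLLs from the log; each "differing" name then needs its hotfix history checked before anything is touched.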

                              SuperDave

                              • Malware Removal Specialist
                              • Moderator


                              • Genius
                              • Thanked: 1020
                              • Certifications: List
                              • Experience: Expert
                              • OS: Windows 10
                              Re: Nasty virus
                              « Reply #23 on: September 23, 2009, 06:11:01 PM »
                              Very Good, Karen. We seem to have gotten rid of some of the bugs on your computer. How's your computer running now? We are not finished yet. I'm presently working up some other things that we can do to make sure your computer is clean. I'll be back.
                              Windows 8 and Windows 10 dual boot with two SSD's

                              kviez

                                Topic Starter


                                Rookie

                                Re: Nasty virus
                                « Reply #24 on: September 23, 2009, 07:44:41 PM »
                                To be honest, SD - I am afraid to boot up the infected PC.  I wanted to wait to hear from you before I used it again.  I am afraid that nasty virus is still hiding somewhere.

                                Let me know what I should do next.

                                Thanks for all of your help!

                                Karen


                                evilfantasy

                                • Malware Removal Specialist
                                • Moderator


                                • Genius
                                • Calm like a bomb
                                • Thanked: 493
                                • Experience: Experienced
                                • OS: Windows 11
                                Re: Nasty virus
                                « Reply #25 on: September 23, 2009, 07:47:25 PM »
                                Just hold tight, kviez. SD is working up a new fix.

                                Oh yea. Restart the computer. It should be running fine now but there are still a few things to do before we can give you an all-clear. :)

                                SuperDave

                                Re: Nasty virus
                                « Reply #26 on: September 25, 2009, 05:37:18 PM »
                                Hello Karen, sorry for the delay. I would like you to do this: please follow the directions below:

                                Delete these files/folders, as follows:

                                1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                                It must be Notepad, not Wordpad.
                                2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                                Code:
                                KillAll::

                                File::
                                C:\pPPhmrd.bat

                                DDS::
                                FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

                                3. Go to the Notepad window and click Edit > Paste
                                4. Then click File > Save
                                5. Name the file CFScript.txt - Save the file to your Desktop
                                6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                                ComboFix will begin to execute, just follow the prompts.
                                After reboot (in case it asks to reboot), it will produce a log for you.
                                Post that log (Combofix.txt) in your next reply.

                                Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

                                Next, please do this:

                                Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt

                                Please download ATF Cleaner by Atribune and save it to your desktop.

                                Double-click ATF-Cleaner.exe to run the program.
                                Under Main choose: Select All
                                Click the Empty Selected button.

                                If you use Firefox browser

                                Click Firefox at the top and choose: Select All
                                Click the Empty Selected button.
                                NOTE: If you would like to keep your saved passwords, please click No at the prompt.

                                If you use Opera browser

                                Click Opera at the top and choose: Select All
                                Click the Empty Selected button.
                                NOTE: If you would like to keep your saved passwords, please click No at the prompt.

                                Click Exit to close ATF-Cleaner.

                                Please go to the Kaspersky website and perform an online antivirus scan.

                                1. Read through the requirements and privacy statement and click on Accept button.
                                2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
                                3. When the downloads have finished, click on Settings.
                                4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
                                Spyware, Adware, Dialers, and other potentially dangerous programs
                                Archives


                                5. Click on My Computer under Scan.
                                6. Once the scan is complete, it will display the results. Click on View Scan Report.
                                7. You will see a list of infected items there. Click on Save Report As....
                                8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
                                9. Please post this log in your next reply along with a fresh HijackThis log.


                                kviez


                                  Re: Nasty virus
                                  « Reply #27 on: September 25, 2009, 07:52:29 PM »
                                  SD,

                                  Thank you so much for the help that you and evilfantasy have provided.  I could not find the following in order to delete per your instructions:

                                  C:\combo-fix.txt  or

                                  C:\Combo-Fix-quarantined-files.txt

                                  I have attached the combofix log as you requested.  I will follow the rest of your instructions.

                                  Thanks again,

                                  Karen

                                  [attachment deleted by admin]

                                  evilfantasy

                                  Re: Nasty virus
                                  « Reply #28 on: September 25, 2009, 07:56:59 PM »
                                  Something strange appeared.

                                  First, please do this.

                                  Create An Uninstall List
                                  • Start HijackThis
                                  • Click on the Open the Misc Tools section
                                  • Click on the Open Uninstall Manager button.
                                  • Click on the Save list button and specify where you would like to save this file and click Save.
                                    • When you press Save button a notepad will open with the contents of that file.
                                  • Copy and paste that list in your reply.

                                  kviez


                                    Re: Nasty virus
                                    « Reply #29 on: September 25, 2009, 10:59:59 PM »
                                    evilfantasy,

                                    I did not see your reply until the Kaspersky scan was done so I have attached that as well as the uninstall log from HJT.

                                    Please let me know how to proceed.

                                    Thanks again!

                                    Ad-Aware
                                    Ad-Aware
                                    Adobe Flash Player 9 ActiveX
                                    Adobe Flash Player Plugin
                                    Adobe Reader 7.0.8
                                    AOLIcon
                                    Apple Mobile Device Support
                                    Apple Software Update
                                    AVG 8.5
                                    BitComet 1.13
                                    BlackBerry Desktop Software 4.6
                                    BlackBerry Desktop Software 4.6
                                    BlackBerry® Media Sync
                                    Bonjour
                                    Broadcom Management Programs
                                    CCleaner (remove only)
                                    CDK Players
                                    Conexant HDA D110 MDC V.92 Modem
                                    Critical Update for Windows Media Player 11 (KB959772)
                                    Dell Digital Jukebox Driver
                                    Dell Game Console
                                    Dell Support 3.2
                                    Dell Wireless WLAN Card
                                    DellConnect
                                    Digital Content Portal
                                    Digital Line Detect
                                    Documentation & Support Launcher
                                    ELIcon
                                    Games, Music, & Photos Launcher
                                    High Definition Audio Driver Package - KB835221
                                    HijackThis 2.0.2
                                    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
                                    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
                                    Hotfix for Windows Internet Explorer 7 (KB947864)
                                    Hotfix for Windows Media Format 11 SDK (KB929399)
                                    Hotfix for Windows Media Player 10 (KB903157)
                                    Hotfix for Windows Media Player 11 (KB939683)
                                    Hotfix for Windows XP (KB952287)
                                    Hotfix for Windows XP (KB961118)
                                    Hotfix for Windows XP (KB970653-v3)
                                    HP Memories Disc
                                    Intel(R) Graphics Media Accelerator Driver
                                    iTunes
                                    J2SE Runtime Environment 5.0 Update 6
                                    Java(TM) 6 Update 14
                                    Learn2 Player (Uninstall Only)
                                    Logitech Desktop Messenger
                                    Logitech Harmony Remote Software 7
                                    Malwarebytes' Anti-Malware
                                    MathPlayer
                                    Maxtor Manager
                                    Maxtor Manager
                                    MCU
                                    Microsoft .NET Framework 1.1
                                    Microsoft .NET Framework 1.1
                                    Microsoft .NET Framework 1.1 Hotfix (KB928366)
                                    Microsoft .NET Framework 2.0 Service Pack 2
                                    Microsoft .NET Framework 3.0 Service Pack 2
                                    Microsoft .NET Framework 3.5 SP1
                                    Microsoft .NET Framework 3.5 SP1
                                    Microsoft Compression Client Pack 1.0 for Windows XP
                                    Microsoft Internationalized Domain Names Mitigation APIs
                                    Microsoft Money 2002
                                    Microsoft Money 2002 System Pack
                                    Microsoft National Language Support Downlevel APIs
                                    Microsoft Office Outlook 2003 with Business Contact Manager Update
                                    Microsoft Office Small Business Edition 2003
                                    Microsoft Plus! Digital Media Edition Installer
                                    Microsoft Plus! Photo Story 2 LE
                                    Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
                                    Microsoft User-Mode Driver Framework Feature Pack 1.0
                                    Microsoft Visual C++ 2005 Redistributable
                                    Microsoft Works
                                    Microsoft Works 2002 Setup Launcher
                                    Mirar
                                    MobileMe Control Panel
                                    Modem Helper
                                    Mozilla Firefox (3.0.14)
                                    MSXML 4.0 SP2 (KB927978)
                                    MSXML 4.0 SP2 (KB936181)
                                    MSXML 4.0 SP2 (KB954430)
                                    NetWaiting
                                    Otto
                                    PC Study Bible (remove only)
                                    Photosmart 140,240,7200,7600,7700,7900 Series
                                    Picasa 3
                                    PokerStars
                                    PowerDVD 5.7
                                    QuickSet
                                    QuickTime
                                    RealPlayer Basic
                                    Remote Control USB Driver
                                    Roxio Media Manager
                                    SearchAssist
                                    Security Update for Windows Internet Explorer 7 (KB928090)
                                    Security Update for Windows Internet Explorer 7 (KB931768)
                                    Security Update for Windows Internet Explorer 7 (KB933566)
                                    Security Update for Windows Internet Explorer 7 (KB937143)
                                    Security Update for Windows Internet Explorer 7 (KB938127)
                                    Security Update for Windows Internet Explorer 7 (KB939653)
                                    Security Update for Windows Internet Explorer 7 (KB942615)
                                    Security Update for Windows Internet Explorer 7 (KB944533)
                                    Security Update for Windows Internet Explorer 7 (KB950759)
                                    Security Update for Windows Internet Explorer 7 (KB953838)
                                    Security Update for Windows Internet Explorer 7 (KB956390)
                                    Security Update for Windows Internet Explorer 7 (KB958215)
                                    Security Update for Windows Internet Explorer 7 (KB960714)
                                    Security Update for Windows Internet Explorer 7 (KB961260)
                                    Security Update for Windows Internet Explorer 7 (KB963027)
                                    Security Update for Windows Internet Explorer 7 (KB969897)
                                    Security Update for Windows Internet Explorer 7 (KB972260)
                                    Security Update for Windows Media Player (KB952069)
                                    Security Update for Windows Media Player (KB968816)
                                    Security Update for Windows Media Player (KB973540)
                                    Security Update for Windows Media Player 10 (KB917734)
                                    Security Update for Windows Media Player 11 (KB936782)
                                    Security Update for Windows Media Player 11 (KB954154)
                                    Security Update for Windows XP (KB923561)
                                    Security Update for Windows XP (KB938464)
                                    Security Update for Windows XP (KB938464-v2)
                                    Security Update for Windows XP (KB941569)
                                    Security Update for Windows XP (KB946648)
                                    Security Update for Windows XP (KB950760)
                                    Security Update for Windows XP (KB950762)
                                    Security Update for Windows XP (KB950974)
                                    Security Update for Windows XP (KB951066)
                                    Security Update for Windows XP (KB951376)
                                    Security Update for Windows XP (KB951376-v2)
                                    Security Update for Windows XP (KB951698)
                                    Security Update for Windows XP (KB951748)
                                    Security Update for Windows XP (KB952004)
                                    Security Update for Windows XP (KB952954)
                                    Security Update for Windows XP (KB953839)
                                    Security Update for Windows XP (KB954211)
                                    Security Update for Windows XP (KB954459)
                                    Security Update for Windows XP (KB954600)
                                    Security Update for Windows XP (KB955069)
                                    Security Update for Windows XP (KB956391)
                                    Security Update for Windows XP (KB956572)
                                    Security Update for Windows XP (KB956744)
                                    Security Update for Windows XP (KB956802)
                                    Security Update for Windows XP (KB956803)
                                    Security Update for Windows XP (KB956841)
                                    Security Update for Windows XP (KB957095)
                                    Security Update for Windows XP (KB957097)
                                    Security Update for Windows XP (KB958644)
                                    Security Update for Windows XP (KB958687)
                                    Security Update for Windows XP (KB958690)
                                    Security Update for Windows XP (KB959426)
                                    Security Update for Windows XP (KB960225)
                                    Security Update for Windows XP (KB960715)
                                    Security Update for Windows XP (KB960803)
                                    Security Update for Windows XP (KB960859)
                                    Security Update for Windows XP (KB961371)
                                    Security Update for Windows XP (KB961373)
                                    Security Update for Windows XP (KB961501)
                                    Security Update for Windows XP (KB968537)
                                    Security Update for Windows XP (KB969898)
                                    Security Update for Windows XP (KB970238)
                                    Security Update for Windows XP (KB971557)
                                    Security Update for Windows XP (KB971633)
                                    Security Update for Windows XP (KB971657)
                                    Security Update for Windows XP (KB973346)
                                    Security Update for Windows XP (KB973354)
                                    Security Update for Windows XP (KB973507)
                                    Security Update for Windows XP (KB973869)
                                    Sonic DLA
                                    Sonic Encoders
                                    Sonic RecordNow Audio
                                    Sonic RecordNow Copy
                                    Sonic RecordNow Data
                                    Sonic Update Manager
                                    SUPERAntiSpyware Free Edition
                                    Synaptics Pointing Device Driver
                                    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
                                    Update for Windows Media Player 10 (KB913800)
                                    Update for Windows Media Player 10 (KB926251)
                                    Update for Windows XP (KB951072-v2)
                                    Update for Windows XP (KB951978)
                                    Update for Windows XP (KB955839)
                                    Update for Windows XP (KB967715)
                                    Update for Windows XP (KB968389)
                                    Update for Windows XP (KB973815)
                                    Update Rollup 2 for Windows XP Media Center Edition 2005
                                    URL Assistant
                                    Viewpoint Media Player
                                    Visual C++ 2008 x86 Runtime - (v9.0.30729)
                                    Visual C++ 2008 x86 Runtime - v9.0.30729.01
                                    WebEx
                                    WildTangent Web Driver
                                    Windows Media Format 11 runtime
                                    Windows Media Format 11 runtime
                                    Windows Media Player 10
                                    Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
                                    Windows Media Player 11
                                    Windows Media Player 11
                                    Windows Media Player Firefox Plugin
                                    Windows XP Media Center Edition 2005 KB908246
                                    Windows XP Media Center Edition 2005 KB925766
                                    Windows XP Media Center Edition 2005 KB973768
                                    Windows XP Service Pack 3



                                    [attachment deleted by admin]

                                    SuperDave

                                    • Malware Removal Specialist
                                    • Moderator


                                    • Genius
                                    • Thanked: 1020
                                    • Certifications: List
                                    • Experience: Expert
                                    • OS: Windows 10
                                    Re: Nasty virus
                                    « Reply #30 on: September 27, 2009, 08:07:44 AM »
Hello Karen, I see we still have a few leftovers to clear out but, hopefully, we're nearing the end. Please do this:

Click Start > Control Panel, select Add/Remove Programs, select the following programs and uninstall them.

                                    J2SE Runtime Environment 5.0 Update 6
                                    Mirar
                                    SearchAssist
                                    URL Assistant
                                    Viewpoint Media Player
                                    WildTangent Web Driver


                                    Double-click on OTM.exe on your desktop.

                                    Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

                                    * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                                    Code: [Select]
                                    :Processes
                                    explorer.exe

                                    :services

                                    :reg

                                    :files
                                    %windir%\found.000

                                    :Commands
                                    [purity]
                                    [emptytemp]
                                    [start explorer]
                                    [Reboot]

                                    * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                                    * Click the red Moveit! button.
                                    * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
                                    Close OTM

                                    Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

                                    To turn off Windows XP System Restore:

                                    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

                                    1. Click Start.
                                    2. Right-click the My Computer icon, and then click Properties.
                                    3. Click the System Restore tab.
                                    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
                                    5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
                                    7. Click OK.
                                    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

                                    To turn on Windows XP System Restore:

                                    1. Click Start.
                                    2. Right-click My Computer, and then click Properties.
                                    3. Click the System Restore tab.
                                    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
                                    5. Click Apply, and then click OK.

                                    Clean out your temporary internet files and temp files.

                                    Download TFC by OldTimer to your desktop.

                                    Double-click TFC.exe to run it.

                                    Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                                    TFC will close all programs when run, so make sure you have saved all your work before you begin.

                                    * Click the Start button to begin the cleaning process.
                                    * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                                    * Please let TFC run uninterrupted until it is finished.

                                    Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                                    Once this is done I will get you to run another on-line scan from another on-line scanner. Please let me know when the above work is done.
                                    Windows 8 and Windows 10 dual boot with two SSD's

                                    kviez

                                      Topic Starter


                                      Rookie

                                      Re: Nasty virus
                                      « Reply #31 on: September 27, 2009, 10:53:02 AM »
                                      SD,

                                      I could not remove URL assistant or Mirar.  I used Add/Remove programs to uninstall the others you listed.  I did not go any further with your instructions as I did not know if they should be followed in sequence. 

                                      Please let me know how to proceed.

                                      Thanks again,

                                      Karen

                                      SuperDave

                                      • Malware Removal Specialist
                                      • Moderator


                                      • Genius
                                      • Thanked: 1020
                                      • Certifications: List
                                      • Experience: Expert
                                      • OS: Windows 10
                                      Re: Nasty virus
                                      « Reply #32 on: September 27, 2009, 01:23:53 PM »
Hello Karen. Try this to remove those two programs.

• Start HijackThis

• Click on the Open the Misc Tools section

• Click on the Open Uninstall Manager button.

• Highlight the entry you want to remove.

• Click Delete this entry

                                      Then, finish doing the other things I asked for in the previous thread.
                                      Windows 8 and Windows 10 dual boot with two SSD's

                                      kviez

                                        Topic Starter


                                        Rookie

                                        Re: Nasty virus
                                        « Reply #33 on: September 27, 2009, 03:53:16 PM »
                                        SD,

                                        I have finished with your latest set of instructions.  I will post the OTM log below.  I have a couple of questions.

When I tried to uninstall Mirar the first time I downloaded a file from their website that was supposed to help.  When it did not work I went looking for it with Windows Explorer and found something curious; I am not sure what to make of it and wonder where it came from.  Under Local Disk (C:), then WINDOWS, there were a lot of folders that look like this: "$NtuninstallkB8......$".  There were 6 digits between the 8 and the last $.  Is this something that I should be worried about?  Also, there is a new icon on my desktop, "catchme.log"; I am pretty sure this showed up after I ran combofix for the first time.  Should I get rid of it?

                                        Thanks again.  Here is the log.  I will await your instructions.

                                        Karen

                                        All processes killed
                                        ========== PROCESSES ==========
                                        No active process named explorer.exe was found!
                                        ========== SERVICES/DRIVERS ==========
                                        ========== REGISTRY ==========
                                        ========== FILES ==========
                                        Folder C:\WINDOWSC:\WINDOWS\found.000 not found.
                                        ========== COMMANDS ==========
                                         
                                        [EMPTYTEMP]
                                         
                                        User: Administrator
                                        ->Temp folder emptied: 0 bytes
                                        ->Temporary Internet Files folder emptied: 0 bytes
                                        ->FireFox cache emptied: 0 bytes
                                         
                                        User: All Users
                                         
                                        User: Default User
                                        ->Temp folder emptied: 0 bytes
                                        ->Temporary Internet Files folder emptied: 0 bytes
                                         
                                        User: James Robinson
                                        ->Temp folder emptied: 82230050 bytes
                                        ->Temporary Internet Files folder emptied: 6063106 bytes
                                        ->Java cache emptied: 128020 bytes
                                        ->FireFox cache emptied: 44533858 bytes
                                        ->Apple Safari cache emptied: 0 bytes
                                         
                                        User: LocalService
                                        ->Temp folder emptied: 0 bytes
                                        File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
                                        ->Temporary Internet Files folder emptied: 33170 bytes
                                        ->FireFox cache emptied: 0 bytes
                                         
                                        User: NetworkService
                                        ->Temp folder emptied: 0 bytes
                                        File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
                                        ->Temporary Internet Files folder emptied: 32902 bytes
                                         
                                        %systemdrive% .tmp files removed: 0 bytes
                                        %systemroot% .tmp files removed: 0 bytes
                                        %systemroot%\System32 .tmp files removed: 0 bytes
                                        Windows Temp folder emptied: 664 bytes
                                        RecycleBin emptied: 85892541 bytes
                                         
                                        Total Files Cleaned = 208.77 mb
                                         
                                         
                                        OTM by OldTimer - Version 3.0.0.6 log created on 09272009_130504

                                        Files moved on Reboot...

                                        Registry entries deleted on Reboot...

                                        harry 48



                                          Egghead

                                        • lay back , relax and chill out
                                        • Thanked: 129
                                          • Yes
                                          • Yes
                                          • Yes
                                          • Dribbling Pensioner
                                        • Certifications: List
                                        • Experience: Familiar
                                        • OS: Windows 7
                                        Re: Nasty virus
                                        « Reply #34 on: September 27, 2009, 04:00:16 PM »
kviez, SuperDave is off now for the night,

"$NtuninstallkB8......$", do not touch these

catchme.log, I think this has to do with something he told you to download; it may be

                                        removed when he is finished helping you
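The "$NtUninstallKB......$" folders asked about above are the uninstall backups that Windows XP hotfix installers leave under C:\WINDOWS, one per KB number. As an added example, not code from this thread, here is a small Python triage script that cross-checks such folder names against the KB numbers in the HijackThis uninstall list posted earlier, and also flags the duplicate entries and the older Java runtime the helper picked out; the uninstall-list excerpt and folder names are constructed samples copied from this thread, except "$NtUninstallKB999999$", which is made up to show a folder with no matching update.

```python
import re
from collections import Counter

# Constructed sample in the format of the HijackThis uninstall list posted
# above (entries copied from that list; the real list is much longer).
UNINSTALL_LIST = """\
Ad-Aware
Ad-Aware
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 14
Mirar
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Update for Windows XP (KB967715)
Windows XP Media Center Edition 2005 KB908246
"""

# Constructed sample of folder names under C:\WINDOWS, in the
# "$NtUninstallKB......$" form the poster asked about. KB999999 is made up
# so that one folder matches no listed update.
WINDOWS_FOLDERS = [
    "$NtUninstallKB952287$",
    "$NtUninstallKB923561$",
    "$NtUninstallKB951376-v2$",
    "$NtUninstallKB908246$",
    "$NtUninstallKB999999$",
    "system32",
    "Temp",
]

# KB identifier as it appears in Add/Remove entries: KB952287, KB970653-v3
KB_RE = re.compile(r"KB(\d{6})(?:-v(\d+))?", re.IGNORECASE)
# Hotfix uninstall folder: $NtUninstallKB952287$ or $NtUninstallKB951376-v2$
NTUNINSTALL_RE = re.compile(r"^\$NtUninstall(KB\d{6}(?:-v\d+)?)\$$", re.IGNORECASE)
# Java runtime entries: "J2SE Runtime Environment 5.0 Update 6", "Java(TM) 6 Update 14"
JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\))\s+(\d+)(?:\.\d+)?\s+Update\s+(\d+)$"
)


def listed_updates(text):
    """KB identifiers (e.g. 'KB951376-V2') named anywhere in the uninstall list."""
    found = set()
    for line in text.splitlines():
        m = KB_RE.search(line)
        if m:
            ident = "KB" + m.group(1)
            if m.group(2):
                ident += "-v" + m.group(2)
            found.add(ident.upper())
    return found


def classify_folders(folders, updates):
    """Map each $NtUninstallKB...$ folder to 'listed' (its KB appears in
    Add/Remove Programs, the expected origin) or 'unlisted' (worth a closer
    look). Folders of any other name are ignored."""
    result = {}
    for name in folders:
        m = NTUNINSTALL_RE.match(name)
        if m:
            result[name] = "listed" if m.group(1).upper() in updates else "unlisted"
    return result


def duplicate_entries(text):
    """Entries that appear more than once, like the two Ad-Aware lines."""
    counts = Counter(line.strip() for line in text.splitlines() if line.strip())
    return sorted(name for name, n in counts.items() if n > 1)


def stale_java_runtimes(text):
    """Java runtime entries older than the newest one installed (the helper
    asked for 'J2SE Runtime Environment 5.0 Update 6' to be removed)."""
    runtimes = []
    for line in text.splitlines():
        m = JAVA_RE.match(line.strip())
        if m:
            runtimes.append(((int(m.group(1)), int(m.group(2))), line.strip()))
    if not runtimes:
        return []
    newest = max(version for version, _ in runtimes)
    return [name for version, name in runtimes if version < newest]


def triage(text=UNINSTALL_LIST, folders=WINDOWS_FOLDERS):
    """Run all three checks and return one report dictionary."""
    updates = listed_updates(text)
    return {
        "folders": classify_folders(folders, updates),
        "duplicates": duplicate_entries(text),
        "stale_java": stale_java_runtimes(text),
    }


if __name__ == "__main__":
    report = triage()
    for folder, status in report["folders"].items():
        print(f"{folder}: {status}")
    print("duplicate entries:", report["duplicates"])
    print("older Java runtimes:", report["stale_java"])
```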

                                        kviez

                                          Topic Starter


                                          Rookie

                                          Re: Nasty virus
                                          « Reply #35 on: September 27, 2009, 04:39:39 PM »
                                          Thank you, Harry.

                                          SuperDave

                                          • Malware Removal Specialist
                                          • Moderator


                                          • Genius
                                          • Thanked: 1020
                                          • Certifications: List
                                          • Experience: Expert
                                          • OS: Windows 10
                                          Re: Nasty virus
                                          « Reply #36 on: September 27, 2009, 07:24:27 PM »
Hello Karen. Sorry for the delay. I was off playing a bit of ice hockey. The files that you see in C:\Windows are, if my memory serves me correctly, files that have something to do with System Restore. I could be wrong. I know they are not malicious. Catchme must have been a program that you downloaded which is designed to search for rootkits etc. Check in your Add/Remove programs to see if it's there and uninstall it. Or, it could be installed on your desktop. In that case delete the program and the log.
                                          I have one more on-line scan for you to run.

                                          ESET Online Scan

                                          Scan your computer with the ESET FREE Online Virus Scan

                                          * Click the ESET Online Scanner button.

                                          * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                                          * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
                                          * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
                                          * Place a check mark next to YES, I accept the Terms of Use.

                                          * Click the Start button.
                                          * Accept any security warnings from your browser.
                                          * Leave the check mark next to Remove found threats and place a check next to Scan archives.
                                          * Click the Start button.
                                          * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
                                          * When the scan completes, click List of found threats.
                                          * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
                                          * Click the <<Back button then click Finish.

                                          In your next reply please include the ESET Online Scan Log
                                          Windows 8 and Windows 10 dual boot with two SSD's

                                          kviez

                                            Re: Nasty virus
                                            « Reply #37 on: September 27, 2009, 09:36:25 PM »
                                            SD,

                                            Don’t ever worry about the delay – I really appreciate your help and I understand that you have a life outside of my problems.  Hope you had a good time playing hockey. 

                                            I have attached the ESET log that you requested.

I am having a couple of other problems. First, I have the yellow shield icon on my bottom tool bar saying that I need to install updates for Windows. When I click it, the message is “Automatic Updates – How do you want to install.” I then click on Express and it starts, and I get another message that updates are being installed. The icon will not go away and I have the option to install again. Also, there is a red shield with an “x” in the lower tool bar with a message that my anti-virus is turned off and my computer is at risk. I use AVG 8.5 Free and when I open it, Resident Shield is only partially functional. I have uninstalled AVG and reinstalled, and the problem remains. I uninstalled AVG a second time and am wondering if I should download another anti-virus program.

                                            Thanks again.

                                            Karen






                                            [attachment deleted by admin]

                                            harry 48



                                              Egghead

                                            • lay back , relax and chill out
                                            • Thanked: 129
                                            • Certifications: List
                                            • Experience: Familiar
                                            • OS: Windows 7
                                            Re: Nasty virus
                                            « Reply #38 on: September 28, 2009, 12:29:45 PM »
Do not want to *censored* into you helping kviez, SuperDave.

I had the same problem with AVG for months, that's why I deleted it and got Avira AntiVir Personal.

                                            SuperDave

                                            • Malware Removal Specialist
                                            • Moderator


                                            • Genius
                                            • Thanked: 1020
                                            • Certifications: List
                                            • Experience: Expert
                                            • OS: Windows 10
                                            Re: Nasty virus
                                            « Reply #39 on: September 28, 2009, 04:49:45 PM »
Hello Karen. I'm assuming you have Automatic Updates turned on. I also have it turned on and for some strange reason I get that very same thing. I'm assuming that is because my computer is not always left on when it is time for the updater to run. Try this: Go to Start, Control Panel, Add/Remove. Make sure that the "Show updates" box is checked and look at the latest date of your updates. Perhaps there's something stopping them from loading. I saw some updates in your Uninstall list but I can't see the dates. Please let me know the date of the latest one.
As for the $NtuninstallkB8......$: These are Service Pack uninstallers. Most Windows Updates have their own uninstaller. They can be removed safely, but then if an update starts making the computer crash or something, you are stuck with having to reinstall. Best to always keep them.

                                            As Harry said, AVG was once very good but lately some people have problems with it. Why not try another AV? I, myself, am very satisfied with Avast.

                                            Download one of the free Anti-Virus programs listed below.

                                            Avast! Home Edition

                                            AVG Free Edition

                                            AntiVir Personal

                                            It appears that the latest scan has cleaned up all the bugs on your computer. As soon as we get these other little problems cleared up, I'll be back with another set of instructions.

                                            kviez

                                              Re: Nasty virus
                                              « Reply #40 on: September 28, 2009, 05:49:42 PM »
                                              SD,

Great, sounds like we are almost there.  I can't thank you and evilfantasy enough for all of your help.

My most recent updates took place on 9/11/09.  I have a "Security update for Windows Media Player" and "Windows XP Media Center Edition 2005 KB973768".

The update that will not seem to install is "Windows Malicious Software Removal Tool - 2009 (KB890830)".

                                              I am downloading Avast! Home Edition right now.

                                              Karen

                                              evilfantasy

                                              • Malware Removal Specialist
                                              • Moderator


                                              • Genius
                                              • Calm like a bomb
                                              • Thanked: 493
                                              • Experience: Experienced
                                              • OS: Windows 11
                                              Re: Nasty virus
                                              « Reply #41 on: September 28, 2009, 05:54:07 PM »
                                              Try Dial-a-fix.

Download Dial-a-Fix by djlizard, save it to the desktop, then extract it to its own folder.

                                              • Open the folder and run Dial-a-fix.exe
                                              • 2 windows will open. Close the one in the background labeled Restrictive Policies
                                              • Check the box in section 1, Empty temp folders.
                                              • Check the box in section 2, Fix Windows Installer.
                                              • Check the box in section 3, Fix Windows Update.
                                              • Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
                                              • Check all boxes in section 5, labeled Registration Center.
                                              • Click Go
                                              • OK any error messages if received, but write them down and post them here.
                                              • Restart the computer when done.
                                              Can you update now?

                                              kviez

                                                Re: Nasty virus
                                                « Reply #42 on: September 28, 2009, 07:14:13 PM »
evilfantasy,

I followed your instructions, but I still cannot update.  The yellow shield shows up and I click Install; I get a message box indicating the updates are being installed, the yellow shield disappears for about 1 minute and then returns with the same update.

                                                I am sure this is a silly question, but I will ask anyway.  When the virus was deep in my system all of the icons on my desktop became highlighted.  Is there a way for me to undo the highlight?

                                                Oh, Avast home edition seems to be running fine.  Thanks for the help!

                                                Karen

                                                evilfantasy

                                                Re: Nasty virus
                                                « Reply #43 on: September 28, 2009, 07:23:37 PM »
                                                Right click on your desktop and select properties. You can adjust the desktop settings there.

                                                ----------

                                                Download Security Check by screen317 from one of the following links and save it to your desktop.

                                                Link 1
                                                Link 2

                                                * Unzip SecurityCheck.zip and a folder named Security Check should appear.
                                                * Open the Security Check folder and double-click Security Check.bat
                                                * Follow the onscreen instructions inside of the black box.
                                                * A Notepad document should open automatically called checkup.txt
                                                * Post the contents of that document in your next reply.

                                                Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

                                                kviez

                                                  Re: Nasty virus
                                                  « Reply #44 on: September 28, 2009, 07:49:16 PM »
                                                  Thank you, EF.  My desktop is back to normal.

                                                  Here is the information that was generated from Security Check. 

                                                   Results of screen317's Security Check version 0.99.0 
                                                   Windows XP Service Pack 3 
                                                  ``````````````````````````````
                                                  Antivirus/Firewall Check:

                                                   Windows Firewall Enabled! 
                                                   avast! Antivirus     
                                                   Antivirus up to date! 
                                                  ``````````````````````````````
                                                  Anti-malware/Other Utilities Check:

                                                   SUPERAntiSpyware Free Edition   
                                                   HijackThis 2.0.2   
                                                   CCleaner (remove only)   
                                                   Java(TM) 6 Update 14 
                                                   Out of date Java installed!
                                                  Adobe Reader 7.0.8
                                                  Out of date Adobe Reader installed!
                                                  ``````````````````````````````
                                                  Process Check: 
                                                  objlist.exe by Laurent

                                                   Alwil Software Avast4 aswUpdSv.exe
                                                   Alwil Software Avast4 ashServ.exe
                                                   Alwil Software Avast4 ashDisp.exe
                                                   Alwil Software Avast4 ashMaiSv.exe
                                                   Alwil Software Avast4 ashWebSv.exe
                                                  ``````````````````````````````
                                                  DNS Vulnerability Check:

                                                   Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

                                                  `````````End of Log```````````

                                                  evilfantasy

                                                  Re: Nasty virus
                                                  « Reply #45 on: September 28, 2009, 07:53:20 PM »
                                                  Your Java is out of date.

                                                  Older versions have vulnerabilities that malicious sites can use to infect your system.

                                                  First install the new Sun Java Runtime Environment

                                                  Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

                                                  Be sure to close all browser windows before beginning the install.

                                                  Remove the old version(s)

                                                  Download JavaRa
                                                  * Unzip the file and open the JavaRa.exe
                                                  * Click Remove Older Versions
                                                  * JavaRa will search for and remove any outdated version of Java and remove any that are found.
                                                  * Click Additional Tasks
                                                  * Place a check next to Remove Useless JRE Files and click Go
                                                  * Exit JavaRa
                                                  * Delete the JavaRa files from the Desktop

                                                  Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

                                                  ----------


                                                  Update your Adobe Reader. http://get.adobe.com/reader/

                                                  Be sure to uncheck the Free McAfee Security Scan so it isn't installed.

                                                  ----------

                                                  Use the Secunia Software Inspector to check for out of date software.
                                                  • Click Start Now
                                                  • Check the box next to Enable thorough system inspection.
                                                  • Click Start
                                                  • Allow the scan to finish and scroll down to see if any updates are needed.
                                                  • Update anything listed.
                                                  ----------

                                                  Now restart the computer and try updating again.

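The post above sends Karen to Security Check and the Secunia Software Inspector to find out-of-date software. As an added example (editor's code, not from the thread and not how either of those tools works internally), the PowerShell below does the local half of that job: it reads the same Uninstall registry hives that Add/Remove Programs lists from and flags Java and Adobe Reader installs whose version sits below a floor you set. The hive paths and the DisplayName/DisplayVersion value names are standard Windows; the `$Minimums` floors and the function names are assumptions chosen for this example, and the floors are placeholders, not current patch guidance. Assumes PowerShell 3 or later.

```powershell
# Added example (not from the thread): a local stand-in for the "out of date software"
# check that Security Check and Secunia perform. Reads the Uninstall hives that
# Add/Remove Programs uses and flags entries below a minimum version.
# The floors below are placeholders for illustration; set them from the vendor's
# current release before relying on the output.

$Minimums = @{
    'Java'         = [version]'6.0.999'   # assumed floor, example only
    'Adobe Reader' = [version]'9.0.0'     # assumed floor, example only
}

function Get-InstalledSoftware {
    # 32-bit and 64-bit machine-wide hives plus the per-user hive.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($hive in $hives) {
        if (-not (Test-Path -LiteralPath $hive)) { continue }
        Get-ChildItem -LiteralPath $hive | ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath
            # Entries without a DisplayName are hidden components, not user-visible programs.
            if ($p.DisplayName) {
                [pscustomobject]@{
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion
                    Date    = $p.InstallDate
                }
            }
        }
    }
}

function Test-OutdatedSoftware {
    param([hashtable]$Floors = $Minimums)
    foreach ($app in Get-InstalledSoftware) {
        foreach ($product in $Floors.Keys) {
            # e.g. 'Java(TM) 6 Update 14' matches the 'Java' floor.
            if ($app.Name -notlike "$product*") { continue }
            $v = $null
            # DisplayVersion is free text set by the installer; only compare when it
            # parses as a dotted version, otherwise skip rather than guess.
            if ([version]::TryParse($app.Version, [ref]$v) -and $v -lt $Floors[$product]) {
                [pscustomobject]@{
                    Name      = $app.Name
                    Installed = $v
                    Minimum   = $Floors[$product]
                }
            }
        }
    }
}

Test-OutdatedSoftware | Format-Table -AutoSize
```

Anything this lists should then be updated from the vendor's own download page, with bundled toolbars and trial scanners unticked, exactly as the post says; an inventory like this only tells you what is installed, it does not know what the current release is.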

                                                  kviez

                                                    Re: Nasty virus
                                                    « Reply #46 on: October 02, 2009, 09:05:02 PM »
Well, I have been working on the updates recommended from the Secunia Software Inspector.  I get a message that "Windows Malicious Software Removal Tool - September 2009 (KB890830)" was installed successfully.  And that "Security Update for Jscript 5.7 for Windows XP (KB971961)" failed to update.  I have performed this update a number of times through the Windows Update site and get the same result every time.

                                                    The yellow shield is still coming back with a message that I need to install update KB890830.  It's like something is blocking the update.

                                                    Thanks again for all of the help.

                                                    evilfantasy

                                                    Re: Nasty virus
                                                    « Reply #47 on: October 03, 2009, 10:18:25 AM »

                                                    kviez

                                                      Re: Nasty virus
                                                      « Reply #48 on: October 06, 2009, 08:06:54 PM »
                                                      I am sorry for being such a pain.  I tried the direct download 4 times and could never get it to install.  But after I tried the direct download I clicked on the yellow shield and got the message "installation complete".  I did this twice and rebooted each time and the yellow shield came back with the same message - that I needed to install the update. 

                                                      If this is not a remnant from the virus I can live with it and leave you alone.  My PC is running fine except for the annoying yellow shield.

                                                      Thanks for all of your help.  I hope that I do not need to ask for your assistance anytime soon.  EF and SD have been  an incredible help.

                                                      I can not say thank you enough.

                                                      Karen

                                                      SuperDave

                                                      Re: Nasty virus
                                                      « Reply #49 on: October 07, 2009, 05:46:24 PM »
                                                      Hello Karen. Could you please try this:

The MRT (Malicious Software Removal Tool) is located in WINDOWS\system32 and is named MRT.EXE.
To see if it's present on your system, go to Start > Run and copy and paste the below into the Open: line:

mrt

Click OK or press Enter.
Wait a little while and the tool *should* open.
Click the Next button.
Put a mark next to 'Full Scan', click Next, and do a full scan.
Please let me know what happens.
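SuperDave's check above is the manual version: type `mrt` in the Run box and see whether the tool opens. As an added example (editor's code, not from the thread), the PowerShell below does the same check from an elevated prompt and adds the things a practitioner would want to know before trusting the shield icon: whether MRT.exe is on disk, whether it carries a valid Microsoft signature, which release GUID the registry says is installed, whether an Image File Execution Options `Debugger` value is redirecting launches of it, and how its last run ended according to its log. The file path, log path, registry key and command-line switches are the documented ones for MRT; the function name and the output field names are this example's own. The IFEO check is a general test for a launch being redirected, not a statement about what was wrong on Karen's machine. Assumes PowerShell 3 or later.

```powershell
# Added example (not from the thread): verify that the Malicious Software Removal Tool
# (the KB890830 package) is installed and runnable, instead of trusting the
# Automatic Updates shield icon. Run from an elevated PowerShell 3+ prompt.
# Documented locations:
#   %SystemRoot%\System32\MRT.exe             the tool itself
#   %SystemRoot%\Debug\mrt.log                appended on every run
#   HKLM\SOFTWARE\Microsoft\RemovalTools\MRT  'Version' = GUID of the installed release

function Get-MrtStatus {
    $exe  = Join-Path $env:SystemRoot 'System32\MRT.exe'
    $log  = Join-Path $env:SystemRoot 'Debug\mrt.log'
    $key  = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT'
    # Image File Execution Options: a 'Debugger' value under an executable's name makes
    # Windows launch that program instead. Worth checking when a Run-box 'mrt' fails
    # with an access error even though the file is present.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe'

    $s = [ordered]@{
        ExePath       = $exe
        ExePresent    = Test-Path -LiteralPath $exe
        FileVersion   = $null
        SignedByMs    = $null
        ReleaseGuid   = $null
        IfeoDebugger  = $null
        LastRunResult = $null
    }

    if ($s.ExePresent) {
        $s.FileVersion = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        # The genuine binary carries a valid Microsoft Authenticode signature.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $s.SignedByMs = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
    }
    if (Test-Path -LiteralPath $key) {
        $s.ReleaseGuid = (Get-ItemProperty -LiteralPath $key).Version
    }
    if (Test-Path -LiteralPath $ifeo) {
        $s.IfeoDebugger = (Get-ItemProperty -LiteralPath $ifeo).Debugger
    }
    if (Test-Path -LiteralPath $log) {
        # mrt.log is plain text; its last 'Return code' line says how the most recent scan ended.
        $hit = Select-String -LiteralPath $log -Pattern 'Return code' | Select-Object -Last 1
        if ($hit) { $s.LastRunResult = $hit.Line.Trim() }
    }
    [pscustomobject]$s
}

$status = Get-MrtStatus
$status | Format-List

if (-not $status.ExePresent) {
    Write-Warning 'MRT.exe is absent: the KB890830 package never finished installing. Fetch it directly from Microsoft and run it by hand.'
} elseif ($status.IfeoDebugger) {
    Write-Warning "MRT.exe launches are redirected through IFEO to: $($status.IfeoDebugger). Remove that value before running it."
} elseif (-not $status.SignedByMs) {
    Write-Warning 'MRT.exe is present but not validly signed by Microsoft. Do not run it; submit the file for analysis.'
} else {
    # Documented switches: /Q quiet, /F force a full scan, /F:Y full scan and clean without prompting.
    & $status.ExePath /Q /F:Y
    Write-Host "Full scan started; results are appended to $env:SystemRoot\Debug\mrt.log"
}
```

The distinction the three warnings draw matters for the next step: a missing file means the update genuinely never landed, a redirected or unsigned file means something on the box is interfering with the tool, and only a present, signed, unredirected MRT.exe should be run.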

                                                      kviez

                                                        Re: Nasty virus
                                                        « Reply #50 on: October 07, 2009, 09:12:10 PM »
SD, I am not sure what you want me to copy and paste.  I tried "mrt" and got the following message:

                                                        "Windows cannot access the specified device, path or file.  You may not have the appropriate permissions to access the item."

                                                        Am I missing something?

                                                        SuperDave

                                                        Re: Nasty virus
                                                        « Reply #51 on: October 08, 2009, 08:12:54 AM »
                                                        That's what I wanted to know. Apparently, the download is not completing itself. Mrt should have triggered the program to run if it was there. When you download the file do you save it then install it or do you install it right away?

                                                        evilfantasy

                                                        Re: Nasty virus
                                                        « Reply #52 on: October 08, 2009, 09:57:02 AM »
                                                        Did you try mrt.exe ?

                                                        kviez

                                                          Re: Nasty virus
                                                          « Reply #53 on: October 09, 2009, 09:53:48 AM »
                                                          Yes, I tried MRT.EXE  - same error message.

                                                          SD, I have tried both ways.  I have saved and then installed. And I have installed right away.

                                                          SuperDave

                                                          Re: Nasty virus
                                                          « Reply #54 on: October 10, 2009, 01:24:52 PM »
Hello Karen. We are quite sure that the problem you're experiencing with the MRT update from MS is not caused by an infection. Your computer appears to be clean. Perhaps you could contact MS Updates to see if they can help with the MRT update problem.

                                                          NOTE: Some of these you have already done.

Use the Secunia Software Inspector to check for out of date software.
• Click Start Now
• Check the box next to Enable thorough system inspection.
• Click Start
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
                                                          ----------

                                                          Go to Microsoft Windows Update and get all critical updates.

                                                          ----------

                                                          I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                                          SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                                          * Using SpywareBlaster to protect your computer from Spyware and Malware
                                                          * If you don't know what ActiveX controls are, see here

                                                          Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                                          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                                          Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                                                          Safe Surfing

                                                          kviez

                                                            Re: Nasty virus
                                                            « Reply #55 on: October 13, 2009, 08:22:39 PM »
                                                            Thanks for all of your help!