
Author Topic: Nasty virus  (Read 23038 times)


kviez (Topic Starter)

    Re: Nasty virus
    « Reply #15 on: September 22, 2009, 06:47:20 PM »
    Okay.  Should I let the Dr. Web scan that is running in safe mode finish first?

evilfantasy (Malware Removal Specialist, Moderator)
    Re: Nasty virus
    « Reply #16 on: September 22, 2009, 06:53:04 PM »
    If it is the second run then no. It doesn't seem to be finding what it needs to. Windows Police Pro is a new and very nasty virus. We need to stop it from running.

kviez (Topic Starter)

      Re: Nasty virus
      « Reply #17 on: September 22, 2009, 09:23:36 PM »
I finally shut down the scan that was running in safe mode. It ran for nearly 8 hours. I followed the instruction:


      "Go to Start > Run > and type command.com then press Enter on the keyboard. Hopefully the Command window will open.

      In the Command window type %systemdrive%\TSKLST.txt then press Enter on the keyboard.

      The result was %systemdrive%\TSKLST.txt is not recognized as an internal or external command, operable program or batch file.

      Also, about 12 error messages popped up at lightning speed and would not close unless clicked multiple times. 

      Is there anything else that I can try?

      Karen

evilfantasy (Malware Removal Specialist, Moderator)
      Re: Nasty virus
      « Reply #18 on: September 22, 2009, 09:29:58 PM »
      Go to Start > Run and type taskmgr then press Enter.

      In the Task Manager under the Processes tab look for and end the processes for:

      windows Police Pro

svchasts <Be sure to look at the spelling on this one. It's not svchost

      Now try to download and/or update and run Malwarebytes. Post the log it creates.
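The instruction above to end "svchasts" while leaving "svchost" alone is a lookalike-name check: malware often picks a name one or two characters away from a Windows system binary, or uses the exact name from the wrong directory (the log later in this thread lists both c:\windows\svchast.exe and c:\windows\system32\drivers\smss.exe). The following script, added here as an example and not code from the thread or from any tool mentioned in it, runs that check over a constructed process list using edit distance against a small allow-list of system process names and the directory each runs from on Windows XP; the allow-list and the sample processes are assumptions for the demonstration.

```python
"""Flag process names that impersonate Windows system binaries (added example)."""
from dataclasses import dataclass

# Assumed allow-list: legitimate name -> directory it runs from on Windows XP.
# A subset only; smss.exe belongs in system32, never in system32\drivers.
KNOWN_SYSTEM = {
    "svchost.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    name: str
    path: str
    reason: str


def check_process(name, path):
    """Return a Finding if the process looks like an impersonation, else None."""
    lname = name.lower()
    directory = path.lower().rsplit("\\", 1)[0] if "\\" in path else ""
    if lname in KNOWN_SYSTEM:
        expected = KNOWN_SYSTEM[lname]
        if directory != expected:
            return Finding(name, path,
                           f"system binary name running from {directory!r}, expected {expected!r}")
        return None
    stem = lname[:-4] if lname.endswith(".exe") else lname
    for known in KNOWN_SYSTEM:
        d = edit_distance(stem, known[:-4])
        if d <= 2:
            return Finding(name, path, f"name is {d} edit(s) away from {known}")
    return None


def triage(processes):
    """Run check_process over (name, path) pairs and keep the findings."""
    return [f for f in (check_process(n, p) for n, p in processes) if f]


# Constructed sample process list (names modelled on this thread; not a real capture).
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchast.exe", r"C:\WINDOWS\svchast.exe"),
    ("svchasts.exe", r"C:\WINDOWS\svchasts.exe"),
    ("smss.exe", r"C:\WINDOWS\system32\drivers\smss.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("notepad.exe", r"C:\WINDOWS\system32\notepad.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES):
        print(f"{finding.name:14} {finding.path:45} {finding.reason}")
```

The edit-distance threshold is a triage aid rather than a verdict: short legitimate names can sit within two edits of each other, so each hit still needs the path and signer looked at. The directory check is the stronger of the two signals, since a genuine svchost.exe or smss.exe never runs from c:\windows or from the drivers folder.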

kviez (Topic Starter)

        Re: Nasty virus
        « Reply #19 on: September 22, 2009, 10:07:49 PM »
On first reboot my desktop would not open. There were no icons, just Police Pro, so there was no start bar. I hit Ctrl, Alt, Delete and ended the processes that you mentioned that way. Police Pro shut down but I was not able to open Malwarebytes. I tried OTM.exe that SD had me put on my desktop and pasted the instructions that he gave. It ran a scan, but error messages popped up saying that the file was corrupted. Also, I got a message "Mozilla Crash Reporter. Firefox has crashed."

After the OTM scan I tried to hit the red X so as to not reboot, but my system rebooted anyway. Police Pro did not come up but I cannot open any programs. I tried Add/Remove Programs and got an error message. Not sure how to proceed?

evilfantasy (Malware Removal Specialist, Moderator)
        Re: Nasty virus
        « Reply #20 on: September 22, 2009, 10:12:04 PM »
        Place this on your flash drive. Be sure to rename it before saving it.

        Download ComboFix from one of the below links. You must rename it before saving it!

        Important! You MUST save ComboFix to your desktop.

        Link 1
        Link 2

        Rename ComboFix to Combo-Fix before saving it to the desktop.





        Make sure the two processes are not running.

        Now move ComboFix to the desktop and run it.

        Double click on Combo-Fix.exe & follow the prompts.

        Vista users Right-Click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

        Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

        When the scan completes it will open a text window.
         
        Post the contents of that log in your next reply.

kviez (Topic Starter)

          Re: Nasty virus
          « Reply #21 on: September 22, 2009, 10:27:09 PM »
          I moved Combo-fix to the desktop of my infected PC.  I could not change the name before saving if that makes a difference.  I had to change it once it was on my desktop. 

When I tried to open it on my infected PC a dialog box appeared: "Open with", asking me to "choose the program you want to use to open this file." This same box came up when I tried to open Firefox and OTM as well. I am not sure what program to choose?

          I will wait for your instructions.  And thank you very much for your kindness.
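An "Open with" prompt for every .exe, as described in this post, is what a broken or redirected exefile association looks like: Windows no longer has the stock default value under HKEY_CLASSES_ROOT\exefile\shell\open\command (which is "%1" %*, the value the .reg fix quoted in the next post restores) and so either cannot launch executables or launches them through another program first. The script below is an added example, not code from the thread or from any tool in it. It parses regedit-export (.reg) text and reports whether that default value is the stock one. Both sample fragments are constructed; "interceptor.exe" is a placeholder name and does not come from the log.

```python
r"""Check an exported HKCR\exefile fragment for a redirected 'open' command (added example)."""
import re

EXPECTED_COMMAND = '"%1" %*'
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"

# A value line is  @=data  or  "name"=data  (quoted names may contain escaped quotes).
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \" -> " and \\ -> \ (single pass, left to right)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key (lower-cased): {value name: data}}.

    Registry key names are case-insensitive, so keys are normalised to lower
    case. Only quoted string data is decoded; other types stay as raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def check_exefile(text):
    r"""Return (ok, command).

    ok is True only when the default value of HKCR\exefile\shell\open\command
    is exactly '"%1" %*'; command is the decoded value found, or None if the
    key or its default value is absent from the export.
    """
    command = parse_reg(text).get(EXEFILE_KEY, {}).get("@")
    return command == EXPECTED_COMMAND, command


# Constructed sample 1: the stock association (the same text as the fix posted in the thread).
STOCK_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample 2: every .exe launch is routed through a placeholder program first.
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\interceptor.exe\" \"%1\" %*"
'''

if __name__ == "__main__":
    for label, sample in (("stock", STOCK_REG), ("redirected", HIJACKED_REG)):
        ok, command = check_exefile(sample)
        print(f"{label:10} ok={ok} command={command!r}")
```

The check is deliberately exact: anything other than "%1" %*, including a value that still ends in "%1" %* but runs another program first, is reported so the examiner can read it. To produce the input on a live machine, export the key with regedit (File > Export) and feed the resulting file to check_exefile; the same parser works for the related HKCR\.exe and HKCR\exefile\shell\runas\command keys if the constant is changed.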

kviez (Topic Starter)

            Re: Nasty virus
            « Reply #22 on: September 23, 2009, 12:31:46 AM »
After every sane person had given up on me for the night I went back and followed SD's instructions:

            2. Repair running .exe files.
            Click Start, Run. Type command and press Enter. Type notepad and press Enter.
            Notepad opens. Copy all the text below into Notepad.

            Code:

            Windows Registry Editor Version 5.00
            [HKEY_CLASSES_ROOT\exefile\shell\open\command]
            @="\"%1\" %*"


            Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
Double-click fix.reg and click Yes to confirm.
            Reboot your computer.

This unwise step, on my part, brought back my old friend Windows Police Pro. When I tried to open OTM.exe an error appeared claiming the file was corrupt. However, it somehow allowed me to open Combo-Fix, which is currently running. Hopefully I will be able to post the contents of that log in my next reply. Actually I will edit this post.

            Here is the log from ComboFix

            I have also attached scan logs for HJT, MBAM, and Superantispyware.

            Thanks for all the help I will await your reply.

            ComboFix 09-09-22.03 - James Robinson 09/22/2009 23:50.1.2 - NTFSx86
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.604 [GMT -7:00]
            Running from: c:\documents and settings\James Robinson\Desktop\Combo-Fix.exe
            AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
            FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
             * Created a new restore point
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\documents and settings\All Users\Application Data\13644684
            c:\documents and settings\All Users\Application Data\13644684\13644684
            c:\documents and settings\All Users\Application Data\13644684\13644684.exe
            c:\documents and settings\All Users\Application Data\13644684\pc13644684ins
            c:\documents and settings\All Users\Desktop\nudetube.com.lnk
            c:\documents and settings\All Users\Desktop\pornotube.com.lnk
            c:\documents and settings\All Users\Desktop\youporn.com.lnk
            c:\program files\Protection System
            c:\program files\Protection System\core.cga
            c:\program files\SafetyCenter
            c:\program files\SafetyCenter\main.ico
            c:\program files\SafetyCenter\new.exe
            c:\program files\SafetyCenter\protector.exe
            c:\program files\SafetyCenter\sound.wav
            c:\program files\SafetyCenter\start.exe
            c:\program files\SafetyCenter\uninstall.exe
            c:\program files\Windows Police Pro
            c:\program files\Windows Police Pro\msvcm80.dll
            c:\program files\Windows Police Pro\msvcp80.dll
            c:\program files\Windows Police Pro\msvcr80.dll
            c:\program files\Windows Police Pro\windows Police Pro.exe
            c:\windows\Installer\1980bf.msi
            c:\windows\kb913800.exe
            c:\windows\msa.exe
            c:\windows\ppp3.dat
            c:\windows\ppp4.dat
            c:\windows\svchast.exe
            c:\windows\system32\bennuar.old
            c:\windows\system32\bidisp.dll
            c:\windows\system32\bincd32.dat
            c:\windows\system32\config\systemprofile\Desktop\System Security 2009.lnk
            c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security
            c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security
            c:\windows\system32\dddesot.dll
            c:\windows\system32\desot.exe
            c:\windows\system32\drivers\SKYNETqrmyctxm.sys
            c:\windows\system32\drivers\smss.exe
            c:\windows\system32\drivers\UACmirbstlnuk.sys
            c:\windows\system32\lowsec
            c:\windows\system32\lowsec\local.ds
            c:\windows\system32\lowsec\user.ds
            c:\windows\system32\onhelp.htm
            c:\windows\system32\sdra64.exe
            c:\windows\system32\SKYNETbowkowam.dll
            c:\windows\system32\SKYNETgwuxtiqj.dll
            c:\windows\system32\SKYNEThoewxdut.dat
            c:\windows\system32\SKYNETklldlthw.dll
            c:\windows\system32\SKYNETwlvmjiuw.dat
            c:\windows\system32\sonhelp.htm
            c:\windows\system32\sysnet.dat
            c:\windows\system32\tapi.nfo
            c:\windows\system32\uacinit.dll
            c:\windows\system32\UACkpmkujkjne.dat
            c:\windows\system32\UACmjxqoqthgn.dll
            c:\windows\system32\UACpekvethtvj.dll
            c:\windows\system32\UACrfdxuwvtuw.dll
            c:\windows\system32\UACtvmrxwkhkn.dll
            c:\windows\Tasks\At1.job
            c:\windows\Tasks\At10.job
            c:\windows\Tasks\At11.job
            c:\windows\Tasks\At12.job
            c:\windows\Tasks\At13.job
            c:\windows\Tasks\At14.job
            c:\windows\Tasks\At15.job
            c:\windows\Tasks\At16.job
            c:\windows\Tasks\At17.job
            c:\windows\Tasks\At18.job
            c:\windows\Tasks\At19.job
            c:\windows\Tasks\At2.job
            c:\windows\Tasks\At20.job
            c:\windows\Tasks\At21.job
            c:\windows\Tasks\At22.job
            c:\windows\Tasks\At23.job
            c:\windows\Tasks\At24.job
            c:\windows\Tasks\At3.job
            c:\windows\Tasks\At4.job
            c:\windows\Tasks\At5.job
            c:\windows\Tasks\At6.job
            c:\windows\Tasks\At7.job
            c:\windows\Tasks\At8.job
            c:\windows\Tasks\At9.job
            c:\windows\Tasks\xqamlerl.job

            Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
            Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
            .
            (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            -------\Service_SKYNETdqvppxei
            -------\Legacy_SKYNETdqvppxei
            -------\Service_UACd.sys
            -------\Legacy_UACd.sys
            -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
            -------\Legacy_AntipPolice_
            -------\Service_AntipPolice_


            (((((((((((((((((((((((((   Files Created from 2009-08-23 to 2009-09-23  )))))))))))))))))))))))))))))))
            .

            2009-09-23 03:58 . 2009-09-23 03:58   --------   d-----w-   C:\_OTM
            2009-09-20 17:32 . 2009-09-20 17:32   2198   ----a-w-   C:\pPPhmrd.bat

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2009-09-11 05:38 . 2009-07-17 06:03   --------   d-----w-   c:\program files\doodoo
            2009-09-11 05:05 . 2009-07-17 05:35   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2009-09-11 03:57 . 2006-10-10 05:07   88600   ----a-w-   c:\documents and settings\James Robinson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
            2009-09-09 04:10 . 2007-01-01 07:44   --------   d-----w-   c:\program files\PokerStars
            2009-09-09 03:00 . 2009-07-12 19:19   --------   d-----w-   c:\program files\Hewlett-Packard
            2009-09-09 02:59 . 2005-08-17 01:54   --------   d-----w-   c:\program files\GemMaster
            2009-09-09 02:57 . 2006-10-03 08:56   --------   d-----w-   c:\program files\Dell
            2009-09-09 01:06 . 2009-03-16 04:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg8
            2009-09-08 15:05 . 2006-10-10 04:56   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\Symantec
            2009-08-28 18:09 . 2009-03-16 04:13   11952   ----a-w-   c:\windows\system32\avgrsstx.dll
            2009-08-28 18:09 . 2009-03-16 04:13   335240   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
            2009-08-28 18:09 . 2007-03-26 03:24   27784   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
            2009-08-24 02:34 . 2009-08-24 02:34   --------   d-----w-   c:\program files\MSBuild
            2009-08-24 02:34 . 2009-08-24 02:34   --------   d-----w-   c:\program files\Reference Assemblies
            2009-08-09 04:02 . 2009-04-16 00:14   256   ----a-w-   c:\windows\system32\pool.bin
            2009-08-08 15:00 . 2009-07-18 16:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
            2009-08-05 15:36 . 2006-10-03 09:12   --------   d-----w-   c:\program files\Google
            2009-08-05 09:01 . 2005-08-16 09:18   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
            2009-07-18 01:10 . 2009-07-18 01:10   410984   ----a-w-   c:\windows\system32\deploytk.dll
            2009-07-17 19:01 . 2005-08-16 09:18   58880   ----a-w-   c:\windows\system32\atl.dll
            2009-07-14 06:43 . 2005-08-16 09:19   286208   ----a-w-   c:\windows\system32\wmpdxm.dll
            2009-07-13 20:36 . 2009-07-17 06:03   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2009-07-13 20:36 . 2009-07-17 06:03   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2009-07-12 20:02 . 2009-07-12 19:36   19349   ----a-w-   c:\windows\HPHins02.dat
            2009-07-11 12:59 . 2009-07-18 16:45   29776   ----a-w-   c:\windows\system32\drivers\OAnet.sys
            2009-07-11 12:17 . 2009-07-18 16:45   24656   ----a-w-   c:\windows\system32\drivers\OAmon.sys
            2009-07-11 12:17 . 2009-07-18 16:45   200784   ----a-w-   c:\windows\system32\drivers\OADriver.sys
            2009-06-29 16:12 . 2005-08-16 09:18   827392   ----a-w-   c:\windows\system32\wininet.dll
            2009-06-29 16:12 . 2005-08-16 09:18   78336   ----a-w-   c:\windows\system32\ieencode.dll
            2009-06-29 16:12 . 2005-08-16 09:18   17408   ----a-w-   c:\windows\system32\corpol.dll
            2009-06-25 08:25 . 2005-08-16 09:18   54272   ----a-w-   c:\windows\system32\wdigest.dll
            2009-06-25 08:25 . 2005-08-16 09:18   56832   ----a-w-   c:\windows\system32\secur32.dll
            2009-06-25 08:25 . 2005-08-16 09:18   147456   ----a-w-   c:\windows\system32\schannel.dll
            2009-06-25 08:25 . 2005-08-16 09:18   136192   ----a-w-   c:\windows\system32\msv1_0.dll
            2009-06-25 08:25 . 2005-08-16 09:18   730112   ----a-w-   c:\windows\system32\lsasrv.dll
            2009-06-25 08:25 . 2005-08-16 09:18   301568   ----a-w-   c:\windows\system32\kerberos.dll
            2008-03-19 22:50 . 2009-07-11 21:38   97280   ----a-w-   c:\program files\Common Files\pcsbClean.exe
            2008-03-07 02:31 . 2009-07-11 21:38   134656   ----a-w-   c:\program files\Common Files\PCSBoff.exe
            2008-11-26 00:18 . 2008-11-26 00:18   27976   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcdec.dll
            2008-11-26 00:18 . 2008-11-26 00:18   126360   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcext.dll
            2008-11-26 00:19 . 2008-11-26 00:19   98712   ----a-w-   c:\program files\mozilla firefox\plugins\ieatgpc.dll
            2006-10-21 04:37 . 2006-10-11 02:39   88   --sh--r-   c:\windows\system32\670D5041A4.sys
            2006-10-21 04:37 . 2006-10-11 02:39   3766   --sha-w-   c:\windows\system32\KGyGaAvL.sys
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
            "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

            [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
            2009-06-14 23:07   1004800   ----a-w-   c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
            "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

            [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

            [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
            "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

            [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\2ee355a4-4231-4b5c-bf5b-3f37f48ee10b.exe" [2009-08-14 1830128]
            "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
            "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 176128]
            "HPHUPD05"="c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe" [2003-11-12 49152]
            "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
            "HPHmon05"="c:\windows\system32\hphmon05.exe" [2004-02-02 495616]
            "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-18 148888]
            "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-07-11 2121416]
            "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
            "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-07-11 336584]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2009-09-09 02:46   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
            2009-08-28 18:09   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
            @="Service"

            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
            backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "c:\\Program Files\\Messenger\\msmsgs.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
            "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
            "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
            "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
            "c:\\Program Files\\iTunes\\iTunes.exe"=
            "c:\\Program Files\\BitComet\\BitComet.exe"=

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
            "25008:TCP"= 25008:TCP:BitComet 25008 TCP
            "25008:UDP"= 25008:UDP:BitComet 25008 UDP

            R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/28/2009 4:08 PM 64160]
            R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/15/2009 9:13 PM 335240]
            R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/15/2009 9:13 PM 108552]
            R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [7/18/2009 9:45 AM 200784]
            R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [7/18/2009 9:45 AM 24656]
            R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [7/18/2009 9:45 AM 29776]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 74480]
            R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/15/2009 9:12 PM 297752]
            R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [7/18/2009 9:45 AM 362184]
            S1 ati2mtagg;ati2mtagg;c:\windows\system32\drivers\ati2mtagg.sys --> c:\windows\system32\drivers\ati2mtagg.sys [?]
            S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1029456]
            S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [7/18/2009 9:45 AM 3142344]
            S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
            .
            Contents of the 'Scheduled Tasks' folder

            2009-08-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
            - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 23:26]

            2009-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

            2009-09-23 c:\windows\Tasks\HP Usg Daily.job
            - c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe [2004-01-06 18:05]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.google.com/
            uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
            uInternet Settings,ProxyOverride = *.local
            IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
            IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
            FF - ProfilePath - c:\documents and settings\James Robinson\Application Data\Mozilla\Firefox\Profiles\sra2mbqw.default\
            FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
            FF - prefs.js: browser.search.selectedEngine - Google
            FF - prefs.js: browser.startup.homepage - hxxp://msn.foxsports.com/
            FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
            FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
            FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
            FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
            FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
            FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
            FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
            FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
            FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
            .
            - - - - ORPHANS REMOVED - - - -

            BHO-{1F84A284-9C04-4F6C-9520-524539D2A300} - c:\windows\system32\bidisp.dll
            WebBrowser-{3B905210-4AEE-4814-BFC3-6ACF6D406371} - (no file)
            HKU-Default-Run-minix32 - c:\windows\system32\minix32.exe
            AddRemove-HijackThis - c:\program files\Trend Micro\sniper.exe\HijackThis.exe
            AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\Malwarebytes' Anti-Malware\unins000.exe
            AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe



            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2009-09-23 00:10
            Windows 5.1.2600 Service Pack 3 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(600)
            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            c:\windows\system32\WININET.dll
            c:\windows\System32\BCMLogon.dll

            - - - - - - - > 'explorer.exe'(3392)
            c:\windows\system32\WININET.dll
            c:\windows\system32\IEFRAME.dll
            c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
            c:\windows\system32\mshtml.dll
            c:\windows\IME\SPGRMR.DLL
            c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\windows\system32\BCMWLTRY.EXE
            c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            c:\program files\Bonjour\mDNSResponder.exe
            c:\windows\ehome\ehrecvr.exe
            c:\windows\ehome\ehSched.exe
            c:\program files\Java\jre6\bin\jqs.exe
            c:\program files\Maxtor\Sync\SyncServices.exe
            c:\program files\AVG\AVG8\avgrsx.exe
            c:\progra~1\AVG\AVG8\avgnsx.exe
            c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
            c:\windows\ehome\mcrdsvc.exe
            c:\windows\system32\HPZipm12.exe
            c:\windows\system32\wscntfy.exe
            .
            **************************************************************************
            .
            Completion time: 2009-09-23  0:16 - machine was rebooted
            ComboFix-quarantined-files.txt  2009-09-23 07:16

            Pre-Run: 30,566,490,112 bytes free
            Post-Run: 32,563,552,256 bytes free

            WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
            [boot loader]
            timeout=2
            default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
            [operating systems]
            c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
            multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

            314   --- E O F ---   2009-09-20 17:29




            [attachment deleted by admin]
            « Last Edit: September 23, 2009, 02:22:23 AM by kviez »
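A log like the one above is easier to act on once it is structured. The parser below is an added example; it is not part of the thread and not a ComboFix feature, and the line formats it understands are inferred from this log only: sections are delimited by headers wrapped in runs of parentheses, the "Files Created" and "Find3M Report" rows are `modified . created   size   attrs   path`, the "Other Deletions" rows are bare paths, and the driver rows are `R0/R1/S2… service;display;path [info]`. It then summarises what a responder usually looks at first: what was removed, which files appeared in the reporting window, which files carry the hidden attribute, and which drivers are still registered as running. SAMPLE_LOG is a constructed excerpt modelled on the log in this post.

```python
r"""Parse ComboFix log sections into records and summarise them (added example)."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.+)$")
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: \[(.*)\])?$")
PATH_RE = re.compile(r"^[a-z]:\\", re.I)


def parse_combofix(text):
    """Return (sections, drivers).

    sections maps a section header to its parsed rows; drivers lists the
    R*/S* service lines, which in this log format carry no section header.
    """
    sections, drivers, current = defaultdict(list), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        d = DRIVER_RE.match(line)
        if d:
            drivers.append({"state": d.group(1), "service": d.group(2),
                            "display": d.group(3), "path": d.group(4), "info": d.group(5)})
            continue
        f = FILE_RE.match(line)
        if f and current:
            size = None if f.group(3).startswith("-") else int(f.group(3))
            sections[current].append({"modified": f.group(1), "created": f.group(2),
                                      "size": size, "attrs": f.group(4), "path": f.group(5)})
        elif current == "Other Deletions" and PATH_RE.match(line):
            sections[current].append({"path": line})
    return dict(sections), drivers


def summarize(text):
    """Reduce a log to the counts and lists a responder checks first."""
    sections, drivers = parse_combofix(text)
    deleted = [r["path"] for r in sections.get("Other Deletions", [])]
    created = [r["path"] for name, rows in sections.items()
               if name.startswith("Files Created") for r in rows]
    hidden = [r["path"] for rows in sections.values() for r in rows
              if "h" in r.get("attrs", "")]
    return {
        "deleted": len(deleted),
        "deleted_at_jobs": sum(1 for p in deleted if re.search(r"\\tasks\\at\d+\.job$", p, re.I)),
        "created_files": created,
        "hidden_files": hidden,
        "drivers_running": [d["service"] for d in drivers if d["state"].startswith("R")],
    }


# Constructed excerpt in the same layout as the log above (not the real log).
SAMPLE_LOG = r'''ComboFix 09-09-22.03 - User 09/22/2009 23:50.1.2 - NTFSx86
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\svchast.exe
c:\windows\system32\drivers\smss.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\xqamlerl.job

(((((((((((((((((((((((((   Files Created from 2009-08-23 to 2009-09-23  )))))))))))))))))))))))))))))))
.

2009-09-23 03:58 . 2009-09-23 03:58   --------   d-----w-   C:\_OTM
2009-09-20 17:32 . 2009-09-20 17:32   2198   ----a-w-   C:\pPPhmrd.bat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 18:09 . 2009-03-16 04:13   11952   ----a-w-   c:\windows\system32\avgrsstx.dll
2006-10-21 04:37 . 2006-10-11 02:39   88   --sh--r-   c:\windows\system32\670D5041A4.sys
.
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [7/18/2009 9:45 AM 24656]
S1 ati2mtagg;ati2mtagg;c:\windows\system32\drivers\ati2mtagg.sys --> c:\windows\system32\drivers\ati2mtagg.sys [?]
'''

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log in this post, the "deleted_at_jobs" count makes the At1.job to At24.job series visible at a glance (scheduled tasks created with the at command, one per hour, are a common persistence pattern worth checking on the rebuilt machine), and "hidden_files" surfaces the two --sh-- entries in the Find3M section that a reader skimming 400 lines would otherwise miss.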

SuperDave (Malware Removal Specialist, Moderator)
            Re: Nasty virus
            « Reply #23 on: September 23, 2009, 06:11:01 PM »
Very good, Karen. We seem to have gotten rid of some of the bugs on your computer. How's your computer running now? We are not finished yet. I'm presently working up some other things that we can do to make sure your computer is clean. I'll be back.

kviez (Topic Starter)

              Re: Nasty virus
              « Reply #24 on: September 23, 2009, 07:44:41 PM »
              To be honest, SD - I am afraid to boot up the infected PC.  I wanted to wait to hear from you before I used it again.  I am afraid that nasty virus is still hiding somewhere.

              Let me know what I should do next.

              Thanks for all of your help!

              Karen


evilfantasy (Malware Removal Specialist, Moderator)
              Re: Nasty virus
              « Reply #25 on: September 23, 2009, 07:47:25 PM »
              Just hold tight kviez. SD is working up a new fix.

              Oh yea. Restart the computer. It should be running fine now but there are still a few things to do before we can give you an all-clear. :)

SuperDave (Malware Removal Specialist, Moderator)
              Re: Nasty virus
              « Reply #26 on: September 25, 2009, 05:37:18 PM »
Hello Karen. Sorry for the delay. I would like you to do this; please follow the directions below:

              Delete these files/folders, as follows:

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
              KillAll::

              File::
              C:\pPPhmrd.bat

              DDS::
              FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

              Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

              Next, please do this:

              Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt

              Please download ATF Cleaner by Atribune and save it to your desktop.

              Double-click ATF-Cleaner.exe to run the program.
              Under Main choose: Select All
              Click the Empty Selected button.

              If you use Firefox browser

              Click Firefox at the top and choose: Select All
              Click the Empty Selected button.
              NOTE: If you would like to keep your saved passwords, please click No at the prompt.

              If you use Opera browser

              Click Opera at the top and choose: Select All
              Click the Empty Selected button.
              NOTE: If you would like to keep your saved passwords, please click No at the prompt.

              Click Exit to close ATF-Cleaner.

              Please go to Kaspersky website and perform an online antivirus scan.

              1. Read through the requirements and privacy statement and click on Accept button.
              2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
              3. When the downloads have finished, click on Settings.
              4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
              Spyware, Adware, Dialers, and other potentially dangerous programs
              Archives


              5. Click on My Computer under Scan.
              6. Once the scan is complete, it will display the results. Click on View Scan Report.
              7. You will see a list of infected items there. Click on Save Report As....
              8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
              9. Please post this log in your next reply along with a fresh HijackThis log.

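              Added example, not part of the thread and not ComboFix's own code: the CFScript above is a plain text file of directives (a line ending in "::") each followed by the entries it applies to, and a typo in a File:: path means the wrong file is deleted or nothing happens. The script below parses that format and runs the sanity checks a helper would want before the file is dropped onto ComboFix.exe. The only directives it knows are the three on the page (KillAll::, File::, DDS::); the sample text is the CFScript from the post, copied verbatim, and the check rules (absolute drive-letter paths, no wildcards) are this example's own assumptions about what a safe File:: entry looks like.

```python
"""Parse a ComboFix CFScript and flag entries a reviewer should look at twice.

Added example for the forum post above; not ComboFix code. The directive
semantics assumed here are only what the thread's own script shows:
KillAll:: stands alone, File:: lists files to delete, DDS:: lists DDS log
lines to act on.
"""
import re
from collections import OrderedDict

# The CFScript posted in the thread, copied verbatim (backslashes escaped).
SAMPLE_CFSCRIPT = """KillAll::

File::
C:\\pPPhmrd.bat

DDS::
FF - plugin: c:\\program files\\Viewpoint\\Viewpoint Experience Technology\\npViewpoint.dll
"""

# Assumption for this example: a File:: entry must be an absolute Windows path.
ABS_WIN_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text):
    """Return an ordered mapping {directive: [entries]}.

    A directive is a non-blank line ending in '::'; every non-blank line
    after it, up to the next directive, is an entry belonging to it.
    Blank lines separate sections and are ignored.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry appears before any directive: %r" % line)
        else:
            sections[current].append(line)
    return sections


def check_cfscript(sections):
    """Return a list of human-readable problems; an empty list means 'looks sane'."""
    problems = []
    for path in sections.get("File", []):
        if not ABS_WIN_PATH.match(path):
            problems.append("File:: entry is not an absolute path: %s" % path)
        if "*" in path or "?" in path:
            problems.append("File:: entry contains a wildcard: %s" % path)
    for directive, entries in sections.items():
        # KillAll:: takes no entries in the thread's script; any other
        # directive with nothing under it does no work and is probably a
        # copy/paste slip.
        if directive != "KillAll" and not entries:
            problems.append("%s:: has no entries" % directive)
    return problems


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for directive, entries in parsed.items():
        print("%s:: (%d entries)" % (directive, len(entries)))
        for entry in entries:
            print("    " + entry)
    for problem in check_cfscript(parsed) or ["no problems found"]:
        print("check: " + problem)
```

              Run it against the text you are about to save as CFScript.txt; if it reports anything, fix the script before dragging it onto ComboFix rather than after.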

              kviez

                Topic Starter


                Rookie

                Re: Nasty virus
                « Reply #27 on: September 25, 2009, 07:52:29 PM »
                SD,

                Thank you so much for the help that you and evilfantasy have provided.  I could not find the following in order to delete per your instructions:

                C:\combo-fix.txt  or

                C:\Combo-Fix-quarantined-files.txt

                I have attached the combofix log as you requested.  I will follow the rest of your instructions.

                Thanks again,

                Karen

                [attachment deleted by admin]

                evilfantasy

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Calm like a bomb
                • Thanked: 493
                • Experience: Experienced
                • OS: Windows 11
                Re: Nasty virus
                « Reply #28 on: September 25, 2009, 07:56:59 PM »
                Something strange appeared.

                First, please do this.

                Create An Uninstall List
                • Start HijackThis
                • Click on the Open the Misc Tools section
                • Click on the Open Uninstall Manager button.
                • Click on the Save list button and specify where you would like to save this file and click Save.
                  • When you press the Save button, Notepad will open with the contents of that file.
                • Copy and paste that list in your reply.

                kviez

                  Topic Starter


                  Rookie

                  Re: Nasty virus
                  « Reply #29 on: September 25, 2009, 10:59:59 PM »
                  evilfantasy,

                  I did not see your reply until the Kaspersky scan was done so I have attached that as well as the uninstall log from HJT.

                  Please let me know how to proceed.

                  Thanks again!

                  Ad-Aware
                  Ad-Aware
                  Adobe Flash Player 9 ActiveX
                  Adobe Flash Player Plugin
                  Adobe Reader 7.0.8
                  AOLIcon
                  Apple Mobile Device Support
                  Apple Software Update
                  AVG 8.5
                  BitComet 1.13
                  BlackBerry Desktop Software 4.6
                  BlackBerry Desktop Software 4.6
                  BlackBerry® Media Sync
                  Bonjour
                  Broadcom Management Programs
                  CCleaner (remove only)
                  CDK Players
                  Conexant HDA D110 MDC V.92 Modem
                  Critical Update for Windows Media Player 11 (KB959772)
                  Dell Digital Jukebox Driver
                  Dell Game Console
                  Dell Support 3.2
                  Dell Wireless WLAN Card
                  DellConnect
                  Digital Content Portal
                  Digital Line Detect
                  Documentation & Support Launcher
                  ELIcon
                  Games, Music, & Photos Launcher
                  High Definition Audio Driver Package - KB835221
                  HijackThis 2.0.2
                  Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
                  Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
                  Hotfix for Windows Internet Explorer 7 (KB947864)
                  Hotfix for Windows Media Format 11 SDK (KB929399)
                  Hotfix for Windows Media Player 10 (KB903157)
                  Hotfix for Windows Media Player 11 (KB939683)
                  Hotfix for Windows XP (KB952287)
                  Hotfix for Windows XP (KB961118)
                  Hotfix for Windows XP (KB970653-v3)
                  HP Memories Disc
                  Intel(R) Graphics Media Accelerator Driver
                  iTunes
                  J2SE Runtime Environment 5.0 Update 6
                  Java(TM) 6 Update 14
                  Learn2 Player (Uninstall Only)
                  Logitech Desktop Messenger
                  Logitech Harmony Remote Software 7
                  Malwarebytes' Anti-Malware
                  MathPlayer
                  Maxtor Manager
                  Maxtor Manager
                  MCU
                  Microsoft .NET Framework 1.1
                  Microsoft .NET Framework 1.1
                  Microsoft .NET Framework 1.1 Hotfix (KB928366)
                  Microsoft .NET Framework 2.0 Service Pack 2
                  Microsoft .NET Framework 3.0 Service Pack 2
                  Microsoft .NET Framework 3.5 SP1
                  Microsoft .NET Framework 3.5 SP1
                  Microsoft Compression Client Pack 1.0 for Windows XP
                  Microsoft Internationalized Domain Names Mitigation APIs
                  Microsoft Money 2002
                  Microsoft Money 2002 System Pack
                  Microsoft National Language Support Downlevel APIs
                  Microsoft Office Outlook 2003 with Business Contact Manager Update
                  Microsoft Office Small Business Edition 2003
                  Microsoft Plus! Digital Media Edition Installer
                  Microsoft Plus! Photo Story 2 LE
                  Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
                  Microsoft User-Mode Driver Framework Feature Pack 1.0
                  Microsoft Visual C++ 2005 Redistributable
                  Microsoft Works
                  Microsoft Works 2002 Setup Launcher
                  Mirar
                  MobileMe Control Panel
                  Modem Helper
                  Mozilla Firefox (3.0.14)
                  MSXML 4.0 SP2 (KB927978)
                  MSXML 4.0 SP2 (KB936181)
                  MSXML 4.0 SP2 (KB954430)
                  NetWaiting
                  Otto
                  PC Study Bible (remove only)
                  Photosmart 140,240,7200,7600,7700,7900 Series
                  Picasa 3
                  PokerStars
                  PowerDVD 5.7
                  QuickSet
                  QuickTime
                  RealPlayer Basic
                  Remote Control USB Driver
                  Roxio Media Manager
                  SearchAssist
                  Security Update for Windows Internet Explorer 7 (KB928090)
                  Security Update for Windows Internet Explorer 7 (KB931768)
                  Security Update for Windows Internet Explorer 7 (KB933566)
                  Security Update for Windows Internet Explorer 7 (KB937143)
                  Security Update for Windows Internet Explorer 7 (KB938127)
                  Security Update for Windows Internet Explorer 7 (KB939653)
                  Security Update for Windows Internet Explorer 7 (KB942615)
                  Security Update for Windows Internet Explorer 7 (KB944533)
                  Security Update for Windows Internet Explorer 7 (KB950759)
                  Security Update for Windows Internet Explorer 7 (KB953838)
                  Security Update for Windows Internet Explorer 7 (KB956390)
                  Security Update for Windows Internet Explorer 7 (KB958215)
                  Security Update for Windows Internet Explorer 7 (KB960714)
                  Security Update for Windows Internet Explorer 7 (KB961260)
                  Security Update for Windows Internet Explorer 7 (KB963027)
                  Security Update for Windows Internet Explorer 7 (KB969897)
                  Security Update for Windows Internet Explorer 7 (KB972260)
                  Security Update for Windows Media Player (KB952069)
                  Security Update for Windows Media Player (KB968816)
                  Security Update for Windows Media Player (KB973540)
                  Security Update for Windows Media Player 10 (KB917734)
                  Security Update for Windows Media Player 11 (KB936782)
                  Security Update for Windows Media Player 11 (KB954154)
                  Security Update for Windows XP (KB923561)
                  Security Update for Windows XP (KB938464)
                  Security Update for Windows XP (KB938464-v2)
                  Security Update for Windows XP (KB941569)
                  Security Update for Windows XP (KB946648)
                  Security Update for Windows XP (KB950760)
                  Security Update for Windows XP (KB950762)
                  Security Update for Windows XP (KB950974)
                  Security Update for Windows XP (KB951066)
                  Security Update for Windows XP (KB951376)
                  Security Update for Windows XP (KB951376-v2)
                  Security Update for Windows XP (KB951698)
                  Security Update for Windows XP (KB951748)
                  Security Update for Windows XP (KB952004)
                  Security Update for Windows XP (KB952954)
                  Security Update for Windows XP (KB953839)
                  Security Update for Windows XP (KB954211)
                  Security Update for Windows XP (KB954459)
                  Security Update for Windows XP (KB954600)
                  Security Update for Windows XP (KB955069)
                  Security Update for Windows XP (KB956391)
                  Security Update for Windows XP (KB956572)
                  Security Update for Windows XP (KB956744)
                  Security Update for Windows XP (KB956802)
                  Security Update for Windows XP (KB956803)
                  Security Update for Windows XP (KB956841)
                  Security Update for Windows XP (KB957095)
                  Security Update for Windows XP (KB957097)
                  Security Update for Windows XP (KB958644)
                  Security Update for Windows XP (KB958687)
                  Security Update for Windows XP (KB958690)
                  Security Update for Windows XP (KB959426)
                  Security Update for Windows XP (KB960225)
                  Security Update for Windows XP (KB960715)
                  Security Update for Windows XP (KB960803)
                  Security Update for Windows XP (KB960859)
                  Security Update for Windows XP (KB961371)
                  Security Update for Windows XP (KB961373)
                  Security Update for Windows XP (KB961501)
                  Security Update for Windows XP (KB968537)
                  Security Update for Windows XP (KB969898)
                  Security Update for Windows XP (KB970238)
                  Security Update for Windows XP (KB971557)
                  Security Update for Windows XP (KB971633)
                  Security Update for Windows XP (KB971657)
                  Security Update for Windows XP (KB973346)
                  Security Update for Windows XP (KB973354)
                  Security Update for Windows XP (KB973507)
                  Security Update for Windows XP (KB973869)
                  Sonic DLA
                  Sonic Encoders
                  Sonic RecordNow Audio
                  Sonic RecordNow Copy
                  Sonic RecordNow Data
                  Sonic Update Manager
                  SUPERAntiSpyware Free Edition
                  Synaptics Pointing Device Driver
                  Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
                  Update for Windows Media Player 10 (KB913800)
                  Update for Windows Media Player 10 (KB926251)
                  Update for Windows XP (KB951072-v2)
                  Update for Windows XP (KB951978)
                  Update for Windows XP (KB955839)
                  Update for Windows XP (KB967715)
                  Update for Windows XP (KB968389)
                  Update for Windows XP (KB973815)
                  Update Rollup 2 for Windows XP Media Center Edition 2005
                  URL Assistant
                  Viewpoint Media Player
                  Visual C++ 2008 x86 Runtime - (v9.0.30729)
                  Visual C++ 2008 x86 Runtime - v9.0.30729.01
                  WebEx
                  WildTangent Web Driver
                  Windows Media Format 11 runtime
                  Windows Media Format 11 runtime
                  Windows Media Player 10
                  Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
                  Windows Media Player 11
                  Windows Media Player 11
                  Windows Media Player Firefox Plugin
                  Windows XP Media Center Edition 2005 KB908246
                  Windows XP Media Center Edition 2005 KB925766
                  Windows XP Media Center Edition 2005 KB973768
                  Windows XP Service Pack 3



                  [attachment deleted by admin]
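                  Added example, not part of the thread and not HijackThis code: an uninstall list like the one above is long enough that the things a helper looks for (the same product listed twice, a name that matches something already being cleaned up) are easy to miss by eye. The script below reads a pasted list, reports duplicate entries, and matches each entry against a reviewer-supplied watchlist. The sample list is a constructed excerpt of the one Karen posted; the watchlist contains only "Viewpoint", chosen because the CFScript earlier in the thread already targets the Viewpoint plugin, and a match is a prompt to look, not a verdict that the program is malicious.

```python
"""Triage a HijackThis uninstall list: duplicates and watchlist matches.

Added example for the forum post above; not HijackThis code. The watchlist
is supplied by whoever is reviewing the list; the one used here is an
assumption for the example.
"""
from collections import Counter

# Constructed excerpt of the uninstall list posted in the thread.
SAMPLE_LIST = """Ad-Aware
Ad-Aware
Adobe Reader 7.0.8
BlackBerry Desktop Software 4.6
BlackBerry Desktop Software 4.6
Mirar
Viewpoint Media Player
Windows XP Service Pack 3
"""

# Assumption for this example: "Viewpoint" is watched only because the
# thread's CFScript already removes the Viewpoint Firefox plugin.
SAMPLE_WATCHLIST = ("Viewpoint",)


def parse_uninstall_list(text):
    """One entry per non-blank line, surrounding whitespace dropped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def find_duplicates(entries):
    """Names listed more than once, sorted. The uninstall manager shows one
    line per uninstall entry, so a repeat usually means a leftover or second
    entry for the same product and is worth a look."""
    counts = Counter(entries)
    return sorted(name for name, n in counts.items() if n > 1)


def watchlist_hits(entries, watchlist):
    """(entry, watch_term) pairs where the term occurs in the entry,
    compared case-insensitively so 'viewpoint' and 'Viewpoint' both match."""
    hits = []
    for entry in entries:
        for term in watchlist:
            if term.lower() in entry.lower():
                hits.append((entry, term))
    return hits


def triage(text, watchlist):
    """Summary dict the reviewer can read or assert on."""
    entries = parse_uninstall_list(text)
    return {
        "total": len(entries),
        "duplicates": find_duplicates(entries),
        "hits": watchlist_hits(entries, watchlist),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LIST, SAMPLE_WATCHLIST)
    print("%d entries" % report["total"])
    for name in report["duplicates"]:
        print("duplicate: " + name)
    for entry, term in report["hits"]:
        print("watchlist (%s): %s" % (term, entry))
```

                  Paste the full list from the post into SAMPLE_LIST (or read it from the file the uninstall manager saved) and put the names you are tracking in the watchlist; the duplicate report alone already surfaces the double Ad-Aware, BlackBerry, Maxtor Manager, .NET and Windows Media entries in Karen's list.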