
Author Topic: System Security 2009 recovery?  (Read 12820 times)


Zippy2

    Topic Starter


    Rookie

    System Security 2009 recovery?
    « on: January 21, 2010, 08:58:45 PM »
    Hello all, first time poster on this forum.  I've read many of the previous posts regarding this wonderful situation I have found myself in.  While I believe I may be 'out of the woods' by following the necessary steps, as directed by this forum, to remove the malware, I am still posting my logs in an attempt to ensure that everything is as it seems. 
    First, some background.  I began to get the annoying pop-up windows indicating the System Security 2009 breach.  After choosing to ignore the alerts to download the necessary software, I was greeted with various porn sites popping up all over my screen.  Via Firefox, I was still able to browse the web, but I was unable to run any .exe file other than Firefox.  I restarted in SAFE MODE and was able to run SUPERAntiSpyware, which located and removed 45 threats.  At this point I was able to restart XP normally and open the .exe files, but wasn't able to update Malwarebytes Anti-Malware or SUPERAntiSpyware.  After further research, I learned I needed to make some changes to my IE internet option settings.  After the changes I made the necessary updates and downloaded HJT.

    Everything functions as it did before the infection, but I would just like to be sure that I removed all that I should have to keep this from further damaging my system.

    THANK YOU!!!
    Trever

    [Saving space, attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist
    • Moderator


    Re: System Security 2009 recovery?
    « Reply #1 on: January 23, 2010, 11:49:59 AM »
    Hello Zippy2 and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    -------------------------------------------------------------------------

    It appears that you're running two Anti-Virus programs on your computer which is a no-no. One will have to be uninstalled. If you have problems with the uninstall, please let me know and I'll send you a tool to remove it.

    -------------------------------------------------------------------------

    Add or Remove Programs

    1. Click on the Windows Start button and click on the Control Panel
    2. In the Control Panel window, double-click Add or Remove Programs icon.
    3. When the Add or Remove Programs window has fully populated, check for iWin Games and uninstall it.

    ------------------------------------------------------------------------------

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    ---------------------------------------------------------------------------------

    Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

    link # 1
    link #2

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Vista users: right-click combofix.exe, select Run as Administrator and follow the prompts.
    Other users: double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

    Windows 8 and Windows 10 dual boot with two SSD's

    Zippy2

      Topic Starter


      Rookie

      Re: System Security 2009 recovery?
      « Reply #2 on: January 23, 2010, 01:18:09 PM »
      Thanks SD!

      I'm looking forward to getting this situation figured out! 

      As for the antivirus, I had uninstalled McAfee a few months ago (or so I thought). If there is any trail left on the HD, I am unaware of it, as it doesn't appear in the add/remove programs window.

      Was this one of the two AV programs you saw?

      harry 48



      Re: System Security 2009 recovery?
      « Reply #3 on: January 23, 2010, 01:21:14 PM »

      Zippy2

        Topic Starter


        Rookie

        Re: System Security 2009 recovery?
        « Reply #4 on: January 23, 2010, 02:21:02 PM »
        Disregard my last post.  I took Harry's advice to remove the old McAfee files.  The rest went well, and I have posted the logs below.

        Trev



        [Saving space, attachment deleted by admin]

        harry 48



        Re: System Security 2009 recovery?
        « Reply #5 on: January 23, 2010, 02:30:48 PM »
        Sorry, do as Dave says, he is the expert.

        SuperDave

        • Malware Removal Specialist
        • Moderator


        Re: System Security 2009 recovery?
        « Reply #6 on: January 24, 2010, 11:55:07 AM »
        DON'T RUN THIS FIX. THERE'S A PROBLEM WITH COMBOFIX.

        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code:
        KillAll::

        File::

        c:\documents and settings\Trever Good\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        c:\documents and settings\Trever Good\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
        c:\windows\pss\iWin Desktop Alerts.lnkStartup

        MIA::
        c:\windows\system32\DRIVERS\atapi.sys

        Folder::
        c:\program files\iWin.com
        c:\program files\iWin Games
        c:\documents and settings\All Users\Application Data\iWin Games
        c:\documents and settings\Trever Good\Local Settings\Application Data\vjfxrc


        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
        « Last Edit: January 24, 2010, 07:28:41 PM by SuperDave »
        Windows 8 and Windows 10 dual boot with two SSD's

        Zippy2

          Topic Starter


          Rookie

          Re: System Security 2009 recovery?
          « Reply #7 on: January 25, 2010, 09:03:53 AM »
          Got the note to not run last post this morning, after having run it yesterday afternoon.  Desktop wiped clean, "Start"/All Programs wiped clean.  Most data gone. HELP!!!

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          Re: System Security 2009 recovery?
          « Reply #8 on: January 25, 2010, 09:29:34 AM »
          Hello Zippy2.

          We need you to follow the instructions in the following link to get your computer back to normal. http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/455388-combofix-issue-resolution.html

          Let us know when that is complete and how the computer is running.

          Zippy2

            Topic Starter


            Rookie

            Re: System Security 2009 recovery?
            « Reply #9 on: January 26, 2010, 05:46:32 AM »
            As per the NEW INSTRUCTIONS from Virus/Trojan/Spyware Removal Help from techsupportforum




            DDS (Ver_09-12-01.01) - NTFSx86 
            Run by Trever Good at 16:50:38.67 on Mon 01/25/2010
            Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
            Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2303.1677 [GMT -5:00]

            AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}

            ============== Running Processes ===============

            C:\WINDOWS\system32\svchost -k DcomLaunch
            svchost.exe
            C:\WINDOWS\System32\svchost.exe -k netsvcs
            C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
            C:\Program Files\AVG\AVG9\avgchsvx.exe
            C:\Program Files\AVG\AVG9\avgrsx.exe
            C:\Program Files\AVG\AVG9\avgcsrvx.exe
            svchost.exe
            svchost.exe
            C:\WINDOWS\system32\spoolsv.exe
            svchost.exe
            C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            C:\Program Files\AVG\AVG9\avgwdsvc.exe
            C:\Program Files\Bonjour\mDNSResponder.exe
            C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
            C:\Program Files\Java\jre6\bin\jqs.exe
            C:\WINDOWS\System32\nvsvc32.exe
            C:\WINDOWS\System32\svchost.exe -k imgsvc
            C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
            C:\Program Files\AVG\AVG9\avgemc.exe
            C:\Program Files\AVG\AVG9\avgcsrvx.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\BCMSMMSG.exe
            C:\WINDOWS\System32\svchost.exe -k HTTPFilter
            C:\PROGRA~1\AVG\AVG9\avgtray.exe
            C:\Program Files\Microsoft ActiveSync\wcescomm.exe
            C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
            C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
            C:\WINDOWS\system32\ctfmon.exe
            C:\PROGRA~1\MI3AA1~1\rapimgr.exe
            C:\Program Files\Outlook Express\msimn.exe
            C:\Program Files\Internet Explorer\IEXPLORE.EXE
            C:\Documents and Settings\Trever Good\Desktop\dds.scr

            ============== Pseudo HJT Report ===============

            uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636 f6d2f
            uStart Page = https://www6.glic.com/gol/homepage/login.aspx
            uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
            uInternet Settings,ProxyServer = http=127.0.0.1:5555
            uInternet Settings,ProxyOverride = <local>
            uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
            uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
            BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
            BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
            BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
            BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
            BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
            TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
            uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
            uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
            uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
            uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
            uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
            mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
            mRun: [BCMSMMSG] BCMSMMSG.exe
            mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
            mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
            mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
            mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
            DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxps://www6.glic.com/gol/Virtual%20University/cab/awswaxm.cab
            DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www6.glic.com/gol/common/scripts/smsx.cab
            DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
            DPF: {21D817CE-B22E-11D2-B514-00C04F930B5E} - hxxps://www6.glic.com/gol/Common/Scripts/GuardianDownload.CAB
            DPF: {2E764AF3-8311-11D2-B4EC-00C04F930B5E} - hxxps://www6.glic.com/gol/GuardianHelp/Scripts/ctlDownloadHelp_2.CAB
            DPF: {2F01ABF9-0799-11D2-B771-00C04F930B5E} - hxxps://www6.glic.com/gol/GuardianHelp/scripts/ctlshowHelp_3.CAB
            DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://www6.glic.com/srvlw1/iNotes6W.cab
            DPF: {3E755E01-BB38-11D4-B44C-00105A0D610A} - hxxps://www6.glic.com/gol/Common/Cabs/ctlCommonControls.CAB
            DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
            DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
            DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.gamehouse.com/realarcade-webgames/dinerdash2/DinerDash2.cab
            DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
            DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
            DPF: {9E4A8277-58D1-11D4-8E62-00C04F6F3010} - hxxps://www6.glic.com/gol/Common/Cabs/GDL_VbRuntime.CAB
            DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
            DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.gamehouse.com/realarcade-webgames/dinerdashfloonthego/DinerDashFloGo.cab
            DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
            DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
            DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
            DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
            DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
            DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
            DPF: {E03EEB49-B0CB-46A3-A84B-BA758243A7B0} - hxxp://www.shockwave.com/content/thwartpoker/sis/OrbitalLauncher-2.0.15.cab
            Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
            Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
            Notify: avgrsstarter - avgrsstx.dll
            SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
            SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

            ================= FIREFOX ===================

            FF - ProfilePath - c:\docume~1\trever~1\applic~1\mozilla\firefox\profiles\71xjct53.default\
            FF - prefs.js: browser.search.selectedEngine - GoogleCOM
            FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|http://www.weather.com/weather/local/17569?lswe=17569&lwsa=WeatherLocalUndeclared&from=searchbox|http://sections.lancasteronline.com/local/1/9
            FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
            FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
            FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
            FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
            FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

            ---- FIREFOX POLICIES ----

            FF - user.js: browser.search.selectedEngine - GoogleCOM
            FF - user.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

            ============= SERVICES / DRIVERS ===============

            R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-21 333192]
            R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-21 28424]
            R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-21 360584]
            R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
            R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
            R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-1-21 906520]
            R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-21 285392]
            R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2003-10-14 34712]
            R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]
            R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
            S3 fsbl;F-Secure BlackLight Engine Driver;\??\c:\documents and settings\trever good\desktop\f-downadup\fsbldrv.sys --> c:\documents and settings\trever good\desktop\f-downadup\fsbldrv.sys [?]
            S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2009-3-16 39048]
            S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\11b.tmp --> c:\windows\system32\11B.tmp [?]

            =============== Created Last 30 ================

            2010-01-25 21:31:31   0   d-----w-   c:\docume~1\trever~1\applic~1\Zen Puzzle Garden
            2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\yoclient
            2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\Wildfire
            2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\ViquaSoft
            2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\Valusoft
            2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\URSE Games
            2010-01-25 21:31:25   0   d-----w-   c:\docume~1\trever~1\applic~1\Uniblue
            2010-01-25 21:31:20   0   d-----w-   c:\docume~1\trever~1\applic~1\TomTom
            2010-01-25 21:31:11   0   d-----w-   c:\docume~1\trever~1\applic~1\Super-Cow
            2010-01-25 21:30:35   0   d-----w-   c:\docume~1\trever~1\applic~1\Simple Star
            2010-01-25 21:30:31   0   d-----w-   c:\docume~1\trever~1\applic~1\Raptisoft
            2010-01-25 21:30:19   0   d-----w-   c:\docume~1\trever~1\applic~1\quickhit.football.QHFootball.4D5206CA741FBF5FD6AAD1A97F5076E917382B34.1
            2010-01-25 21:30:19   0   d-----w-   c:\docume~1\trever~1\applic~1\Pogo Games
            2010-01-25 21:30:16   0   d-----w-   c:\docume~1\trever~1\applic~1\PDF reDirect
            2010-01-25 21:30:16   0   d-----w-   c:\docume~1\trever~1\applic~1\PCF-VLC
            2010-01-25 21:30:16   0   d-----w-   c:\docume~1\trever~1\applic~1\PC-FAX TX
            2010-01-25 21:29:55   0   d-----w-   c:\docume~1\trever~1\applic~1\Participatory Culture Foundation
            2010-01-25 21:29:47   0   d-----w-   c:\docume~1\trever~1\applic~1\OpenOffice.org
            2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\Ludia
            2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\Kontiki
            2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\Jane s Hotel
            2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\iWinArcade
            2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\iWin_DressUpRush
            2010-01-25 21:29:46   0   d-----w-   c:\docume~1\trever~1\applic~1\Intuit
            2010-01-25 21:29:41   0   d-----w-   c:\docume~1\trever~1\applic~1\Home Sweet Home
            2010-01-25 21:29:30   0   d-----w-   c:\docume~1\trever~1\applic~1\Gamelab
            2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\GameInvest
            2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\Gaijin Ent
            2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\funkitron
            2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\Free Sound Recorder
            2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\FlowPlay
            2010-01-25 21:29:29   0   d-----w-   c:\docume~1\trever~1\applic~1\EleFun Games
            2010-01-25 21:29:20   0   d-----w-   c:\docume~1\trever~1\applic~1\Digital Album Organizer
            2010-01-25 21:29:17   0   d-----w-   c:\docume~1\trever~1\applic~1\CoffeeCup Software
            2010-01-25 21:29:17   0   d-----w-   c:\docume~1\trever~1\applic~1\Boolat Games
            2010-01-25 21:27:35   0   d-----w-   c:\docume~1\trever~1\applic~1\bang
            2010-01-25 21:27:34   0   d-----w-   c:\docume~1\trever~1\applic~1\Alawar
            2010-01-25 21:27:34   0   d-----w-   c:\docume~1\trever~1\applic~1\AlauxSoft
            2010-01-25 21:26:20   146   ----a-w-   c:\docume~1\trever~1\applic~1\_$_hpcst$_.hpc.zip
            2010-01-25 21:26:12   5632   ----a-w-   c:\documents and settings\trever good\Thumbs.db
            2010-01-25 21:26:12   4   ----a-w-   c:\documents and settings\trever good\win_rhtdo53x4
            2010-01-25 21:26:12   30   ----a-w-   c:\documents and settings\trever good\jagex_runescape_preferences.dat
            2010-01-25 21:26:12   187749   ----a-w-   c:\documents and settings\trever good\~
            2010-01-25 21:26:12   0   d-----w-   c:\documents and settings\trever good\.housecall6.6
            2010-01-25 21:26:11   125   ----a-w-   c:\documents and settings\trever good\BritannicaReadyReferencePrefs
            2010-01-25 21:21:27   0   d-----w-   c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
            2010-01-25 21:21:26   0   d-----w-   c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
            2010-01-25 21:21:26   0   d-----w-   c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
            2010-01-25 21:21:25   0   d-----w-   c:\docume~1\alluse~1\applic~1\VirtualFarm
            2010-01-25 21:21:24   0   d-----w-   c:\docume~1\alluse~1\applic~1\Viewpoint
            2010-01-25 21:21:23   0   d-----w-   c:\docume~1\alluse~1\applic~1\Trymedia
            2010-01-25 21:21:18   0   d-----w-   c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
            2010-01-25 21:21:18   0   d-----w-   c:\docume~1\alluse~1\applic~1\Sony Corporation
            2010-01-25 21:21:18   0   d-----w-   c:\docume~1\alluse~1\applic~1\SBSI
            2010-01-25 21:21:17   0   d-----w-   c:\docume~1\alluse~1\applic~1\Sandlot Games
            2010-01-25 21:21:17   0   d-----w-   c:\docume~1\alluse~1\applic~1\PlayPond
            2010-01-25 21:21:16   0   d-----w-   c:\docume~1\alluse~1\applic~1\NeoEdge Networks
            2010-01-25 21:21:16   0   d-----w-   c:\docume~1\alluse~1\applic~1\Napster
            2010-01-25 21:21:15   0   d-----w-   c:\docume~1\alluse~1\applic~1\JollyBear
            2010-01-25 21:21:14   0   d-----w-   c:\docume~1\alluse~1\applic~1\iWin Games
            2010-01-25 21:20:05   0   d-----w-   c:\docume~1\alluse~1\applic~1\Intuit
            2010-01-25 21:20:05   0   d-----w-   c:\docume~1\alluse~1\applic~1\HipSoft
            2010-01-25 21:19:58   0   d-----w-   c:\docume~1\alluse~1\applic~1\Grisoft
            2010-01-25 21:19:58   0   d-----w-   c:\docume~1\alluse~1\applic~1\Gogii
            2010-01-25 21:19:56   0   d-----w-   c:\docume~1\alluse~1\applic~1\GameHouse
            2010-01-25 21:19:47   0   d-----w-   c:\docume~1\alluse~1\applic~1\Fugazo
            2010-01-25 21:19:47   0   d-----w-   c:\docume~1\alluse~1\applic~1\FreshGames
            2010-01-25 21:19:47   0   d-----w-   c:\docume~1\alluse~1\applic~1\FarmFrenzy2
            2010-01-25 21:19:47   0   d-----w-   c:\docume~1\alluse~1\applic~1\FarmFrenzy-PizzaParty
            2010-01-25 21:19:44   0   d-----w-   c:\docume~1\alluse~1\applic~1\COMMON FILES
            2010-01-25 21:19:43   0   d-----w-   c:\docume~1\alluse~1\applic~1\Brother
            2010-01-25 21:19:43   0   d-----w-   c:\docume~1\alluse~1\applic~1\Awem
            2010-01-25 21:19:25   0   d-----w-   c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
            2010-01-25 21:18:34   32   ----a-w-   c:\documents and settings\all users\hash.dat
            2010-01-25 21:18:34   0   d-----w-   c:\docume~1\alluse~1\applic~1\3 Blokes Studios
            2010-01-25 16:05:26   0   d-----w-   c:\docume~1\trever~1\applic~1\Malwarebytes
            2010-01-25 16:05:26   0   d-----w-   c:\docume~1\alluse~1\applic~1\Malwarebytes
            2010-01-25 14:57:55   0   d-sh--w-   c:\documents and settings\all users\DRM
            2010-01-25 11:43:12   178   ----a-w-   c:\documents and settings\trever good\ntuser.ini
            2010-01-25 11:14:30   0   d-----w-   c:\docume~1\trever~1\applic~1\SUPERAntiSpyware.com
            2010-01-25 11:14:30   0   d-----w-   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
            2010-01-23 20:37:02   0   d-sha-r-   C:\cmdcons
            2010-01-23 20:35:09   77312   ----a-w-   c:\windows\MBR.exe
            2010-01-23 20:35:09   261632   ----a-w-   c:\windows\PEV.exe
            2010-01-23 20:35:08   98816   ----a-w-   c:\windows\sed.exe
            2010-01-23 20:35:08   161792   ----a-w-   c:\windows\SWREG.exe
            2010-01-22 02:41:02   0   d-----w-   C:\$AVG
            2010-01-22 02:40:11   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
            2010-01-22 02:40:09   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
            2010-01-22 02:40:07   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
            2010-01-22 02:40:05   0   d-----w-   c:\windows\system32\drivers\Avg
            2010-01-22 02:39:12   0   d-----w-   c:\docume~1\alluse~1\applic~1\avg9
            2010-01-22 02:38:35   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2010-01-22 02:38:33   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2010-01-13 12:29:53   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
            2010-01-09 16:13:24   0   d-----w-   c:\windows\system32\Runningman
            2010-01-09 16:13:24   0   d-----w-   c:\program files\Runningman

            ==================== Find3M  ====================

            2010-01-22 03:40:17   411368   ----a-w-   c:\windows\system32\deploytk.dll
            2010-01-05 10:00:29   832512   ------w-   c:\windows\system32\wininet.dll
            2010-01-05 10:00:21   78336   ----a-w-   c:\windows\system32\ieencode.dll
            2010-01-05 10:00:20   17408   ----a-w-   c:\windows\system32\corpol.dll
            2009-11-16 12:13:51   109016   -c--a-w-   c:\docume~1\trever~1\applic~1\GDIPFONTCACHEV1.DAT
            2008-09-13 16:27:48   32768   --sha-w-   c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091320080914\index.dat

            ============= FINISH: 16:51:59.12 ===============


            [Saving space, attachment deleted by admin]
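As an added example, not part of the thread or of any of the tools it uses, here is a small triage script over lines modeled on the DDS log above: it flags the loopback proxy (a setting consistent with Malwarebytes and SUPERAntiSpyware being unable to update until the IE connection settings were changed), orphaned entries of the kind the helper later lists for the CFScript, a bare-filename Run entry, and a driver whose file DDS could not find or that is backed by a temp file. The category names, the allowlist of expected search hosts and the sample lines are this example's own assumptions; the flags are prompts for a reviewer, not verdicts.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines modeled on the DDS "Pseudo HJT Report", "FIREFOX"
# and "SERVICES / DRIVERS" sections posted in this thread (not the full log).
SAMPLE_DDS = r"""
uStart Page = https://www6.glic.com/gol/homepage/login.aspx
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&q=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-21 333192]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\11b.tmp --> c:\windows\system32\11B.tmp [?]
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}
# Hosts a stock Firefox keyword.URL pointed at in this era; anything else is a
# search redirect worth reviewing (this allowlist is the example's assumption).
EXPECTED_SEARCH_HOSTS = {"google.com", "www.google.com"}

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)", re.I)
KEYWORD_RE = re.compile(r"keyword\.URL\s*-\s*h\w+://(?P<host>[^/\s]+)", re.I)
RUN_RE = re.compile(r"^[um]Run:\s*\[[^\]]*\]\s*\"?(?P<cmd>[^\"\s]+)", re.I)
SVC_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+)$")
ORPHAN_DPF_RE = re.compile(r"^DPF:\s*\{[0-9A-Fa-f-]+\}$")
DRIVE_RE = re.compile(r"^[a-z]:\\", re.I)


@dataclass(frozen=True)
class Finding:
    category: str  # short label for the kind of issue
    line: str      # the offending log line


def triage(dds_text: str) -> list[Finding]:
    """Return review flags for DDS/HJT-style lines.

    Flags are prompts for a human reviewer, not verdicts: some patterns also
    match legitimate software (a mail scanner's local proxy, a vendor's
    rootkit-scanner driver), which is why the helpers in the thread read the
    whole log before writing a fix.
    """
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m and m.group("host").lower() in LOOPBACK_HOSTS:
            # Every WinINet/IE request is routed through a local process; rogue
            # AV families use this to block security vendors' update servers.
            findings.append(Finding("loopback-proxy", line))
        if line.endswith("- No File") or ORPHAN_DPF_RE.match(line):
            # Registry reference whose file is gone: a leftover that is safe to fix.
            findings.append(Finding("orphan", line))
        m = KEYWORD_RE.search(line)
        if m and m.group("host").lower() not in EXPECTED_SEARCH_HOSTS:
            # Address-bar searches redirected to a third-party host.
            findings.append(Finding("search-redirect", line))
        m = RUN_RE.match(line)
        if m and not DRIVE_RE.match(m.group("cmd")):
            # Bare executable name: resolved via the search path at logon.
            findings.append(Finding("unqualified-run-path", line))
        m = SVC_RE.match(line)
        if m:
            path = m.group("path").lower()
            if path.endswith("[?]"):
                # DDS could not stat the file behind a registered service/driver.
                findings.append(Finding("missing-service-file", line))
            if ".tmp" in path:
                # A driver backed by a temp file deserves a second look.
                findings.append(Finding("tempfile-driver", line))
    return findings


def count_by_category(findings: list[Finding]) -> dict[str, int]:
    """Summary used to decide which sections of the log to read first."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.category:22} {f.line}")
```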

            Zippy2

              Topic Starter


              Rookie

              Re: System Security 2009 recovery?
              « Reply #10 on: January 26, 2010, 07:37:37 AM »
              Also, my HD had about 10 GB available space before all of this took place, but now it has 400MB available.  Any ideas as to why or what might be causing this?

              evilfantasy

              • Malware Removal Specialist
              • Moderator


              Re: System Security 2009 recovery?
              « Reply #11 on: January 26, 2010, 03:42:43 PM »
              Also, my HD had about 10 GB available space before all of this took place, but now it has 400MB available.  Any ideas as to why or what might be causing this?

              Not sure unless CCleaner removed a bunch of junk.


              Download JavaRa
              * Unzip the file and open the JavaRa.exe
              * Click Remove Older Versions
              * JavaRa will search for and remove any outdated version of Java and remove any that are found.
              * Click Additional Tasks
              * Place a check next to Remove Useless JRE Files and click Go
              * Exit JavaRa
              * Delete the JavaRa files from the desktop

              ----------

              If you already have ComboFix be sure to delete it and download a new copy.

              Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

              Link #1
              Link #2

              **Note:  It is important that it is saved directly to your Desktop

              DO NOT run it yet!

              Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

              Delete these files/folders, as follows:

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

              Code:
              KillAll::

              DDS::
              TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
              DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}


              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

              Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

              Zippy2

                Topic Starter


                Rookie

                Re: System Security 2009 recovery?
                « Reply #12 on: January 26, 2010, 05:37:51 PM »
                Evil, combofix.txt log is attached. Regarding the space available on my HD, I didn't gain space, I lost available space, from 10GB to 400MB.

                Thanks for all your help!
                Trev

                [Saving space, attachment deleted by admin]

                evilfantasy

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Calm like a bomb
                • Thanked: 493
                • Experience: Experienced
                • OS: Windows 11
                Re: System Security 2009 recovery?
                « Reply #13 on: January 26, 2010, 06:55:39 PM »
                Download TreeSize Free. http://www.jam-software.com/freeware/index.shtml

                Run TreeSize and see if you can tell what is taking up all of the disk space.

                Zippy2

                  Topic Starter


                  Rookie

                  Re: System Security 2009 recovery?
                  « Reply #14 on: January 27, 2010, 07:27:18 AM »
                  Thanks Evil,

                  Ran TreeSize, and discovered a folder on my C drive with a little over 13GB in it.  C:\QooBox\Quarantine\C\Documents and Settings.  Any recommendations on how to handle it?

                  Everything appears to be back to how it was before the first ComboFix incident where my desktop was wiped clean.  The only thing I am still missing is all of the email messages that were stored within Outlook Express.

                  Thanks,
                  Zippy2