Solve : Logs attached, need next step for malware fix?

OK, do you still get the error?

Do you have your Windows install CD?

Hi, I'm going away out of the country until Jan 11, and I won't have access to this machine (no remote access either). So, I'll pick up with this when I return! Thanks so far!!

Have a happy new year!! Oh, and oops, I didn't see your past post.
No, unfortunately I don't have the Windows install CD. I contend my husband lost it.
Otherwise, I'd have reinstalled a *long* time ago...
I'd rather not upgrade to Vista either, as I prefer XP for now, if I can help it...

OK, my plane leaves soon, so I'm shutting down...

Thanks again, and I'll post when I get back, to see if there's anything else I can do to get that Windows security system firewall thing installed, and the Add/Remove Hardware option to come back again...

cheers
gina

Hello,

I'm back.

Reminder of where I am: I did the CFScript above, and attached the log.
I don't have my Windows XP installation CD. I hope that will not be a deal-breaker. (I really don't want to change to Vista...)

The windows security alert "red X" icon still appears at the bottom, and when I click it, it still says,

"Windows cannot find 'rundll32.exe'. Make sure you typed the name correctly..."

Is there anything else I can do?

Thanks again!

Oh yeah, and to be clear, I should also mention this:

I did *not* get as far as running the IE-only-based scan mentioned above.

This is because I didn't get beyond the first step of removing Avast, because I cannot access the Add/Remove Programs function via Control Panel.

I didn't want to skip any steps...

Thanks

Do a system restore to before you ran ComboFix. Then run ComboFix again and post the log.

I did a system restore to Dec 29. That was the only option. So, we may need to re-do several of the steps again...

Here is the ComboFix log:

ComboFix 09-01-10.01 - HP_Administrator 2009-01-10 11:30:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.456 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090110-0] *On-access scanning disabled* (Updated)
AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated)
FW: Norton Internet Security 2006 *enabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\java2.sys
c:\windows\system32\snjava.dll
c:\windows\system32\mfcans32.DLL
c:\windows\system32\mfcuia32.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\rdocurs.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-10 10:46 . 2009-01-10 10:46  d--------  c:\program files\Java
2009-01-10 10:45 . 2009-01-10 10:45  d--------  c:\documents and settings\HP_Administrator\Application Data\Symantec
2009-01-10 10:45 . 2009-01-10 10:45  d--------  c:\documents and settings\All Users\Application Data\Symantec
2009-01-10 09:26 . 2009-01-10 10:44  d--------  C:\ComboFix(2)
2008-12-30 15:28 . 2008-12-30 15:28  d--------  C:\rsit
2008-12-30 15:18 . 2009-01-10 10:44  d--------  c:\windows\system32\CatRoot2
2008-12-30 14:44 . 2008-12-30 14:44  d--------  C:\_OTMoveIt
2008-12-30 14:04 . 2008-12-30 14:04  d--------  c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-29 23:53 . 2009-01-10 10:45  d--------  c:\program files\Java(2)
2008-12-29 23:49 . 2009-01-10 10:48  d--------  c:\program files\SUPERAntiSpyware
2008-12-29 23:49 . 2008-12-29 23:49  d--------  c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-12-29 22:45 . 2008-12-29 22:49  1,393  --a------  c:\windows\imsins.BAK
2008-12-29 22:27 . 2008-09-04 09:15  1,106,944  ---------  c:\windows\system32\dllcache\msxml3.dll
2008-12-29 22:27 . 2008-10-24 03:21  455,296  ---------  c:\windows\system32\dllcache\mrxsmb.sys
2008-12-29 17:09 . 2008-12-29 17:09  d--------  c:\program files\4U Computing
2008-12-29 17:09 . 2005-04-18 11:21  2,564,096  --a------  c:\windows\system32\NCTAudioCompress3.dll
2008-12-29 17:09 . 2005-04-14 19:07  2,260,992  --a------  c:\windows\system32\NCTVideoCompress.dll
2008-12-29 17:09 . 2005-04-13 11:32  1,810,432  --a------  c:\windows\system32\NCTAudioCompress2.dll
2008-12-29 17:09 . 2005-04-21 18:23  1,245,184  --a------  c:\windows\system32\NCTRMFile.dll
2008-12-29 17:09 . 2005-04-18 19:01  991,232  --a------  c:\windows\system32\NCTVideoCoreM.dll
2008-12-29 17:09 . 2005-04-14 19:05  294,912  --a------  c:\windows\system32\NCTAVIFile.dll
2008-12-29 17:09 . 2005-04-21 17:15  282,624  --a------  c:\windows\system32\NCTQuickTimeFile.dll
2008-12-29 17:09 . 2003-05-22 00:50  261,632  --a------  c:\windows\system32\mcdvd_32.dll
2008-12-29 17:09 . 2005-04-14 19:06  196,608  --a------  c:\windows\system32\NCTWMVFile.dll
2008-12-29 17:09 . 2005-04-18 15:14  139,264  --a------  c:\windows\system32\NCTVideoFile.dll
2008-12-29 17:09 . 2005-03-03 17:18  106,496  --a------  c:\windows\system32\NCTVideoCoreU.dll
2008-12-29 02:21 . 2008-12-29 02:21  d--------  c:\program files\Trend Micro
2008-12-29 02:05 . 2008-12-29 02:27  664  --a------  c:\windows\system32\d3d9caps.dat
2008-12-29 01:13 . 2008-10-16 14:07  23,576  --a------  c:\windows\system32\wuapi.dll.mui
2008-12-29 00:56 . 2008-12-29 01:02  d--------  c:\program files\SpywareBlaster
2008-12-29 00:30 . 2008-12-29 00:30  d--------  c:\program files\Malwarebytes' Anti-Malware
2008-12-29 00:30 . 2008-12-29 00:30  d--------  c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2008-12-29 00:30 . 2008-12-29 00:30  d--------  c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-29 00:30 . 2008-12-03 19:52  38,496  --a------  c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 00:30 . 2008-12-03 19:52  15,504  --a------  c:\windows\system32\drivers\mbam.sys
2008-12-28 14:07 . 2008-12-28 14:07  d--------  c:\program files\CCleaner
2008-12-28 02:24 . 2008-12-28 02:24  d--------  c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDMwOTY3MTJ8_
2008-12-28 02:18 . 2008-12-28 02:18  82,944  --a------  c:\windows\system32\bgl.exe
2008-12-28 02:07 . 2008-12-28 02:07  d--------  C:\VundoFix Backups
2008-12-27 19:46 . 2008-12-27 19:46  40,448  --a------  c:\windows\system32\k9261108.exe
2008-12-10 13:04 . 2008-12-10 13:05  d--------  c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M REPORT ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 18:45  ---------  d-----w  c:\program files\Common Files\Symantec Shared
2008-12-30 23:11  ---------  d-----w  c:\documents and settings\HP_Administrator\Application Data\U3
2008-12-30 22:13  ---------  d---a-w  c:\documents and settings\All Users\Application Data\TEMP
2008-12-30 00:46  ---------  d-----w  c:\documents and settings\HP_Administrator\Application Data\NCH Swift Sound
2008-12-29 08:55  ---------  d-----w  c:\program files\Common Files\Wise Installation Wizard
2008-12-28 22:15  ---------  d-----w  c:\program files\WildGames
2008-12-28 22:14  ---------  d-----w  c:\documents and settings\All Users\Application Data\WildTangent
2008-12-28 10:27  ---------  d-----w  c:\program files\Alawar
2008-12-28 00:03  12,489,550  ----a-w  c:\program files\PROCESSLIST.DB
2008-12-28 00:03  1,107,211  ----a-w  c:\program files\PROCESSLISTRELATED.DB
2008-12-11 20:18  ---------  d-----w  c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-12-04 09:47  59,856  ----a-w  c:\documents and settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-11-27 20:41  ---------  d-----w  c:\program files\bfgclient
2008-11-15 02:03  ---------  d-----w  c:\documents and settings\All Users\Application Data\AlawarWrapper
2008-11-14 08:13  ---------  d-----w  c:\documents and settings\HP_Administrator\Application Data\PlayFirst
2008-11-14 08:13  ---------  d-----w  c:\documents and settings\All Users\Application Data\PlayFirst
2008-11-10 02:11  ---------  d-----w  c:\program files\Spybot - Search & Destroy
2008-03-28 21:53  0  ----a-w  c:\program files\temp01
2008-02-20 18:00  168  ----a-w  c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2007-10-05 13:39  110  ----a-w  c:\documents and settings\All Users\Application Data\MostFunGameId.bin
2006-12-01 03:46  8  ----a-w  c:\documents and settings\HP_Administrator\Application Data\usb.dat.bin
2006-11-09 07:34  774,144  ----a-w  c:\program files\RngInterstitial.dll
2008-09-07 08:03  122,880  ----a-w  c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-11-11 20:28  67,696  ----a-w  c:\program files\mozilla firefox\components\jar50.dll
2008-11-11 20:28  54,376  ----a-w  c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-11 20:28  34,952  ----a-w  c:\program files\mozilla firefox\components\myspell.dll
2008-11-11 20:28  46,720  ----a-w  c:\program files\mozilla firefox\components\spellchk.dll
2008-11-11 20:28  172,144  ----a-w  c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@[date]_23.44.12.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-10 19:49:24  4,096  ----a-w  c:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\3d0bfd8b\a6f03149\_qol1q67.dll
+ 2009-01-10 19:49:23  3,072  ----a-w  c:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\3d0bfd8b\a6f03149\crsofd0p.dll
+ 2009-01-10 19:49:24  24,576  ----a-w  c:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\3d0bfd8b\a6f03149\uepzthil.dll
- 2008-11-10 02:26:58  224,816  ----a-w  c:\windows\system32\FNTCACHE.DAT
+ 2009-01-10 18:48:08  224,816  ----a-w  c:\windows\system32\FNTCACHE.DAT
+ 2009-01-10 18:47:00  1,793,884  ----a-w  c:\windows\system32\Restore\rstrlog.dat
+ 2009-01-10 19:49:20  16,384  ----atw  c:\windows\Temp\Perflib_Perfdata_280.dat
+ 2009-01-10 19:44:16  16,384  ----atw  c:\windows\Temp\Perflib_Perfdata_640.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-11 136600]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-13 663552]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-11 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-07 29744]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-30 1095256]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"CitiVAN"="c:\program files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 192512]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 c:\windows\SOUNDMAN.EXE]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
MostFun.lnk - c:\program files\MostFun\Bin\MostFun.exe [2007-08-28 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\MostFun\\Bin\\MostFun.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-22 111184]
R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [2007-05-10 17632]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-22 20560]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-10-07 29744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad445336-5ba1-11dd-bb75-00173104f808}]
\Shell\AutoRun\command - vmyphd.bat
\Shell\explore\Command - vmyphd.bat
\Shell\open\Command - vmyphd.bat
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.therainforestsite.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

c:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Program%20Files/Big%20Island%20Blends/Images/stg_drm.ocx

c:\windows\Downloaded Program Files\MLWebCacheCleaner.DLL - O16 -: {79D6214F-CFCE-480F-9901-27950E78F1E6}
hxxps://vpn.mirabilismedica.com/MLWebCacheCleaner.cab
c:\windows\Downloaded Program Files\MLWebCacheCleaner.inf

c:\windows\Downloaded Program Files\GoBitGamesPlayer.dll - O16 -: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429}
hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
c:\windows\Downloaded Program Files\GoBitGamesPlayer.inf

c:\windows\Downloaded Program Files\YYGInstantPlay.ocx - O16 -: {C49134CC-B5EF-458C-A442-E8DFE7B4645F}
hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
c:\windows\Downloaded Program Files\YYGInstantPlay.inf

c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Program%20Files/Big%20Island%20Blends/Images/armhelper.ocx

c:\windows\NGUninstallVPNTunnel.exe - c:\windows\ngssldrv.txt
c:\windows\ngssldrv.sys
c:\windows\Downloaded Program Files\ngvpntunnel.dll
O16 -: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E}
hxxps://vpn.mirabilismedica.com/NGVPNTunnel.cab
c:\windows\Downloaded Program Files\NGVPNTunnel.inf

c:\windows\Downloaded Program Files\ParkingDashWeb.1.0.0.15.dll - O16 -: {F135A813-7152-4532-AC8D-28AC2136DFC7}
hxxp://p.playfirst.com/play/game/parking-dash/parkingdash.1.0.0.15.cab
c:\windows\Downloaded Program Files\ParkingDashWeb.1.0.0.15.inf
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\c9zkmlvt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://toolbar.vmn.net/en/error404-dns.php?lg=en&mkt=en&type=dns&tbo=toolbar__2evmn__2enet__2fen__2foptions__2ephp&q=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 11:49:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-607517009-3822631778-399514384-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F5C45177-1380-6595-986F-3EE98D3B3274}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eajamganoc"=hex:66,61,64,61,6c,68,69,69,68,70,6b,63,00,fc
"daeagppm"=hex:64,62,6c,6f,6f,6a,64,68,70,6e,6d,6c,6c,67,64,6a,66,67,6d,69,65,
6f,6e,65,65,64,63,6e,66,69,6e,69,62,6c,64,64,6a,68,64,63,00,00
"iabbgflfmhmicgngef"=hex:6b,61,6e,6e,6b,61,69,6c,64,6c,64,66,66,6a,6c,6c,6b,62,
68,6b,68,61,00,9b
"haloolnnmkmblnhe"=hex:6b,61,6e,6e,6b,61,69,6c,64,6c,64,66,66,6a,6c,6c,6b,62,
68,6b,68,61,00,7f
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wbem\unsecapp.exe
c:\hp\KBD\kbd.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-01-10 11:53:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-10 19:53:33
ComboFix2.txt 2008-12-31 00:23:34
ComboFix3.txt 2008-12-30 07:45:28

Pre-Run: 173,637,173,248 bytes free
Post-Run: 173,627,486,208 bytes free

261 --- E O F --- 2008-12-30 06:49:46
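The registry section of the log above holds the entries a responder would want flagged rather than picked out by eye: Security Center monitoring switched off for the Symantec products, the Windows Firewall standard profile at EnableFirewall=0 with 3389:TCP (the Remote Desktop exception) under GloballyOpenPorts, a mountpoints2 entry whose AutoRun, open and explore commands all run vmyphd.bat when one particular removable drive is opened, and a locked Shell Extensions\Approved key holding hex blobs under random lower-case value names. The script below is an added example, not ComboFix's own code and not part of the helper's instructions: it parses a constructed SAMPLE_LOG assembled from the excerpts quoted in this thread, joins the comma-wrapped hex values the way REGEDIT4 exports wrap them, and decodes them so the reader can see what they contain (here, more random lower-case letters followed by a NUL). The indicator names are this example's own.

```python
"""Flag persistence and exposure indicators in a ComboFix-style log.

Added example for this thread: not ComboFix's own code and not the helper's
script. SAMPLE_LOG is constructed from the registry excerpts quoted in the
log above so that the script runs offline; the indicator names are this
example's own.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad445336-5ba1-11dd-bb75-00173104f808}]
\Shell\AutoRun\command - vmyphd.bat
\Shell\explore\Command - vmyphd.bat
\Shell\open\Command - vmyphd.bat

[HKEY_USERS\S-1-5-21-607517009-3822631778-399514384-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F5C45177-1380-6595-986F-3EE98D3B3274}*]
"eajamganoc"=hex:66,61,64,61,6c,68,69,69,68,70,6b,63,00,fc
"daeagppm"=hex:64,62,6c,6f,6f,6a,64,68,70,6e,6d,6c,6c,67,64,6a,66,67,6d,69,65,
6f,6e,65,65,64,63,6e,66,69,6e,69,62,6c,64,64,6a,68,64,63,00,00
"""

HEX_VALUE = re.compile(r'^"([^"]*)"=hex:(.*)$')
AUTORUN_CMD = re.compile(r'^\\Shell\\(\w+)\\command - (.+)$', re.IGNORECASE)


def iter_values(text):
    """Yield (key, value_line) pairs, joining REGEDIT4-style comma-wrapped hex values."""
    key, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        pending = line if pending is None else pending + line
        if pending.endswith(","):      # long hex: values wrap after a comma
            continue
        yield key, pending
        pending = None


def decode_hex_value(payload):
    """Turn the '66,61,...' payload of a hex: value into bytes."""
    return bytes(int(b, 16) for b in payload.split(",") if b)


def triage(text):
    """Return (indicator, detail) tuples for the entries a human should review."""
    findings = []
    for key, line in iter_values(text):
        k = (key or "").lower()
        leaf = (key or "").rsplit("\\", 1)[-1]
        low = line.lower()
        if "security center\\monitoring" in k and low == '"disablemonitoring"=dword:00000001':
            # Security Center told not to watch this product. AV suites set this
            # for themselves, so it is a review item rather than proof of tampering.
            findings.append(("security-center-monitoring-disabled", leaf))
        elif "firewallpolicy" in k and low.startswith('"enablefirewall"') and low.endswith("0 (0x0)"):
            findings.append(("windows-firewall-disabled", leaf))
        elif "globallyopenports" in k:
            port = line.split("=", 1)[0].strip().strip('"')
            findings.append(("globally-open-port", port))
        elif "mountpoints2" in k:
            m = AUTORUN_CMD.match(line)
            if m:
                # Explorer runs this command when the drive with that GUID is opened.
                findings.append(("removable-drive-autorun", f"{m.group(1)} -> {m.group(2)}"))
        elif "shell extensions\\approved" in k:
            m = HEX_VALUE.match(line)
            if m:
                data = decode_hex_value(m.group(2))
                text_part = data.split(b"\x00", 1)[0].decode("ascii", "replace")
                findings.append(("hex-blob-in-shell-extensions",
                                 f'{m.group(1)} -> "{text_part}" ({len(data)} bytes)'))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:38} {detail}")
```

Treat each printed line as a review item, not a verdict: Symantec's suite typically sets DisableMonitoring on its own Security Center entries, and a Remote Desktop exception can be something the owner enabled on purpose. The firewall being off on the profile that also opens a port, and a drive that runs a batch file on open, are the two that usually are not. To run it on a real log, replace SAMPLE_LOG with the text of ComboFix.txt.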
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
c:\windows\system32\bgl.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad445336-5ba1-11dd-bb75-00173104f808}]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while DRAGGING the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

Run this online scan.

This scanner requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications are check-marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.


1. The ESET scan results: This scan took 1 hr 52 minutes, and produced a file called "debuglog.txt" with only 3 lines:

# vers_standard_module=3756 (20090110)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)

2. The latest ComboFix log:
ComboFix 09-01-10.01 - HP_Administrator 2009-01-10 12:25:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.499 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090110-0] *On-access scanning disabled* (Updated)
AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated)
FW: Norton Internet Security 2006 *enabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\bgl.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bgl.exe
c:\windows\system32\java2.sys
c:\windows\system32\snjava.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-10 10:46 . 2009-01-10 10:46  d--------  c:\program files\Java
2009-01-10 10:45 . 2009-01-10 10:45  d--------  c:\documents and settings\HP_Administrator\Application Data\Symantec
2009-01-10 10:45 . 2009-01-10 10:45  d--------  c:\documents and settings\All Users\Application Data\Symantec
2009-01-10 09:26 . 2009-01-10 10:44  d--------  C:\ComboFix(2)
2008-12-30 15:28 . 2008-12-30 15:28  d--------  C:\rsit
2008-12-30 15:18 . 2009-01-10 10:44  d--------  c:\windows\system32\CatRoot2
2008-12-30 14:44 . 2008-12-30 14:44  d--------  C:\_OTMoveIt
2008-12-30 14:04 . 2008-12-30 14:04  d--------  c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-29 23:53 . 2009-01-10 10:45  d--------  c:\program files\Java(2)
2008-12-29 23:49 . 2009-01-10 10:48  d--------  c:\program files\SUPERAntiSpyware
2008-12-29 23:49 . 2008-12-29 23:49  d--------  c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-12-29 22:45 . 2008-12-29 22:49  1,393  --a------  c:\windows\imsins.BAK
2008-12-29 22:27 . 2008-09-04 09:15  1,106,944  ---------  c:\windows\system32\dllcache\msxml3.dll
2008-12-29 22:27 . 2008-10-24 03:21  455,296  ---------  c:\windows\system32\dllcache\mrxsmb.sys
2008-12-29 17:09 . 2008-12-29 17:09  d--------  c:\program files\4U Computing
2008-12-29 17:09 . 2005-04-18 11:21  2,564,096  --a------  c:\windows\system32\NCTAudioCompress3.dll
2008-12-29 17:09 . 2005-04-14 19:07  2,260,992  --a------  c:\windows\system32\NCTVideoCompress.dll
2008-12-29 17:09 . 2005-04-13 11:32  1,810,432  --a------  c:\windows\system32\NCTAudioCompress2.dll
2008-12-29 17:09 . 2005-04-21 18:23  1,245,184  --a------  c:\windows\system32\NCTRMFile.dll
2008-12-29 17:09 . 2005-04-18 19:01  991,232  --a------  c:\windows\system32\NCTVideoCoreM.dll
2008-12-29 17:09 . 2005-04-14 19:05  294,912  --a------  c:\windows\system32\NCTAVIFile.dll
2008-12-29 17:09 . 2005-04-21 17:15  282,624  --a------  c:\windows\system32\NCTQuickTimeFile.dll
2008-12-29 17:09 . 2003-05-22 00:50  261,632  --a------  c:\windows\system32\mcdvd_32.dll
2008-12-29 17:09 . 2005-04-14 19:06  196,608  --a------  c:\windows\system32\NCTWMVFile.dll
2008-12-29 17:09 . 2005-04-18 15:14  139,264  --a------  c:\windows\system32\NCTVideoFile.dll
2008-12-29 17:09 . 2005-03-03 17:18  106,496  --a------  c:\windows\system32\NCTVideoCoreU.dll
2008-12-29 02:21 . 2008-12-29 02:21  d--------  c:\program files\Trend Micro
2008-12-29 02:05 . 2008-12-29 02:27  664  --a------  c:\windows\system32\d3d9caps.dat
2008-12-29 01:13 . 2008-10-16 14:07  23,576  --a------  c:\windows\system32\wuapi.dll.mui
2008-12-29 00:56 . 2008-12-29 01:02  d--------  c:\program files\SpywareBlaster
2008-12-29 00:30 . 2008-12-29 00:30  d--------  c:\program files\Malwarebytes' Anti-Malware
2008-12-29 00:30 . 2008-12-29 00:30  d--------  c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2008-12-29 00:30 . 2008-12-29 00:30  d--------  c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-29 00:30 . 2008-12-03 19:52  38,496  --a------  c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 00:30 . 2008-12-03 19:52  15,504  --a------  c:\windows\system32\drivers\mbam.sys
2008-12-28 14:07 . 2008-12-28 14:07  d--------  c:\program files\CCleaner
2008-12-28 02:24 . 2008-12-28 02:24  d--------  c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDMwOTY3MTJ8_
2008-12-28 02:07 . 2008-12-28 02:07  d--------  C:\VundoFix Backups
2008-12-27 19:46 . 2008-12-27 19:46  40,448  --a------  c:\windows\system32\k9261108.exe
2008-12-10 13:04 . 2008-12-10 13:05  d--------  c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 18:45  ---------  d-----w  c:\program files\Common Files\Symantec Shared
2008-12-30 23:11  ---------  d-----w  c:\documents and settings\HP_Administrator\Application Data\U3
2008-12-30 22:13  ---------  d---a-w  c:\documents and settings\All Users\Application Data\TEMP
2008-12-30 00:46  ---------  d-----w  c:\documents and settings\HP_Administrator\Application Data\NCH Swift Sound
2008-12-29 08:55  ---------  d-----w  c:\program files\Common Files\Wise Installation Wizard
2008-12-28 22:15  ---------  d-----w  c:\program files\WildGames
2008-12-28 22:14  ---------  d-----w  c:\documents and settings\All Users\Application Data\WildTangent
2008-12-28 10:27  ---------  d-----w  c:\program files\Alawar
2008-12-28 00:03  12,489,550  ----a-w  c:\program files\PROCESSLIST.DB
2008-12-28 00:03  1,107,211  ----a-w  c:\program files\PROCESSLISTRELATED.DB
2008-12-11 20:18  ---------  d-----w  c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-12-04 09:47  59,856  ----a-w  c:\documents and settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-11-27 20:41  ---------  d-----w  c:\program files\bfgclient
2008-11-15 02:03  ---------  d-----w  c:\documents and settings\All Users\Application Data\AlawarWrapper
2008-11-14 08:13  ---------  d-----w  c:\documents and settings\HP_Administrator\Application Data\PlayFirst
2008-11-14 08:13  ---------  d-----w  c:\documents and settings\All Users\Application Data\PlayFirst
2008-11-10 02:11  ---------  d-----w  c:\program files\Spybot - Search & Destroy
2008-03-28 21:53  0  ----a-w  c:\program files\temp01
2008-02-20 18:00  168  ----a-w  c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2007-10-05 13:39  110  ----a-w  c:\documents and settings\All Users\Application Data\MostFunGameId.bin
2006-12-01 03:46  8  ----a-w  c:\documents and settings\HP_Administrator\Application Data\usb.dat.bin
2006-11-09 07:34  774,144  ----a-w  c:\program files\RngInterstitial.dll
2008-09-07 08:03  122,880  ----a-w  c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-11-11 20:28  67,696  ----a-w  c:\program files\mozilla firefox\components\jar50.dll
2008-11-11 20:28  54,376  ----a-w  c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-11 20:28  34,952  ----a-w  c:\program files\mozilla firefox\components\myspell.dll
2008-11-11 20:28  46,720  ----a-w  c:\program files\mozilla firefox\components\spellchk.dll
2008-11-11 20:28  172,144  ----a-w  c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@[date]_23.44.12.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-10 19:49:24  4,096  ----a-w  c:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\3d0bfd8b\a6f03149\_qol1q67.dll
+ 2009-01-10 19:49:23  3,072  ----a-w  c:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\3d0bfd8b\a6f03149\crsofd0p.dll
+ 2009-01-10 19:49:24  24,576  ----a-w  c:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\3d0bfd8b\a6f03149\uepzthil.dll
- 2008-11-10 02:26:58  224,816  ----a-w  c:\windows\system32\FNTCACHE.DAT
+ 2009-01-10 18:48:08  224,816  ----a-w  c:\windows\system32\FNTCACHE.DAT
+ 2009-01-10 18:47:00  1,793,884  ----a-w  c:\windows\system32\Restore\rstrlog.dat
+ 2009-01-10 20:34:39  16,384  ----atw  c:\windows\Temp\Perflib_Perfdata_648.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-11 136600]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-13 663552]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-11 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-07 29744]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-30 1095256]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"CitiVAN"="c:\program files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 192512]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 c:\windows\SOUNDMAN.EXE]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
MostFun.lnk - c:\program files\MostFun\Bin\MostFun.exe [2007-08-28 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\MostFun\\Bin\\MostFun.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-22 111184]
R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [2007-05-10 17632]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-22 20560]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-10-07 29744]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.therainforestsite.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

c:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Program%20Files/Big%20Island%20Blends/Images/stg_drm.ocx

c:\windows\Downloaded Program Files\MLWebCacheCleaner.DLL - O16 -: {79D6214F-CFCE-480F-9901-27950E78F1E6}
hxxps://vpn.mirabilismedica.com/MLWebCacheCleaner.cab
c:\windows\Downloaded Program Files\MLWebCacheCleaner.inf

c:\windows\Downloaded Program Files\GoBitGamesPlayer.dll - O16 -: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429}
hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
c:\windows\Downloaded Program Files\GoBitGamesPlayer.inf

c:\windows\Downloaded Program Files\YYGInstantPlay.ocx - O16 -: {C49134CC-B5EF-458C-A442-E8DFE7B4645F}
hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
c:\windows\Downloaded Program Files\YYGInstantPlay.inf

c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Program%20Files/Big%20Island%20Blends/Images/armhelper.ocx

c:\windows\NGUninstallVPNTunnel.exe - c:\windows\ngssldrv.txt
c:\windows\ngssldrv.sys
c:\windows\Downloaded Program Files\ngvpntunnel.dll
O16 -: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E}
hxxps://vpn.mirabilismedica.com/NGVPNTunnel.cab
c:\windows\Downloaded Program Files\NGVPNTunnel.inf

c:\windows\Downloaded Program Files\ParkingDashWeb.1.0.0.15.dll - O16 -: {F135A813-7152-4532-AC8D-28AC2136DFC7}
hxxp://p.playfirst.com/play/game/parking-dash/parkingdash.1.0.0.15.cab
c:\windows\Downloaded Program Files\ParkingDashWeb.1.0.0.15.inf
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\c9zkmlvt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://toolbar.vmn.net/en/error404-dns.php?lg=en&mkt=en&type=dns&tbo=toolbar__2evmn__2enet__2fen__2foptions__2ephp&q=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 12:39:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-607517009-3822631778-399514384-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F5C45177-1380-6595-986F-3EE98D3B3274}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eajamganoc"=hex:66,61,64,61,6c,68,69,69,68,70,6b,63,00,fc
"daeagppm"=hex:64,62,6c,6f,6f,6a,64,68,70,6e,6d,6c,6c,67,64,6a,66,67,6d,69,65,
6f,6e,65,65,64,63,6e,66,69,6e,69,62,6c,64,64,6a,68,64,63,00,00
"iabbgflfmhmicgngef"=hex:6b,61,6e,6e,6b,61,69,6c,64,6c,64,66,66,6a,6c,6c,6b,62,
68,6b,68,61,00,9b
"haloolnnmkmblnhe"=hex:6b,61,6e,6e,6b,61,69,6c,64,6c,64,66,66,6a,6c,6c,6b,62,
68,6b,68,61,00,7f
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\msiexec.exe
c:\program files\DISC\DiscStreamHub.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-01-10 12:44:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-10 20:43:48
ComboFix2.txt 2009-01-10 19:53:59
ComboFix3.txt 2008-12-31 00:23:34
ComboFix4.txt 2008-12-30 07:45:28

Pre-Run: 173,603,606,528 bytes free
Post-Run: 173,586,448,384 bytes free

257--- E O F ---2008-12-30 06:49:46
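For anyone reading a log like the one above later: an added example, not ComboFix's or the thread's own code, that pulls the Security Center monitoring, firewall-policy and open-port registry blocks out of the log text and reports what a responder would want to check (Security Center monitoring switched off, the Windows Firewall disabled, ports opened to all networks). The sample input is constructed from the log's own lines.

```python
# Added example (not ComboFix's own code): parse the Security Center,
# firewall-policy and open-port registry blocks from a ComboFix log and
# report the settings a responder would want to look at.
import re

# Constructed sample, copied from the same blocks shown in the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                # [registry key path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=value


def parse_sections(text):
    """Return {key_path: {value_name: raw_value}} for each registry block."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            sections[current] = {}
        elif (m := VALUE_RE.match(line)) and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def findings(text):
    """Flag disabled Security Center monitoring, a disabled firewall and open ports."""
    out = []
    for key, values in parse_sections(text).items():
        low = key.lower()
        if "security center\\monitoring\\" in low and values.get("DisableMonitoring", "").endswith("1"):
            out.append("Security Center monitoring disabled for " + key.rsplit("\\", 1)[-1])
        elif low.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            out.append("Windows Firewall disabled in the standard profile")
        elif low.endswith("globallyopenports\\list"):
            out.extend("Port open to all networks: " + name for name in values)
    return out
```

Run against the real log text instead of SAMPLE_LOG to get the same report for another machine; the ComboFix-specific `HKLM\~\...` key prefix is matched by suffix, so the abbreviated and full spellings both work.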

To completely remove Norton/Symantec, go to Add/Remove Programs and uninstall anything with Norton, Symantec or LiveUpdate in the name.

Download the Norton Removal Tool (SymNRT) to your Desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

  • Go to your desktop and double click on the removal tool and then click Setup.
  • Once open Click Next
  • Accept the license agreement and click Next
  • Type in the letters/numbers that you see into the text box then click Next.
  • Then click Next and the tool will start running.
  • Once finished restart the PC and run the tool again to ensure everything has been removed.
  • Delete Nortonremoval tool from your Desktop.
.
----------

How is the computer running now?

Whaddya know, I think it worked!
I don't seem to have the problem with accessing the control panel anymore, and the "red X" doesn't appear at the bottom, and the SuperAntiSpyware and Malwarebytes scans come up clean...

Anything else I need to do??

Also, how can I make sure a paypal donation goes to you?!

thanks
Glad it worked. We can clean up now.

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

----------

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator
  • Under Main: Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it yourself.
Important: Restart the computer before continuing.

----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

This is great, can't thank you enough! Excellent resources at the end, too.
I wish everyone would use those!
(And I wish malware writing would be illegal...)

Anyway, thanks and be on the lookout for a donation--I wish I could afford more.

It is illegal, but since they are usually in countries that the US, Europe, Australia, Canada and so on don't have any legal resources in, they get away with it very easily.

Glad it all worked!

Safe surfing...
