Need help with malware?

I've read the info page and thus far have run Avast, which found three or four trojans. Before coming here I had already tried to run SUPERantispyware (already on my machine) and couldn't. I uninstalled but was unable to reinstall from the site. I was able to download from Cnet but I cannot install it. I have also run Windows Defender and the regular version of CCleaner which I already had on. I wanted to double check if I need to specifically download the CC slim version, if I am able to download. At the moment I cannot access most antispyware related sites.

I am pretty sure I'm dealing with ad.doubleclick.net issues as ads on websites are being switched to the inappropriate kinds and my dh had vulgar pop ups to deal with. Never had the latter kinds of problems before. Comp is running slow and sometimes freezing up.

Since I cannot download SAS, do I just continue down the list and see what I am able to do?

TIA for your help!

Just make note of what happens and continue on with the next step...

I've completed steps 1 and 2.

Couldn't complete 3 or 4. I was able to download from alternative download sites but they wouldn't install - got Microsoft message "SUPERantispyware has encountered a problem and needs to close" and the same for Malwarebytes.

I completed step 5, although I forgot to close my browser. Am I okay or should I reinstall?

That brings me to step 6, Hijack This. The directions SAY to run this after the other steps have been completed. Since they can't be completed, should I just go ahead and run Hijack This and post the log?

Mbam renamer


Try the renamer download for Malwarebytes.

http://kixhelp.com/wr/files/mb/randmbam.exe

The randmbam.exe will try to create random names and shortcuts for Malwarebytes Anti Malware (MBAM) if you have it installed already.

If it installs then use this link to download the updates.

Download Malwarebytes' Anti-Malware Database - GT500.org

Just download it to the desktop and run the exe, then run Malwarebytes.


You can try downloading SAS in safe mode, or try renaming the file to sniper.exe and see if you can run it that way... if you can't, then just go on to HJT and see if you can run it...

Ok, I was able to get SAS and Malwarebytes logs. Had to get a go-around download and run from SAS support. It made it through but froze as I clicked to quarantine. The renamer worked for Malwarebytes and I was able to complete the scan. Followed the directions for HijackThis. It took several tries because it either froze or the comp restarted, but I got the log. I'll post all three below.

Although some trojans have been detected and quarantined, the comp is still running slow or freezing, and I am still dealing with inappropriate pop ups and switched ads on websites. Two other things I forgot to mention: my Seagate external hard drive has stopped functioning in all this, with a message that it cannot find any drives; and neither the disk defragmenter nor chkdsk is operational.

Thanks so much for the help thus far. Hope you can help me figure the rest out.

SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/17/2009 at 11:22 PM

Application Version : 4.26.1006

Core Rules Database Version : 3966
Trace Rules Database Version: 1906

Scan type : Complete Scan
Total Scan Time : 01:02:22

Memory items scanned : 619
Memory threats detected : 0
Registry items scanned : 6439
Registry threats detected : 4
File items scanned : 33962
File threats detected : 3

Trojan.Unknown Origin
HKU\.DEFAULT\Software\ColdWare
HKU\S-1-5-18\Software\ColdWare

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{0A9A4FEC-465F-4421-8F47-4242C1C17886}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{0A9A4FEC-465F-4421-8F47-4242C1C17886}#NAMESERVER

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt



MALWAREBYTES:

Malwarebytes' Anti-Malware 1.39
Database version: 2454
Windows 5.1.2600 Service Pack 2

7/18/2009 12:51:06 AM
mbam-log-2009-07-18 (00-51-06).txt

Scan type: Quick Scan
Objects scanned: 155866
Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1720a2b8-5386-4d8a-8527-260871b6c7b5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1720a2b8-5386-4d8a-8527-260871b6c7b5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niguwufosa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.


HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:02 AM, on 7/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media READER\shwiconem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
C:\Program Files\MEDIC\bin\sprtcmd.exe
C:\WINDOWS\system32\WTClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crosswalk.com/homeschool
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime] C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
O4 - HKLM\..\Run: [MEDIC] "C:\Program Files\MEDIC\bin\sprtcmd.exe" /P MEDIC
O4 - HKLM\..\Run: [WTClient] WTClient.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-19\..\Run: [niguwufosa] Rundll32.exe "C:\WINDOWS\system32\zodavula.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [niguwufosa] Rundll32.exe "C:\WINDOWS\system32\zodavula.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\WINDOWS\system32\wugakuwa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service - Seagate TECHNOLOGY LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 11037 bytes
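As an added example, not part of the original post and not code from HijackThis or Malwarebytes, the script below runs a few of the checks a log reviewer applies by hand over lines copied from the HijackThis and Malwarebytes logs above: Run entries under the LOCAL SERVICE / NETWORK SERVICE profiles, a Windows system binary name (msdtc.exe) started from a user-writable directory, rundll32 loaders whose value and DLL names are lowercase-only generated strings, a non-empty AppInit_DLLs value, and NameServer data pointing at public resolvers. The EXPECTED_RESOLVERS allowlist and the SYSTEM_BINARIES set are assumptions of this example; a real check would take the resolver list from the router or ISP.

```python
"""Heuristic triage of HijackThis / Malwarebytes log lines.

Added example for this thread, not code from the thread, from HijackThis or
from Malwarebytes. SAMPLE_LINES are copied from the logs posted above; the
heuristics, EXPECTED_RESOLVERS and SYSTEM_BINARIES are this example's own
assumptions.
"""
import ipaddress
import re

# Constructed allowlist: resolvers this machine is expected to use. A real
# check would take these from the router or ISP configuration.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Windows binary names that should only ever run from the Windows directory.
SYSTEM_BINARIES = {"msdtc.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"
USER_WRITABLE = ("c:\\documents and settings\\", "c:\\docume~1\\")
SERVICE_ACCOUNT_SIDS = ("S-1-5-19", "S-1-5-20")  # LOCAL SERVICE, NETWORK SERVICE

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")
DNS_RE = re.compile(r"NameServer.*?Data: (?P<servers>[\d.,]+)")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll))', re.I)
GENERATED_NAME_RE = re.compile(r"[a-z]{6,}")  # lowercase letters only, no digits or punctuation


def _target(cmd):
    """Return (file the entry really loads, launched via rundll32?)."""
    cmd = re.sub(r"\s+\(User '[^']*'\)$", "", cmd)  # drop HijackThis' (User '...') suffix
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll"), True
    m = PATH_RE.match(cmd)
    return (m.group("path") if m else cmd), False


def triage(lines):
    """Return (entry, reason) pairs for log lines that deserve a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, name = m.group("hive"), m.group("name")
            target, via_rundll = _target(m.group("cmd"))
            low = target.lower()
            base = target.rsplit("\\", 1)[-1]
            stem = base.rsplit(".", 1)[0]
            if any(sid in hive for sid in SERVICE_ACCOUNT_SIDS):
                findings.append((name, "Run entry in a service-account profile "
                                       "(LOCAL/NETWORK SERVICE), which normally has none"))
            if base.lower() in SYSTEM_BINARIES and not low.startswith(WINDOWS_DIR):
                findings.append((name, f"system binary name {base} launched from outside "
                                       "the Windows directory"))
            elif low.startswith(USER_WRITABLE):
                findings.append((name, "autostart target lives in a user-writable profile directory"))
            if via_rundll and GENERATED_NAME_RE.fullmatch(name) and GENERATED_NAME_RE.fullmatch(stem):
                findings.append((name, f"rundll32 loader with generated-looking value and DLL names ({base})"))
            continue
        m = O20_RE.match(line)
        if m:
            findings.append(("AppInit_DLLs", f"{m.group('dlls')} is injected into every process "
                                             "that loads user32.dll; normally empty"))
            continue
        m = DNS_RE.search(line)
        if m:
            bad = [s for s in m.group("servers").split(",")
                   if s not in EXPECTED_RESOLVERS and not ipaddress.ip_address(s).is_private]
            if bad:
                findings.append(("NameServer", f"resolvers {', '.join(bad)} are public addresses "
                                               "outside the expected set"))
    return findings


# Lines copied from the HijackThis and Malwarebytes logs posted above.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [QuickTime] C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r"""O4 - HKUS\S-1-5-19\..\Run: [niguwufosa] Rundll32.exe "C:\WINDOWS\system32\zodavula.dll",s (User 'LOCAL SERVICE')""",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\wugakuwa.dll",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.109,85.255.112.192 -> Quarantined and deleted successfully.",
]

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LINES):
        print(f"[{entry}] {reason}")
```

The NvCplDaemon and QuickTime Task lines pass every check and the Winlogon Notify line is ignored, so the output is limited to the QuickTime entry, the two niguwufosa findings, the AppInit_DLLs value and the hijacked resolvers. Note also that the Malwarebytes log shows the same NameServer data under CurrentControlSet, ControlSet002 and ControlSet003; a check that reads only CurrentControlSet would miss the copies in the other control sets.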

I forgot to mention that I was unable to update SAS or Malwarebytes. I was able to access updates for HijackThis.

Good job getting the required logs... Evilfantasy will be along to review them... be patient... it's a summer weekend.

You need to go to Seagate (Seagate for Windows) to sort out your machine: download it and let it scan the PC.


http://www.seagate.com/www/en-us/support/downloads/seatools

Go to the link below and download Smart Defrag.

http://www.iobit.com/

Download The Comedian to your desktop.

* Double click the program to run it.
* It will do a series of tasks and tell you when each one is FINISHED.
* You will be prompted to press any key after each step
* When it is done it will close and exit itself automatically.
* You can delete The_Comedian.exe once it is finished.
----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix.

Thanks for getting back to me!

I downloaded and ran The Comedian but on Step 4 it said it could not create a restore point. Should I still proceed to Combofix? Also, I wasn't sure when it asked about creating registry backups kept for 30 days; I checked ok.

Yes, just continue on please.

Here's the ComboFix log. Couldn't run it as ComboFix so I tried renaming it to Combo-Fix and that worked.

ComboFix 09-07-23.04 - Owner 07/24/2009 17:21.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.43 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090723-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2212892535-3016890555-2903492491-1003
c:\windows\desktop
c:\windows\desktop\EA Hot Titles!.exe
c:\windows\Installer\132159e.msp
c:\windows\Installer\acbac.msi
c:\windows\system32\drivers\ESQULxuwyltfqxuuwpdqbpnobodpqqtjkbmup.sys
c:\windows\system32\ESQULabwwxiqpeltobirvvjmldunqkeqbrgai.dll
c:\windows\system32\ESQULrbhtkbljbmtclcvtqjoetiwlrtsrtena.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\MabryObj.dll
c:\windows\system32\skinboxer43.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-24 18:56 . 2009-07-24 18:57  --------  d-----w-  c:\program files\ERUNT
2009-07-22 01:15 . 2009-07-22 01:15  --------  d-----w-  c:\documents and settings\Owner\Application Data\IObit
2009-07-22 01:15 . 2009-07-22 01:15  --------  d-----w-  c:\program files\IObit
2009-07-18 05:06 . 2009-07-18 05:06  --------  d-----w-  c:\program files\Trend Micro
2009-07-18 04:38 . 2009-07-18 04:38  --------  d-----w-  c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-18 02:13 . 2009-07-18 02:13  --------  d-----w-  c:\program files\Common Files\Wise Installation Wizard
2009-07-18 00:55 . 2009-07-18 00:55  142592  ----a-w-  c:\windows\system32\drivers\sp_rsdrv2.sys
2009-07-18 00:54 . 2009-07-24 20:37  --------  d-----w-  c:\documents and settings\Owner\Application Data\Spyware Terminator
2009-07-18 00:54 . 2009-07-24 18:46  --------  d-----w-  c:\docume~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2009-07-18 00:54 . 2009-07-18 00:59  --------  d-----w-  c:\program files\Spyware Terminator
2009-07-17 21:31 . 2009-07-17 21:32  --------  d-----w-  c:\program files\a-squared Free
2009-07-17 13:17 . 2009-07-17 13:17  410984  ----a-w-  c:\windows\system32\deploytk.dll
2009-07-17 13:12 . 2009-07-17 13:12  152576  ----a-w-  c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-17 12:59 . 2009-07-13 17:36  38160  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 12:59 . 2009-07-17 12:59  --------  d-----w-  c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-17 12:59 . 2009-07-18 04:38  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2009-07-17 12:59 . 2009-07-13 17:36  19096  ----a-w-  c:\windows\system32\drivers\mbam.sys
2009-07-11 03:02 . 2009-07-11 03:02  --------  d-----w-  c:\documents and settings\Owner\ContentWatch
2009-07-07 01:49 . 2009-07-07 01:49  7639  ----a-w-  c:\windows\extend.dat
2009-07-05 20:43 . 2004-08-04 02:58  5504  -c--a-w-  c:\windows\system32\dllcache\mstee.sys
2009-07-05 20:43 . 2004-08-04 02:58  5504  ----a-w-  c:\windows\system32\drivers\MSTEE.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 19:45 . 2007-01-30 15:13  --------  d-----w-  c:\program files\Mozilla Thunderbird
2009-07-23 15:57 . 2005-01-08 20:34  39514  ----a-w-  c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-07-22 00:36 . 2008-05-28 11:47  --------  d-----w-  c:\program files\SUPERAntiSpyware
2009-07-17 13:39 . 2004-10-01 15:45  --------  d-----w-  c:\program files\Java
2009-07-16 11:31 . 2004-10-01 16:04  --------  d-----w-  c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-07-10 21:36 . 2009-07-10 21:34  --------  d-----w-  c:\program files\ContentWatch
2009-07-10 21:20 . 2007-12-04 14:25  --------  d-----w-  c:\program files\Internet Content Filter
2009-07-10 19:33 . 2008-07-02 18:30  34  ----a-w-  c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-07-07 23:04 . 2008-10-14 21:54  139776  ----a-w-  c:\documents and settings\Gabe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 01:46 . 2008-10-15 12:33  139776  ----a-w-  c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 00:29 . 2007-10-22 23:51  139776  ----a-w-  c:\documents and settings\Sarah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-01 00:03 . 2007-10-12 03:10  139776  ----a-w-  c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 18:54 . 2009-06-11 22:09  --------  d-----w-  c:\documents and settings\Owner\Application Data\vlc
2009-06-26 00:28 . 2005-01-08 20:34  139776  ----a-w-  c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-25 19:13 . 2004-10-01 15:35  --------  d--h--w-  c:\program files\InstallShield Installation Information
2009-06-25 15:46 . 2007-10-30 16:34  --------  d-----w-  c:\documents and settings\Owner\Application Data\gtk-2.0
2009-06-19 02:18 . 2009-06-25 16:09  16980  ----a-w-  c:\windows\Fonts\electroh.ttf
2009-06-16 14:55 . 2004-01-02 08:06  119808  ----a-w-  c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-01-02 08:03  82432  ----a-w-  c:\windows\system32\fontsub.dll
2009-06-11 22:10 . 2009-01-05 22:52  --------  d-----w-  c:\program files\Graboid
2009-06-11 22:03 . 2009-06-11 22:03  --------  d-----w-  c:\program files\Mozilla ActiveX Control v1.7.12
2009-06-11 03:49 . 2009-06-11 03:49  --------  d-----w-  c:\program files\iTunes
2009-06-11 03:49 . 2009-06-11 03:49  --------  d-----w-  c:\program files\iPod
2009-06-11 03:49 . 2009-01-16 06:52  --------  d-----w-  c:\program files\Common Files\Apple
2009-06-11 03:46 . 2009-06-11 03:45  --------  d-----w-  c:\program files\QuickTime
2009-06-11 03:40 . 2009-01-16 06:52  --------  d-----w-  c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-06-08 15:32 . 2009-07-10 21:34  247616  ----a-w-  c:\windows\system32\wxIE.dll
2009-06-08 15:32 . 2009-07-10 21:34  1859584  ----a-w-  c:\windows\system32\AltaRecovery.exe
2009-06-08 15:12 . 2009-07-10 21:34  666624  ----a-w-  c:\windows\system32\cwalsp.dll
2009-06-08 14:52 . 2009-07-10 21:34  81920  ----a-w-  c:\windows\system32\wxcode_msw28u_wxjson_CW.dll
2009-06-08 14:52 . 2009-07-10 21:34  991232  ----a-w-  c:\windows\system32\wxcode_msw28u_wxcurl_CW.dll
2009-06-08 14:50 . 2009-07-10 21:34  975872  ----a-w-  c:\windows\system32\libxml2_CW.dll
2009-06-08 14:46 . 2009-05-19 17:13  151552  ----a-w-  c:\windows\system32\libexpat.dll
2009-06-08 14:27 . 2009-07-10 21:34  524288  ----a-w-  c:\windows\system32\wxmsw28u_xrc_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34  499712  ----a-w-  c:\windows\system32\wxmsw28u_html_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34  2904064  ----a-w-  c:\windows\system32\wxmsw28u_core_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34  110592  ----a-w-  c:\windows\system32\wxmsw28u_media_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34  712704  ----a-w-  c:\windows\system32\wxmsw28u_adv_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34  135168  ----a-w-  c:\windows\system32\wxbase28u_xml_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34  135168  ----a-w-  c:\windows\system32\wxbase28u_net_vc_CW.dll
2009-06-08 14:27 . 2009-07-10 21:34  1232896  ----a-w-  c:\windows\system32\wxbase28u_vc_CW.dll
2009-06-05 15:42 . 2009-03-20 01:48  2060288  ----a-w-  c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2009-01-16 06:52  39424  ----a-w-  c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:27 . 2004-01-02 08:06  1290752  ----a-w-  c:\windows\system32\quartz.dll
2009-05-27 21:43 . 2009-05-27 21:43  --------  d-----w-  c:\program files\Unity
2009-05-07 15:44 . 2004-01-02 08:04  344064  ----a-w-  c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-01-02 08:06  827392  ----a-w-  c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-01-02 08:03  78336  ----a-w-  c:\windows\system32\ieencode.dll
2009-07-24 18:46 . 2009-03-09 18:10  134648  ----a-w-  c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-01-24 18:44 . 2009-01-24 18:44  8  --sh--r-  c:\windows\system32\B3590867F3.sys
2009-04-12 16:20 . 2009-01-12 16:20  5696  --sha-w-  c:\windows\system32\bahegope.exe
2009-01-25 04:14 . 2009-01-24 18:44  848  --sha-w-  c:\windows\system32\KGyGaAvL.sys
2009-04-11 22:08 . 2009-01-11 22:08  5696  --sha-w-  c:\windows\system32\yewukulu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-19 200704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-07-18 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-04 2904064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-03-04 46080]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime"="c:\documents and settings\All Users\common\dll\netdr\msdtc.exe" [2007-12-27 466944]
"MEDIC"="c:\program files\MEDIC\bin\sprtcmd.exe" [2006-12-27 192512]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2009-06-08 351040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-17 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-08-15 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-03-04 782336]
"nForce Tray Options"="sstray.exe" - c:\windows\system32\sstray.exe [2003-09-03 73728]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Motocross Madness 2\\MCM2.ICD"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\k9-webprotection.exe"=
"c:\\Program Files\\ZyDAS Technology Corporation\\ZyDAS_802.11g_Utility\\ZDWlan.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/4/2008 6:13 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [7/17/2009 8:55 PM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2008 6:13 AM 20560]
R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [7/10/2009 5:34 PM 2072384]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [3/7/2008 1:53 PM 20608]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [7/5/2009 4:42 PM 107904]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.crosswalk.com/homeschool
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
LSP: c:\windows\system32\cwalsp.dll
Trusted Zone: christianbook.com Trusted Zone: christianbook.com https\dlm
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\ne8x1sqs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.conservapedia.com/Main_Page
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ne8x1sqs.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ne8x1sqs.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 17:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_av_proI.tm~a03680\stamp.tmp 10 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3388798203-652253650-2994196867-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3388798203-652253650-2994196867-1003\Software\YourCompanyName\YourProductName\Version*]
"VersionData"=hex:0d,3b,25,66,19,03,6e,fd,4f,a8,a2,fa,9d,e1,52,c2,8a,f9,01,99,
85,ff,f4,59,07,45,91,f9,29,b3,aa,34,31,2b,f2,f4,e1,09,ad,08,4c,48,f7,d3,42,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\cwalsp.dll
c:\windows\system32\wxbase28u_vc_CW.dll

- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\nview.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\drivers\WTSrv.exe
c:\windows\system32\WISPTIS.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-07-24 18:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-24 22:04

Pre-Run: 75,996,536,832 bytes free
Post-Run: 76,592,431,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

279--- E O F ---2009-07-23 15:28

Download Disable/Remove Windows Messenger to the Desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the Desktop.

----------

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combo-fix /u in the runbox
* Make sure there's a space between Combo-fix and /u
* Then hit Enter

* The above procedure will:
  * Delete the following:
    * ComboFix and its associated files and folders.
  * Reset the clock settings.
  * Hide file extensions, if required.
  * Hide System/Hidden files, if required.
  * Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

Use the ESET Online Antivirus Scanner

This scanner requires Internet Explorer

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications are check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

I think I uninstalled Windows Messenger. I followed the directions and chose the appropriate box. On the desktop I found only the icon for the zip file, so I deleted that. I had the save file box pop up several more times. Not sure why. I just clicked them off and restarted the comp. The Windows Messenger icon is gone and a search for it yielded nothing, so here's hoping.

I haven't been able to uninstall Combo-fix. When I try to run Combo-fix /u, I get a message that the file can't be found. When I try to uninstall Combofix /u, I get the prompt to run combofix.exe. I did check C: for Combofix and Combo-fix files and folders and they are still there. I'm checking back to see how to proceed.
