4832 + Interview Questions in Computer viruses and spyware in Software Page 42 InterviewSolution

2051.	Solve : problem signing?
Answer» can't signing on messenger live Have you REGISTERED?Didn't messenger Live just DIE? QUOTE from: Geek-9pm on NOVEMBER 02, 2009, 06:31:52 PM Didn't messenger Live just die? I really don't know. I've been without internet for the last several weeks. That would explain it though.Windows Live Messenger is STILL connecting for me.

2051.

Solve : problem signing?

Answer»

can't signing on messenger live
Have you REGISTERED?Didn't messenger Live just DIE? QUOTE from: Geek-9pm on NOVEMBER 02, 2009, 06:31:52 PM

Didn't messenger Live just die?

I really don't know. I've been without internet for the last several weeks.

That would explain it though.Windows Live Messenger is STILL connecting for me.

Discussion

2052.	Solve : O.K. 1. THERE IS NO SHORTCUTS TO F- SECURE INTERNET SECURITY 2010 ON MY DESKTOP.?
Answer» And a restart didn't solve it? Click on Start, then Run, type in services.msc then click OK. When the page comes up, on the far right scroll down the list and doubleclick on Security Center. Where it says Startup, set it to Automatic. Just below that you will see the word "Start," click on that and then click OK. Restart your computer and your Service Center should be active. THANKS>>> I Just Restarted It & Its Gone!!! Is There Anything Else I Need To Do?Yes. Finish up. 1. Double click OTM to launch it. Vista users right click and CHOOSE Run As Administrator 2. Click on the CleanUp! button. 3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access. 4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?) 5. Once complete exit out of OTM. ---------- Click START then RUN Now type Combofix /U in the runbox Make sure there's a space between Combofix and /u Then hit Enter. . . The above procedure will: Delete: ComboFix and its associated files and folders. RESET the clock settings. Hide file extensions, if REQUIRED. Hide System/Hidden files, if required. Set a new, clean Restore Point. . ---------- Use the Secunia Software Inspector to check for out of date software. Click Start Now Check the box next to Enable thorough system inspection. Click Start Allow the scan to finish and scroll down to see if any updates are needed. Update anything listed. . ---------- Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.alright thanks againYour welcome.do you know anything about Dvd Burners Cuz Now Mines Isn't Working???You mean the built in hardware? What kind of computer?yah the built in hardware & it says CD or Computer DIrectTry posting in the hardware forum

2052.

Solve : O.K. 1. THERE IS NO SHORTCUTS TO F- SECURE INTERNET SECURITY 2010 ON MY DESKTOP.?

Answer»

And a restart didn't solve it?

Click on Start, then Run, type in services.msc then click OK.

When the page comes up, on the far right scroll down the list and doubleclick on Security Center.

Where it says Startup, set it to Automatic. Just below that you will see the word "Start," click on that and then click OK. Restart your computer and your Service Center should be active. THANKS>>> I Just Restarted It & Its Gone!!!

Is There Anything Else I Need To Do?Yes. Finish up.

1. Double click OTM to launch it.
Vista users right click and CHOOSE Run As Administrator
2. Click on the CleanUp! button.
3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTM.

----------

Click START then RUN
Now type Combofix /U in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

.
.
The above procedure will:

Delete: ComboFix and its associated files and folders.
RESET the clock settings.
Hide file extensions, if REQUIRED.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

.
----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.alright thanks againYour welcome.do you know anything about Dvd Burners Cuz Now Mines Isn't Working???You mean the built in hardware?

What kind of computer?yah the built in hardware & it says CD or Computer DIrectTry posting in the hardware forum

Discussion

2053.	Solve : Identification of viruses?
Answer» Can we identify any viruses, malware, spyware...........etc., without using any antivirus softwares that are running in our SYSTEM...... ( may be hidden processes). If so, How can we do this ? I need all expert solutions........ like registy entries... etc.... yes, I can do it ? wihtout any anti - viruses program . My job Virus REMOVER ..... by Manual way .... its depend on Computer Status ...... I mean every status need another way or over Can you provide me with an example ? With a neat explanation......plz also provide a virus file ( should not do any harm to my computer) to TESTI really don't think that's possible. There's also no way you could do it faster than a virus scanner, if you are looking for something specific then I would SUGGEST asking EvilFantasy. I'm going out on a limb and calling doctor hack a liar. If he could do it then it certainly doesn't explain this thread.Atleast any dos/C/C++/VB/Java PROGRAMS.........atleast for removing autorun virus......

Discussion

2054.	Solve : needing the "all clear"?
Answer» i found you guys while trying to find a fix for a pop up that kept coming up while I shut down my computer...ending task: C:\Sysvxd.exe ? along with a few more... well i some how stumbled across your forum and so far it has helped out tremendously! i was just following your "Malware Removal Steps" and was looking for the "ALL CLEAR" from one of your designated Malware Removal Specialists. here are the logs that you are requesting me to post... everything went pretty well, and your step by step was pretty easy to follow also...never really ran into any problems. if there are any questions feel free to email me of respond back to the post... Thank you so much!! [Saving space, attachment deleted by admin]Welcome to CH. It looks like the guide did a good job but there are a few things to take care of and then we will RUN another quick scan to make sure nothing else is hiding. Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it. To deactivate Spyware Doctor's OnGuard Tools * Click the Spyware Doctor icon in the System Tray. * Click Settings. * Click Startup Settings under Pick a Category. * Uncheck Run at Windows startup * Click Apply and Exit Spyware Doctor. * From within Spyware Doctor, click the OnGuard button on the left side. * Uncheck Activate OnGuard * (When we are done, you can re-enable Spyware Doctor) ---------- Open HijackThis and select Do a system scan only Place a check mark NEXT to the following entries: (if there) R3 - URLSearchHook: (no name) - - (no file) O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file) O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file) O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file) . Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis. ---------- If you already have ComboFix be sure to delete it and download a new copy. Download ComboFix© by SUBS from one of the below links. Be sure top save it to the Desktop. LINK #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it) When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply. Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. If you have problems with ComboFix usage, see How to use ComboFix**

2054.

Solve : needing the "all clear"?

Answer»

i found you guys while trying to find a fix for a pop up that kept coming up while I shut down my computer...ending task: C:\Sysvxd.exe ? along with a few more... well i some how stumbled across your forum and so far it has helped out tremendously! i was just following your "Malware Removal Steps" and was looking for the "ALL CLEAR" from one of your designated Malware Removal Specialists. here are the logs that you are requesting me to post...

everything went pretty well, and your step by step was pretty easy to follow also...never really ran into any problems. if there are any questions feel free to email me of respond back to the post...

Thank you so much!!

[Saving space, attachment deleted by admin]Welcome to CH.

It looks like the guide did a good job but there are a few things to take care of and then we will RUN another quick scan to make sure nothing else is hiding.

Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it.

To deactivate Spyware Doctor's OnGuard Tools

* Click the Spyware Doctor icon in the System Tray.
* Click Settings.
* Click Startup Settings under Pick a Category.
* Uncheck Run at Windows startup
* Click Apply and Exit Spyware Doctor.
* From within Spyware Doctor, click the OnGuard button on the left side.
* Uncheck Activate OnGuard
* (When we are done, you can re-enable Spyware Doctor)

----------

Open HijackThis and select Do a system scan only

Place a check mark NEXT to the following entries: (if there)

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)

.
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by SUBS from one of the below links. Be sure top save it to the Desktop.

LINK #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Discussion

2055.	Solve : Should I allow MBAM remove 1 result??
Answer» I'm learning how to use VISTA. After I downloaded HJT I couldn't find it. Everything was easy to find on the desk top with Win XP. So when I first tried to download HJT in Vista I thought I messed something up and so deleted it. Now that I know how to find it in vista I will download again. In the meantime, I downloaded MBAM and it came up with this result: see log. Seems HARMLESS but what do I know. What should I do with it? Thanks, T [Saving SPACE, attachment deleted by admin]It doesn't matter. If you use active desktop and you want the ability to CHANGE it then let MB change the setting to 0 (which is what will happen if you say "yes, delete"). Otherwise tell MB to ignore it. Either way it's not a big deal.if it found any thing take it out , its as simple as thatQuote from: harry 48 on November 07, 2009, 02:34:26 PM if it found any thing take it out , its as simple as that Well no, it's not. MBAM (and other spyware checkers) often mistake registry changes made by the user for changes made by malware. In that case you tell the app to ignore the entry. You should NEVER let a spyware checker delete entries arbitrarily - same as a "registry cleaner".i don't think the "ordinary person" would touch their reg; i have seen it said here never touch it , i run sas , mbam and ccleaner every wk and never look just hit delete but i know what you mean You don't have to manually edit the registry to make a registry change. Every time you change any sort of preference or option in a program, an entry in the registry is changed (with the exception of those programs that still use .ini or similar preference files).

2055.

Solve : Should I allow MBAM remove 1 result??

Answer»

I'm learning how to use VISTA. After I downloaded HJT I couldn't find it. Everything was easy to find on the desk top with Win XP. So when I first tried to download HJT in Vista I thought I messed something up and so deleted it.

Now that I know how to find it in vista I will download again.

In the meantime, I downloaded MBAM and it came up with this result: see log.

Seems HARMLESS but what do I know. What should I do with it?

Thanks, T

[Saving SPACE, attachment deleted by admin]It doesn't matter. If you use active desktop and you want the ability to CHANGE it then let MB change the setting to 0 (which is what will happen if you say "yes, delete"). Otherwise tell MB to ignore it. Either way it's not a big deal.if it found any thing take it out , its as simple as thatQuote from: harry 48 on November 07, 2009, 02:34:26 PM

if it found any thing take it out , its as simple as that

Well no, it's not. MBAM (and other spyware checkers) often mistake registry changes made by the user for changes made by malware. In that case you tell the app to ignore the entry. You should NEVER let a spyware checker delete entries arbitrarily - same as a "registry cleaner".i don't think the "ordinary person" would touch their reg; i have seen it said here never touch it , i run sas , mbam and ccleaner every wk and never look just hit delete

but i know what you mean You don't have to manually edit the registry to make a registry change. Every time you change any sort of preference or option in a program, an entry in the registry is changed (with the exception of those programs that still use .ini or similar preference files).

Discussion

2056.	Solve : Multiple AV?
Answer» Is it ok to have multiple AntiVirus' installed? Let's say, NOD32 & Kaspersky. I sort of need advice on a good protection since my NOD32 doesn't detect 80% of the trojans I heard. Is that incorrect? So what's a good AV? Kaspersky? Hello, your comment has been removed. Please do not POST malware advice, or post here in the malware forum, unless you need help. ~ DragonMaster JayYou can have only one Anti-Virus program active on your computer. You can have others that are inactive for scanning purposes only. I would recommend MicroSoft SECURITY Essentials. It's free to registered users, 98 % efficiency rate and not a resource hog like some AV's. It's my recommendation. Remember to only install one antivirus! 1) Avast! Home Edition 2) AVG Free Edition 3) Avira AntiVir Personal 4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download 4-a) Microsoft Security Essentials for Windows XP 5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one) 6) PC TOOLS AntiVirus Free Edition It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can RESULT in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.I'm not exactly poor. I can afford paying AV's. So what's the recommendations in that line?Hello, your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help. ~ DragonMaster JayHello, your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help. ~ DragonMaster Jay'cause I can.Hello, your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help. ~ DragonMaster JayYeah it is. Now I continue watching my movie.Hello, your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help. ~ DragonMaster JayTRUE brether, true.

Discussion

2057.	Solve : Eratic internet?
Answer» Hi there Hopping you guys can help. This started with me not being able to load some internet sites. Then Malwarebytes would not work. I have ran combofix and it repored that C: windows\system32\drivers\ ect\lmhost. could not be deleated. So I started in safe mode and deleated it. This then allowed malware bytes to work and nothing was found Ok. Now today the lmhost FILE is back, also is RECYCLER in C drive and H drive. I have deleated recycler but cannot deleate the lmhost file. And some sites will not load again. I enclose HIJACKTHIS file. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:14:56, on 07/11/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\PROGRA~1\AVG\AVG9\avgtray.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe C:\Program Files\AVG\AVG9\avgwdsvc.exe c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\PROGRA~1\MICROS~2\wcescomm.exe C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe C:\WINDOWS\System32\GEARSec.exe C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\PROGRA~1\MICROS~2\rapimgr.exe C:\Program Files\HP\DIGITAL Imaging\bin\hpqtra08.exe C:\Program Files\AVG\AVG9\avgnsx.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.koower.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.koower.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: HP Print CLIPS - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray O4 - HKLM\..\Run: [combofix] C:\ComboFix\CF1983.exe /c C:\ComboFix\Combobatch.bat O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~2\wcescomm.exe" O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/56.11/uploader2.cab O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/52.09/uploader2.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.R.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Google Update Service (gupdate1c9a98e341b062a) (gupdate1c9a98e341b062a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 12169 bytes

Discussion

2058.	Solve : Show hidden files and folders issue?
Answer» OK, it’s again about this "Show hidden files and folders" issue. 1. Hidden and protected operating system files and folders are not viewed. 2. I go to «Folder Options\View» and check the "Show hidden files and folders" radio button and uncheck the "Hide protected operating system files" checkbox, click "OK", but no effect takes place. When I close the window and go there again, it is in the same condition as before: "Do not show hidden files and folders" radio button and "Hide protected operating system files" checkbox are checked. 3. I learnt that this is caused by virus or so. The workaround, according to advices in I.net, is to go to regedit HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ Advanced\Folder\Hidden\SHOWALL and set the value of "CheckedValue" to 1 instead of 2 or 0... Now check this out: First of all, when I change the value, wait a couple of seconds and update (F5), it changes back to 2 again. Id est., nothing has changed, the "Show hidden files and folders" issue is still there. I kind of found my own work around on top. Prior to changing this value, I end «Explorer.exe» process form «Task manager\Processes», change the mentioned regedit value, and then start «Explorer.exe» from «Task Manager\File\New Task» again. This time when I refresh (F5) in regedit, all is cool and the issue is gone, I can view the hidden and system files now using the enablements described above and view some a2g21.exe virus with it's autorun.inf in all drive's root directories. For some REASON Norton or Mcafee do not react on it at all. However when I delete those, restart the machine, it is reproducing again. All is like I described above again. Now, could anybody advice what else I should delete besides a2g21.exe or what else should be changed in regedit to get rid of this plaque? Thanks in advance That sounds terribly frustrating. Just be patient though and a specialist will be with you.It looks like I have some progress here (if I didn't kill that hemorrhoid at final). As a MATTER of fact I can FREELY change my "Show hidden files and folders" and "Show system files..." settings now. How I did it? While a full scan Symante360 found some cvasds0.dll, cvasds1.dll... files in C:\Documents and Settings\"Windows account name"\Local Settings\Temp directory. Norton couldn't take any actiones on them, I brutally deleted them instead and those a2g21.exe-s from roots of course. According to Norton it was Trojan.Packed.NsAnti and it's claimed to be a low risk http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2006-061009-4441-99 Now, of course I don't experience this behaviour, but still not sure if I have removed all the threats, since an .exe file was not foud. If have some ideas on this please share. The truth is somewhere, there The truth is in your logs ..... which you haven't PRODUCED yet. Malware SPECIALISTS are talented, not psychic. Visit here , follow directions and post the required logs.Don't worry , If you want to view all the hidden files including system files, you need to change some of the registry values. They are given below. HKEY_CURRENT_USER/Softwares/Microsoft/windows/currentversion/Explorer/Advanced hidden=1 HKEY_CURRENT_USER/Softwares/Microsoft/Windows/Currentversion/Explorer/Advanced showsuperhidden=1 HKEY_CURRENT_USER/Softwares/Microsoft/Windows/Currentversion/Explorer/Advanced superhidden=1OK Karnac, I'll post thoseHi Karnac, I didn't quite get the Java part. If I follow the http://www.java.com/en/download/installed.jsp link and find out theat my Java is up to date, is there still something I have to do in terms of Java?

Discussion

2059.	Solve : Trojan HijackThis log?
Answer» * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box. * Now type Combofix /u in the runbox * Make sure there's a space between Combofix and /u * Then hit Enter * The above procedure will: * Delete the following: * ComboFix and its associated files and folders. * Reset the clock settings. * Hide file extensions, if REQUIRED. * Hide System/Hidden files, if required. * SET a new, clean Restore Point. ---------- Clean out your temporary internet files and temp files. Download TFC by OldTimer to your desktop. Double-click TFC.exe to run it. Note: If you are running on Vista, right-click on the file and choose Run As Administrator TFC will close all programs when run, so make sure you have saved all your work before you begin. * Click the Start button to begin the cleaning process. * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. * Please let TFC run uninterrupted until it is finished. Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning. ---------- Open Malwarebytes' Anti-MALWARE. * Click the Update tab. * Click Check for Updates * If an update is found, it will download and install. * Click the Scanner tab. * Select Perform Quick Scan, then click Scan. * The scan may take some time to finish,so please be patient. * When the scan is complete, click OK, then Show Results to view the results. * Make sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note) * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * Copy & Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.Sorry for the late reply Malwarebytes log: Malwarebytes' Anti-Malware 1.41 Database version: 3090 Windows 6.0.6001 Service Pack 1 3/11/2009 10:56:59 AM mbam-log-2009-11-03 (10-56-59).txt Scan type: Quick Scan Objects scanned: 117696 Time elapsed: 9 minute(s), 51 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 2 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Users\valued customer\AppData\Roaming\ErrorSmart (Rogue.ErrorSmart) -&GT; Quarantined and deleted successfully. C:\Users\valued customer\AppData\Roaming\ErrorSmart\Log (Rogue.ErrorSmart) -> Quarantined and deleted successfully. Files Infected: C:\Users\valued customer\AppData\Roaming\ErrorSmart\Log\2008 Dec 16 - 12_58_02 PM_811.log (Rogue.ErrorSmart) -> Quarantined and deleted successfully. How is the computer now?Its back to its best (thank god) Thanks Ankur16 and Evil Fantasy for all the help. I guess ill open my eyes more and be more aware when it comes to downloading. Sounds good. Use the Secunia Software Inspector to check for out of date software. Click Start Now Check the box next to Enable thorough system inspection. Click Start Allow the scan to finish and scroll down to see if any updates are needed. Update anything listed. . ---------- Go to Microsoft Windows Update and get all critical updates. ---------- I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being ADDED to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth. OK. Its all good. thanks so much Your welcome. Safe surfing...

2059.

Solve : Trojan HijackThis log?

Answer»

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if REQUIRED.
* Hide System/Hidden files, if required.
* SET a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

Open Malwarebytes' Anti-MALWARE.

* Click the Update tab.
* Click Check for Updates
* If an update is found, it will download and install.
* Click the Scanner tab.
* Select Perform Quick Scan, then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.Sorry for the late reply

Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 3090
Windows 6.0.6001 Service Pack 1

3/11/2009 10:56:59 AM
mbam-log-2009-11-03 (10-56-59).txt

Scan type: Quick Scan
Objects scanned: 117696
Time elapsed: 9 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\valued customer\AppData\Roaming\ErrorSmart (Rogue.ErrorSmart) -&GT; Quarantined and deleted successfully.
C:\Users\valued customer\AppData\Roaming\ErrorSmart\Log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\valued customer\AppData\Roaming\ErrorSmart\Log\2008 Dec 16 - 12_58_02 PM_811.log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
How is the computer now?Its back to its best (thank god)

Thanks Ankur16 and Evil Fantasy for all the help. I guess ill open my eyes more and be more aware when it comes to downloading.
Sounds good.

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being ADDED to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
OK. Its all good. thanks so much Your welcome.

Safe surfing...

Discussion

2060.	Solve : Cyber Security virus/malware?
Answer» About two weeks AGO whilst my son was looking for some images on the google site (not that google is in any WAY implicated here) a box popped up on the screen saying we had a virus called Cyber Security. It outlined that there was a SOLUTION and of course when you followed those links the upshot was you had to pay for a download to fix it. Luckily we'd heard a segment on bbc radio about this virus and ignored it and started to hunt down a fix ourselves. After a number of what appear to be false starts (ie scans that tell you the virus is there but then demanding money to put it right!) and another reference to the bbc we found you guys. I've worked through the malware removal guidance and have hopefully correctly posted the three relevant logs below. It would appear that the "cyber security" rogue has now been removed but I'm following your advice and posting anyway - hope that's right and I look forward to hearing from you. lc [Saving space, attachment deleted by admin]1) Have "HijackThis" fix the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and close"HijackThis".Please close any open programs before doing this fix. Quote R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: ACCELERATOR Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing) 2) Next perform a full scan with malwarebyte antimalware as follows.Make sure it is updated before performing a scan. * Open Malwarebyte Antimalware.Under the "Scanner" tab, select "Perform Full Scan" and click "Scan".In the dialog box select all your drives except CD/DVD drives. * Now click "Start Scan". * The scan may take some time to finish,so please be patient. * When the scan is complete, click OK, then Show Results to view the results. * Make sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * Copy&Paste the entire report in your next reply. PLEASE NOTE: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes. 3) Next download RootRepeal.rar and unzip it to your Desktop. You'll need WinRAR to extract it * Double click RootRepeal.exe to start the program * Click on the Report tab at the bottom of the program window * Click the Scan button * In the Select Scan dialog, check: o Drivers o Files o Processes o SSDT o Stealth Objects o Hidden Services * Click the OK button * In the next dialog, select all drives showing * Click OK to start the scan The scan can take some time. DO NOT run any other programs while the scan is running * When the scan is complete, the Save Report button will become available * Click this and save the report to your Desktop as RootRepeal.txt * Go to File, then Exit to close the program Attach this log in your next post. 4) Download DDS* by sUBs to your desktop. Your antivirus software might question the file. If it does, allow it. * Double click DDS.scr to run it and wait for the scan to finish * When finished DDS.txt will open * A small while later, a prompt will open. Answer Yes * DDS will continue scanning * When done, Attach.txt will open Copy and paste the DDS.txt and attach Attach.txt

2060.

Solve : Cyber Security virus/malware?

Answer»

About two weeks AGO whilst my son was looking for some images on the google site (not that google is in any WAY implicated here) a box popped up on the screen saying we had a virus called Cyber Security. It outlined that there was a SOLUTION and of course when you followed those links the upshot was you had to pay for a download to fix it.

Luckily we'd heard a segment on bbc radio about this virus and ignored it and started to hunt down a fix ourselves.

After a number of what appear to be false starts (ie scans that tell you the virus is there but then demanding money to put it right!) and another reference to the bbc we found you guys.

I've worked through the malware removal guidance and have hopefully correctly posted the three relevant logs below.

It would appear that the "cyber security" rogue has now been removed but I'm following your advice and posting anyway - hope that's right and I look forward to hearing from you.

lc

[Saving space, attachment deleted by admin]1) Have "HijackThis" fix the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and close"HijackThis".Please close any open programs before doing this fix.

Quote

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: ACCELERATOR Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)

2) Next perform a full scan with malwarebyte antimalware as follows.Make sure it is updated before performing a scan.

* Open Malwarebyte Antimalware.Under the "Scanner" tab, select "Perform Full Scan" and click "Scan".In the dialog box select all your drives except CD/DVD drives.

* Now click "Start Scan".

* The scan may take some time to finish,so please be patient.

* When the scan is complete, click OK, then Show Results to view the results.

* Make sure that everything is checked, and click Remove Selected.

* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)

* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

* Copy&Paste the entire report in your next reply.

PLEASE NOTE:
If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

3) Next download RootRepeal.rar and unzip it to your Desktop. You'll need WinRAR to extract it

* Double click RootRepeal.exe to start the program
* Click on the Report tab at the bottom of the program window
* Click the Scan button
* In the Select Scan dialog, check:
o Drivers
o Files
o Processes
o SSDT
o Stealth Objects
o Hidden Services
* Click the OK button
* In the next dialog, select all drives showing
* Click OK to start the scan

The scan can take some time. DO NOT run any other programs while the scan is running
* When the scan is complete, the Save Report button will become available
* Click this and save the report to your Desktop as RootRepeal.txt
* Go to File, then Exit to close the program
*Attach this log in your next post.

4) Download DDS by sUBs to your desktop.
Your antivirus software might question the file. If it does, allow it.

* Double click DDS.scr to run it and wait for the scan to finish
* When finished DDS.txt will open
* A small while later, a prompt will open. Answer Yes
* DDS will continue scanning
* When done, Attach.txt will open

Copy and paste the DDS.txt and attach Attach.txt

Discussion

Discussion

2062.	Solve : won't uninstall?
Answer» how can I GET this removed: 'eeye digital SECURITY' ?Don't KNOW. You MIGHT have BETTER luck asking them. http://forums.eeye.com/forums/

Discussion

2063.	Solve : antivirus software alert / aplication cannot be executed?
Answer» If there are no more malware issues we can finish up now. * Click START then RUN * Now type Combofix /Uninstall in the runbox * Make sure there's a space between Combofix and /Uninstall * Then HIT Enter. The above procedure will: * Delete: ComboFix and its associated files and folders. * Reset the clock settings. * Hide file extensions, if required. * Hide System/Hidden files, if required. * Set a new, clean Restore Point. ---------- Clean out your temporary internet files and temp files. Download TFC by OldTimer to your desktop. Double-click TFC.exe to run it. Note: If you are running on Vista, right-click on the file and choose Run As Administrator TFC will close all programs when run, so make sure you have SAVED all your work before you begin. * Click the Start button to begin the cleaning process. * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. * Please let TFC run uninterrupted until it is finished. Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning. ---------- Use the Secunia Software Inspector to check for out of date software. * Click Start Now * Check the box next to Enable thorough system inspection. * Click Start * Allow the scan to finish and scroll down to see if any updates are needed. * Update anything listed. ---------- Go to Microsoft Windows Update and get all critical updates. ---------- If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page. ---------- I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan. I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being ADDED to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.many, many thanks. I appreciate your time and help.Your welcome. Safe surfing...

Discussion

2064.	Solve : infected System32\atapi.sys file. AVG need some help.?
Answer» Your WELCOME. Let us know if ANYTHING else COMES up. Safe surfing...

Discussion

2065.	Solve : Pendrive infected by gphone.exe & newfolder.exe worm.?
Answer» I connected my kingstone pendrive with my friend's pc which is infected by gphone.exe & new folder.exe. Now my pendrive is infected by these worm. When I delete these worm it is deleted. But when I connect pendrive again, the worm return again. I also formatted pendrive but the worms are not removed permanently.How can I get rid from these worm? Use both of these. Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically. PLEASE have all your removable storage devices ready for disinfection. Download Flash Disinfector by sUBs and save it to your desktop. * Double-click Flash_Disinfector.exe to run it. * Your desktop and icons may disappear. This is normal. * It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection. * Follow any prompts that may appear. * The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well. * Wait until it has finished scanning and then exit the program. * There will be no GUI interface or log file produced. * Reboot your computer when done. Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection. ---------- PANDA USB and AutoRun Vaccine Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically. Download Panda USB and AutoRun Vaccine and save it to your desktop. * Extract (unzip) the file to your desktop and a folder named USBVaccine will be created. * Open that folder and double-click on USBVaccine.exe to start the program. * Click Run * Click the BUTTON to Vaccinate computer. * Insert your USB flash drive. * When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s). * Exit Panda USB and AutoRun Vaccine when done. Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Resarch Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process. ---------- Now run this on the computer and post the log it creates. If you already have Malwarebytes be sure to update it before running the scan! Download Malwarebytes' Anti-Malware (MBAM) * Double-click mbam-setup.exe and follow the prompts to install the program. * At the end, be sure a checkmark is placed next to the following: * Update Malwarebytes' Anti-Malware * Launch Malwarebytes' Anti-Malware * Then click Finish * If an update is found, it will download and install the latest version. * Once the program has loaded, select Perform quick scan, then click Scan. * When the scan is complete, click OK, then Show Results to view the results. * Be sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) * The log is automatically saved by MBAM and can be viewed by CLICKING the Logs TAB in MBAM. * Copy and Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Discussion

2066.	Solve : Malware - "Antivirus Soft"?
Answer» Hello - similar to other posters, my computer has also been infected with a malware/virus of some kind that is causing millions of Security Warnings to pop up with the message "Security Warning - Application cannot be executed. The file .....exe is infected. Do you want to activate your antivirus software now?" When "Yes" is clicked, it directs to window that wants you to download Anitvirus Soft... I realize that this is not a legit program. Some information to start: I have an active version of AVG Free 8.5 installed. I have tried to go through the steps in the main post titled "Read this before requesting malware removal help" however, I am unable to complete any of the steps, because every time I try to open a program, uninstall a program, or run an application, the virus blocks it and the Security Warning pops up. In example: Step 1: Uninstall programs - I tried to uninstall a few suspicious programs but it was unsuccessful... a message popped up that said "you do not have sufficient access to remove * from the Programs and Features list. Please contact your systems administrator." However this is a personal computer used at home with only User set-up (thus the administrator CONTROL should be on this User account). Here are some programs that might be iffy (?): Hotbar Seekdns 1.0 build 133 ShopperReports Viewpoint Media Player Step 2: I tried to run CCleaner, but it wouldn't run, and yes, tried to rename it to CCleaner2 but that didn't work either. Step 3: I downloaded SUPERantispyware and tried to run the application, but it wouldn't run. Also tried renaming it, which didn't work. I gave up on the Steps after that. Your support and advice as to what steps to take from here would be greatly appreciated! (These constant pop-up security warnings are driving me batty!! Please visit this webpage for a tutorial on downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix See the area: Using ComboFix*, and when done, post the log back here.Hi Jay... thanks for your reply; however, I have two problems with using ComboFix: A) it suggests disabling my antivirus before starting (I have AVG 8.5), however I can't do this because when I try to open the AVG User INTERFACE, the virus seems to "block" it from opening and shuts it down immediately, and another one of those blasted Security Warnings comes up. B) I can't open anything! Which includes things that I download... which means I was able to download ComboFix and save it to the desktop, but when I double click on the icon, nothing happens, OR it flashes up, but then immediately is "shut down" by the virus. Any further suggestions? Or am I too far gone? I think my computer is still under warranty at Future Shop... should I take it there? Thanks in advance!Don't worry about disabling the AV if it will not.. Delete your copy of ComboFix; grab a fresh copy, except before you download it, rename it to blackpudding.bat Navigate to Start --> Run, and enter the following command exactly as shown: "%userprofile%\desktop\blackpudding.bat" /stepdel See if ComboFix will run now.Hi again... I was finally able to run ComboFix in Safe Mode and using the instructions you suggested. I'm now back in normal mode and the pop up Security Warnings have gone away. Below is the log from this Fix... please let me know if there's anything else I still need to do. Thanks so much for your help! ComboFix 10-02-03.04 - Jeremy 03/02/2010 17:21:33.1.2 - x86 MINIMAL Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3061.2631 [GMT -5:00] Running from: C:\Users\Jeremy\Desktop\blackpudding.bat.exe AV: AVG Anti-Virus Free On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} SP: AVG Anti-Virus Free enabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} SP: Windows Defender enabled (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\$RECYCLE.BIN\S-1-5-21-3463882276-1615482989-678483651-500 C:\$RECYCLE.BIN\S-1-5-21-867918287-2053444252-730651380-500 C:\Program Files\Seekdns C:\Program Files\Seekdns\seekdns.exe C:\Program Files\Seekdns\uninstall.exe C:\ProgramData\Seekdns C:\ProgramData\Seekdns\seekdns133.exe C:\Users\Jeremy\AppData\Local\uuwebe C:\Users\Jeremy\AppData\Local\uuwebe\iyqgsftav.exe C:\Windows\system32\KBL.LOGGo ahead and run it again, please.As requested: ComboFix 10-02-03.04 - Jeremy 03/02/2010 23:58:53.1.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3061.1056 [GMT -5:00] Running from: c:\users\Jeremy\Desktop\blackpudding.bat.exe AV: AVG Anti-Virus Free On-access scanning enabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} SP: AVG Anti-Virus Free enabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} SP: Windows Defender enabled (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . c:\$recycle.bin\S-1-5-21-3463882276-1615482989-678483651-500 c:\$recycle.bin\S-1-5-21-867918287-2053444252-730651380-500 c:\program files\Seekdns c:\program files\Seekdns\seekdns.exe c:\program files\Seekdns\uninstall.exe c:\programdata\Seekdns c:\programdata\Seekdns\seekdns133.exe c:\users\Jeremy\AppData\Local\uuwebe c:\users\Jeremy\AppData\Local\uuwebe\iyqgsftav.exe c:\windows\system32\KBL.LOG . ((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 ))))))))))))))))))))))))))))))) . 2010-02-04 05:07 . 2010-02-04 05:07--------d-----w-c:\users\Jeremy\AppData\Local\temp 2010-02-04 05:07 . 2010-02-04 05:07--------d-----w-c:\users\Default\AppData\Local\temp 2010-02-03 22:12 . 2010-02-03 22:27--------d-----w-C:\blackpudding.bat 2010-02-03 20:04 . 2010-02-03 20:04680----a-w-c:\users\Jeremy\AppData\Local\d3d9caps.dat 2010-02-03 18:58 . 2010-02-03 18:582127----a-w-c:\users\Jeremy\AppData\Local\syssvc.exe 2010-02-03 04:32 . 2010-02-03 04:32--------d-----w-c:\program files\Common Files\Wise Installation Wizard 2010-02-03 03:34 . 2010-02-03 03:34--------d-----w-c:\users\Jeremy\AppData\Roaming\AVG8 2010-01-27 15:48 . 2010-01-27 15:49--------d-----w-c:\users\Jeremy\AppData\Roaming\PrimoPDF 2010-01-27 15:47 . 2010-01-27 15:47--------d-----w-c:\program files\Nitro PDF 2010-01-27 15:47 . 2009-07-31 01:44176235----a-w-c:\windows\system32\Primomonnt.dll 2010-01-16 03:46 . 2009-10-19 14:27156672----a-w-c:\windows\system32\t2embed.dll 2010-01-16 03:46 . 2009-10-19 14:2472704----a-w-c:\windows\system32\fontsub.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-02-03 22:38 . 2008-02-22 10:32672380----a-w-c:\windows\system32\perfh00C.dat 2010-02-03 22:38 . 2008-02-22 10:32127578----a-w-c:\windows\system32\perfc00C.dat 2010-02-03 20:04 . 2008-09-07 02:3977400----a-w-c:\users\Jeremy\AppData\Local\GDIPFONTCACHEV1.DAT 2010-02-03 04:08 . 2008-09-07 00:22--------d-----w-c:\program files\CCleaner 2010-02-01 03:22 . 2008-09-07 00:10--------d-----w-c:\program files\Winamp Remote 2010-01-20 18:33 . 2008-09-06 23:45--------d-----w-c:\program files\Microsoft Silverlight 2010-01-16 08:02 . 2006-11-02 11:18--------d-----w-c:\program files\Windows Mail 2010-01-14 16:12 . 2009-10-05 02:00181120------w-c:\windows\system32\MpSigStub.exe 2009-12-18 13:05 . 2010-01-22 16:18833024----a-w-c:\windows\system32\wininet.dll 2009-12-18 13:01 . 2010-01-22 16:1878336----a-w-c:\windows\system32\ieencode.dll 2009-12-18 10:14 . 2010-01-22 16:1826624----a-w-c:\windows\system32\ieUnatt.exe 2009-12-11 17:20 . 2008-09-07 02:33--------d-----w-c:\programdata\Microsoft Help 2009-11-19 16:48 . 2009-12-02 03:42872960----a-w-c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll 2009-11-19 16:48 . 2009-12-02 03:4243008----a-w-c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll 2009-11-19 16:48 . 2009-12-02 03:42340480----a-w-c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll 2009-11-19 16:48 . 2009-12-02 03:42346624----a-w-c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll 2009-11-09 13:22 . 2009-12-11 17:2124064----a-w-c:\windows\system32\nshhttp.dll 2009-11-09 13:20 . 2009-12-11 17:2131232----a-w-c:\windows\system32\httpapi.dll 2009-11-09 11:04 . 2009-12-11 17:21411136----a-w-c:\windows\system32\drivers\http.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-11-25 18:011230080----a-w-c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968] "Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2008-01-21 1233920] "L08AXLRD_802794904"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 351000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-10-25 212992] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424] "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [30/11/2008 8:29 PM 335240] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [28/01/2009 8:07 PM 108552] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/09/2009 5:55 PM 908056] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/09/2009 5:55 PM 297752] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmtREG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2007-08-23 21:34451872----a-w-c:\program files\Common Files\LightScribe\LSRunOnce.exe . Contents of the 'Scheduled Tasks' folder 2010-02-03 c:\windows\Tasks\User_Feed_Synchronization-{5AB2C966-5803-4839-852A-D9326EAA8366}.job - c:\windows\system32\msfeedssync.exe [2008-01-21 02:24] . . ------- Supplementary Scan ------- . mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Presario&pf=laptop uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe FF - ProfilePath - c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\ FF - component: c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll . - - - - ORPHANS REMOVED - - - - HKCU-Run-fupakoic - c:\users\Jeremy\AppData\Local\uuwebe\iyqgsftav.exe ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-02-04 00:07 Windows 6.0.6001 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . Completion time: 2010-02-04 00:10:59 ComboFix-quarantined-files.txt 2010-02-04 05:10 Pre-Run: 166,182,215,680 bytes free Post-Run: 166,126,645,248 bytes free - - End Of File - - 46E05BA2E19B7B38FAB3CDB59379C1B5 Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop. Please close all other applications running on your system. Please double click GetSystemInfo.exe to open it. Click the Settings button. Set it to Maximum IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports. Click Create Report to run it. It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button. Please copy and paste the url of the GSI Parser report (not the log) in your next reply.http://www.getsysteminfo.com/read.php?file=4b5b76e107273d4deb4dfdf832b78a23 Please note: I wasn't able to click on Settings and follow the instructions therein (uncheck "Scan Ports" etc)... when i tried to click on Settings it said I didn't have administrator status (which is strange because there is only one user on this computer so it is, by default, the administrator). I went ahead and ran the program anyway... HOPE that it still works okay. Thanks again!To manually create a new Restore Point Go to Control Panel and select System and Maintenance Select System On the left select Advance System Settings and accept the warning if you get one Select System Protection Tab Select Create at the bottom Type in a name i.e. Clean Select Create Now we can purge the infected ones Go back to the System and Maintenance page Select Performance Information and Tools On the left select Open Disk Cleanup Select Files from all users and accept the warning if you get one In the drop down box select your main drive i.e. C For a few moments the system will make some calculations Select the More Options tab In the System Restore and Shadow Backups select Clean up Select Delete on the pop up Select OK Select Delete You are now done To remove all of the tools we used and the files and folders they created, please do the following: Please download OTC.exe by OldTimer: Save it to your Desktop. Double click OTC.exe. Click the CleanUp! button. If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes. Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually. == Please download TFC by OldTimer to your desktop Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). It will close all programs when run, so make sure you have saved all your work before you begin. Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion. Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean. == Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr. Save it to your Desktop. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document. Results of screen317's Security Check version 0.99.1 Windows Vista Service Pack 1 (UAC is enabled) Out of date service pack!! `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Enabled! AVG Free 8.5 Antivirus up to date! `````````````````````````````` Anti-malware/Other Utilities Check: CCleaner Java(TM) 6 Update 2 Out of date Java installed! Adobe Flash Player 10 Adobe Reader 8.1.3 Out of date Adobe Reader installed! `````````````````````````````` Process Check: objlist.exe by Laurent Windows Defender MSASCui.exe `````````````````````````````` DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning) `````````End of Log``````````` Please consider updating to Windows Vista Service Pack 2 (SP2). Windows Vista Service Pack 2 (SP2) contains all the updates RELEASED since SP1 plus support for new types of hardware and emerging hardware standards. It is now available via Windows Update or as a standalone installation here. == Please download the newest version of Adobe Acrobat Reader from Adobe.com Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable. Go to the Control Panel and enter Add or Remove Programs. Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them. Once old versions are gone, please install the newest version. == Please download the newest version of Java from Java.com. Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable. Go to the Control Panel and enter Add or Remove Programs. Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them. Once old versions are gone, please install the newest version. == Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection. Software recommendations Firewall Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version. Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first. PC Tools Firewall Plus: free and excellent firewall. AntiSpyware SpywareBlaster SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here. Spybot - Search & Destroy. Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot). NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. Resident Protection help A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them. Rogue programs help There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here: http://www.spywarewarrior.com/rogue_anti-spyware.htm Securing your computer Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest CRITICAL security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there. hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future. Please consider using an alternate browser** Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option. If you are interested: Firefox may be downloaded from here: http://www.getfirefox.com Opera is available here: http://www.opera.com/download/ See this page for more info about malware and prevention.

2066.

Solve : Malware - "Antivirus Soft"?

Answer»

Hello - similar to other posters, my computer has also been infected with a malware/virus of some kind that is causing millions of Security Warnings to pop up with the message "Security Warning - Application cannot be executed. The file .....exe is infected. Do you want to activate your antivirus software now?" When "Yes" is clicked, it directs to window that wants you to download Anitvirus Soft... I realize that this is not a legit program.

Some information to start:

I have an active version of AVG Free 8.5 installed.

I have tried to go through the steps in the main post titled "Read this before requesting malware removal help" however, I am unable to complete any of the steps, because every time I try to open a program, uninstall a program, or run an application, the virus blocks it and the Security Warning pops up. In example:

Step 1: Uninstall programs - I tried to uninstall a few suspicious programs but it was unsuccessful... a message popped up that said "you do not have sufficient access to remove *** from the Programs and Features list. Please contact your systems administrator." However this is a personal computer used at home with only User set-up (thus the administrator CONTROL should be on this User account). Here are some programs that might be iffy (?):
Hotbar
Seekdns 1.0 build 133
ShopperReports
Viewpoint Media Player

Step 2: I tried to run CCleaner, but it wouldn't run, and yes, tried to rename it to CCleaner2 but that didn't work either.

Step 3: I downloaded SUPERantispyware and tried to run the application, but it wouldn't run. Also tried renaming it, which didn't work.

I gave up on the Steps after that.

Your support and advice as to what steps to take from here would be greatly appreciated!
(These constant pop-up security warnings are driving me batty!! Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.Hi Jay... thanks for your reply; however, I have two problems with using ComboFix:

A) it suggests disabling my antivirus before starting (I have AVG 8.5), however I can't do this because when I try to open the AVG User INTERFACE, the virus seems to "block" it from opening and shuts it down immediately, and another one of those blasted Security Warnings comes up.

B) I can't open anything! Which includes things that I download... which means I was able to download ComboFix and save it to the desktop, but when I double click on the icon, nothing happens, OR it flashes up, but then immediately is "shut down" by the virus.

Any further suggestions? Or am I too far gone? I think my computer is still under warranty at Future Shop... should I take it there?

Thanks in advance!Don't worry about disabling the AV if it will not..

Delete your copy of ComboFix; grab a fresh copy, except before you download it, rename it to blackpudding.bat

Navigate to Start --> Run, and enter the following command exactly as shown:

"%userprofile%\desktop\blackpudding.bat" /stepdel

See if ComboFix will run now.Hi again... I was finally able to run ComboFix in Safe Mode and using the instructions you suggested.
I'm now back in normal mode and the pop up Security Warnings have gone away.

Below is the log from this Fix... please let me know if there's anything else I still need to do. Thanks so much for your help!

ComboFix 10-02-03.04 - Jeremy 03/02/2010 17:21:33.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3061.2631 [GMT -5:00]
Running from: C:\Users\Jeremy\Desktop\blackpudding.bat.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\$RECYCLE.BIN\S-1-5-21-3463882276-1615482989-678483651-500
C:\$RECYCLE.BIN\S-1-5-21-867918287-2053444252-730651380-500
C:\Program Files\Seekdns
C:\Program Files\Seekdns\seekdns.exe
C:\Program Files\Seekdns\uninstall.exe
C:\ProgramData\Seekdns
C:\ProgramData\Seekdns\seekdns133.exe
C:\Users\Jeremy\AppData\Local\uuwebe
C:\Users\Jeremy\AppData\Local\uuwebe\iyqgsftav.exe
C:\Windows\system32\KBL.LOGGo ahead and run it again, please.As requested:

ComboFix 10-02-03.04 - Jeremy 03/02/2010 23:58:53.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3061.1056 [GMT -5:00]
Running from: c:\users\Jeremy\Desktop\blackpudding.bat.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\$recycle.bin\S-1-5-21-3463882276-1615482989-678483651-500
c:\$recycle.bin\S-1-5-21-867918287-2053444252-730651380-500
c:\program files\Seekdns
c:\program files\Seekdns\seekdns.exe
c:\program files\Seekdns\uninstall.exe
c:\programdata\Seekdns
c:\programdata\Seekdns\seekdns133.exe
c:\users\Jeremy\AppData\Local\uuwebe
c:\users\Jeremy\AppData\Local\uuwebe\iyqgsftav.exe
c:\windows\system32\KBL.LOG

.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-04 05:07 . 2010-02-04 05:07--------d-----w-c:\users\Jeremy\AppData\Local\temp
2010-02-04 05:07 . 2010-02-04 05:07--------d-----w-c:\users\Default\AppData\Local\temp
2010-02-03 22:12 . 2010-02-03 22:27--------d-----w-C:\blackpudding.bat
2010-02-03 20:04 . 2010-02-03 20:04680----a-w-c:\users\Jeremy\AppData\Local\d3d9caps.dat
2010-02-03 18:58 . 2010-02-03 18:582127----a-w-c:\users\Jeremy\AppData\Local\syssvc.exe
2010-02-03 04:32 . 2010-02-03 04:32--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2010-02-03 03:34 . 2010-02-03 03:34--------d-----w-c:\users\Jeremy\AppData\Roaming\AVG8
2010-01-27 15:48 . 2010-01-27 15:49--------d-----w-c:\users\Jeremy\AppData\Roaming\PrimoPDF
2010-01-27 15:47 . 2010-01-27 15:47--------d-----w-c:\program files\Nitro PDF
2010-01-27 15:47 . 2009-07-31 01:44176235----a-w-c:\windows\system32\Primomonnt.dll
2010-01-16 03:46 . 2009-10-19 14:27156672----a-w-c:\windows\system32\t2embed.dll
2010-01-16 03:46 . 2009-10-19 14:2472704----a-w-c:\windows\system32\fontsub.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 22:38 . 2008-02-22 10:32672380----a-w-c:\windows\system32\perfh00C.dat
2010-02-03 22:38 . 2008-02-22 10:32127578----a-w-c:\windows\system32\perfc00C.dat
2010-02-03 20:04 . 2008-09-07 02:3977400----a-w-c:\users\Jeremy\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-03 04:08 . 2008-09-07 00:22--------d-----w-c:\program files\CCleaner
2010-02-01 03:22 . 2008-09-07 00:10--------d-----w-c:\program files\Winamp Remote
2010-01-20 18:33 . 2008-09-06 23:45--------d-----w-c:\program files\Microsoft Silverlight
2010-01-16 08:02 . 2006-11-02 11:18--------d-----w-c:\program files\Windows Mail
2010-01-14 16:12 . 2009-10-05 02:00181120------w-c:\windows\system32\MpSigStub.exe
2009-12-18 13:05 . 2010-01-22 16:18833024----a-w-c:\windows\system32\wininet.dll
2009-12-18 13:01 . 2010-01-22 16:1878336----a-w-c:\windows\system32\ieencode.dll
2009-12-18 10:14 . 2010-01-22 16:1826624----a-w-c:\windows\system32\ieUnatt.exe
2009-12-11 17:20 . 2008-09-07 02:33--------d-----w-c:\programdata\Microsoft Help
2009-11-19 16:48 . 2009-12-02 03:42872960----a-w-c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 16:48 . 2009-12-02 03:4243008----a-w-c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 16:48 . 2009-12-02 03:42340480----a-w-c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 16:48 . 2009-12-02 03:42346624----a-w-c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-09 13:22 . 2009-12-11 17:2124064----a-w-c:\windows\system32\nshhttp.dll
2009-11-09 13:20 . 2009-12-11 17:2131232----a-w-c:\windows\system32\httpapi.dll
2009-11-09 11:04 . 2009-12-11 17:21411136----a-w-c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:011230080----a-w-c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2008-01-21 1233920]
"L08AXLRD_802794904"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 351000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-10-25 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [30/11/2008 8:29 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [28/01/2009 8:07 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/09/2009 5:55 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/09/2009 5:55 PM 297752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmtREG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 21:34451872----a-w-c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-02-03 c:\windows\Tasks\User_Feed_Synchronization-{5AB2C966-5803-4839-852A-D9326EAA8366}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Presario&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
FF - ProfilePath - c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\
FF - component: c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\ck86elyo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-fupakoic - c:\users\Jeremy\AppData\Local\uuwebe\iyqgsftav.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 00:07
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-04 00:10:59
ComboFix-quarantined-files.txt 2010-02-04 05:10

Pre-Run: 166,182,215,680 bytes free
Post-Run: 166,126,645,248 bytes free

- - End Of File - - 46E05BA2E19B7B38FAB3CDB59379C1B5
Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.
Please close all other applications running on your system.

Please double click GetSystemInfo.exe to open it.

Click the Settings button.

Set it to Maximum

IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.

Click Create Report to run it.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.http://www.getsysteminfo.com/read.php?file=4b5b76e107273d4deb4dfdf832b78a23

Please note: I wasn't able to click on Settings and follow the instructions therein (uncheck "Scan Ports" etc)... when i tried to click on Settings it said I didn't have administrator status (which is strange because there is only one user on this computer so it is, by default, the administrator). I went ahead and ran the program anyway... HOPE that it still works okay.

Thanks again!To manually create a new Restore Point

Go to Control Panel and select System and Maintenance
Select System
On the left select Advance System Settings and accept the warning if you get one
Select System Protection Tab
Select Create at the bottom
Type in a name i.e. Clean
Select Create

Now we can purge the infected ones

Go back to the System and Maintenance page
Select Performance Information and Tools
On the left select Open Disk Cleanup
Select Files from all users and accept the warning if you get one
In the drop down box select your main drive i.e. C
For a few moments the system will make some calculations
Select the More Options tab
In the System Restore and Shadow Backups select Clean up
Select Delete on the pop up
Select OK
Select Delete

You are now done

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start
button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Results of screen317's Security Check version 0.99.1
Windows Vista Service Pack 1 (UAC is enabled)
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG Free 8.5
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
CCleaner
Java(TM) 6 Update 2
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.3
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSASCui.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````
Please consider updating to Windows Vista Service Pack 2 (SP2).
Windows Vista Service Pack 2 (SP2) contains all the updates RELEASED since SP1 plus support for new types of hardware and emerging hardware standards.
It is now available via Windows Update or as a standalone installation here.

==

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
PC Tools Firewall Plus: free and excellent firewall.

AntiSpyware

SpywareBlaster
SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
Spybot - Search & Destroy.
Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest CRITICAL security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

Firefox may be downloaded from here: http://www.getfirefox.com
Opera is available here: http://www.opera.com/download/

See this page for more info about malware and prevention.

Discussion

2067.	Solve : rootkit removal never certain??
Answer» I'm infected with rootkit.gen (specifically: swerftx.sys, unique code IQ1LCWD7) at LBA SECTOR 0 of my MBR. It's a "highly severe" Trojan which can enable a remote computer to take over my computer, among other things. Webroot Security Essentials (incorporating Spy Sweeper) is unable to remove this Trojan, so I assume that most other such programs are also unable to do so. I don't want to pay a Webroot consultant $100 to remove it for me, so I'd like to remove it myself. However, I'm now reading the following online at the University of Minnesota's Safe Computing website (see http://safecomputing.umn.edu/guides/scan_unhackme.html): Quote Rootkits are a special kind of malware that are specifically designed to hide the activities of other viruses and worms, and compromise the operating system so that it may not be repaired. If your machine is infected with a rootkit, you will very likely not be able to regain complete control of the system. Reinstallation is highly recommended. However, there are exceptional cases when you absolutely need to attempt to repair the system. Although no tool can guarantee results for rootkit identification and removal, there is at least one program which has show limited success from time to time in this area. It's called UnHackMe. It goes on to say: Quote Remember that in computer security there's no such thing as a silver bullet, and that you can't be certain which files were compromised by the viruses, worms and trojans on your machine. If you've been infected, you could still have "backdoors" riddled throughout your computer's operating system, and you should think very hard about reinstalling your operating system, and starting over from scratch. Does anyone know if you can never REALLY be certain if you've succeeded in completely removing a rootkit? I'll reinstall the system and all my software if I really have to. Don't pay anybody. We can do it for free. Download the MBR Rootkit Detector to your desktop. * Doubleclick mbr.exe and follow prompts. * A black DOS window will quickly appear then disappear. * When mbr.exe is finished it will create a log on your desktop. * Copy and paste contents of that log file to your next reply. ---------- Download Rooter.exe to your desktop. * Double click Rooter.exe to START the tool. * A DOS window will appear and show the scan progress. * Once complete a notepad file containing the report will open. * Copy & paste the results in your next reply. * Close notepad and Rooter will close. A log will also save at C:\Rooter.txtHello, your comment has been removed. Please do not POST malware advice, or post here in the malware forum, unless you need help. ~ DragonMaster Jay

2067.

Solve : rootkit removal never certain??

Answer»

I'm infected with rootkit.gen (specifically: swerftx.sys, unique code IQ1LCWD7) at LBA SECTOR 0 of my MBR. It's a "highly severe" Trojan which can enable a remote computer to take over my computer, among other things. Webroot Security Essentials (incorporating Spy Sweeper) is unable to remove this Trojan, so I assume that most other such programs are also unable to do so. I don't want to pay a Webroot consultant $100 to remove it for me, so I'd like to remove it myself.

However, I'm now reading the following online at the University of Minnesota's Safe Computing website (see http://safecomputing.umn.edu/guides/scan_unhackme.html):

Quote

Rootkits are a special kind of malware that are specifically designed to hide the activities of other viruses and worms, and compromise the operating system so that it may not be repaired. If your machine is infected with a rootkit, you will very likely not be able to regain complete control of the system. Reinstallation is highly recommended.

However, there are exceptional cases when you absolutely need to attempt to repair the system. Although no tool can guarantee results for rootkit identification and removal, there is at least one program which has show limited success from time to time in this area. It's called UnHackMe.

It goes on to say:

Quote

Remember that in computer security there's no such thing as a silver bullet, and that you can't be certain which files were compromised by the viruses, worms and trojans on your machine. If you've been infected, you could still have "backdoors" riddled throughout your computer's operating system, and you should think very hard about reinstalling your operating system, and starting over from scratch.

Does anyone know if you can never REALLY be certain if you've succeeded in completely removing a rootkit? I'll reinstall the system and all my software if I really have to.
Don't pay anybody. We can do it for free.

Download the MBR Rootkit Detector to your desktop.

* Doubleclick mbr.exe and follow prompts.
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log file to your next reply.

----------

Download Rooter.exe to your desktop.

* Double click Rooter.exe to START the tool.
* A DOS window will appear and show the scan progress.
* Once complete a notepad file containing the report will open.
* Copy & paste the results in your next reply.
* Close notepad and Rooter will close.

A log will also save at C:\Rooter.txtHello, your comment has been removed. Please do not POST malware advice, or post here in the malware forum, unless you need help. ~ DragonMaster Jay

Discussion

2068.	Solve : WHAT "bad" websites??
Answer» Please excuse my naïveté: exactly what TYPES of websites am I supposed to steer CLEAR of to avoid contracting malware infections?Hello, your comment has been REMOVED. Please do not POST malware advice, or post here in the malware FORUM, unless you need help. ~ DragonMaster Jay

Discussion

2069.	Solve : Gala search?
Answer» Earlier today I had my security wall or additional guard on my computer, thanks to my daughter. I ran CCleaner, SAS REPAIR and Malwarebytes which SEEMED to take CARE of it. Or so I thought. Now when I try to search for something I get Gala Search which is not what I want. I THINK it's connected to my security wall but malwarebytes will not remove it. Any help would be greatly appreciated. I am not much of a techie, so make solutions easy for me. Thanks. Post the log from Malwarebytes please.Here's the log. Malwarebytes' Anti-Malware 1.44 Database version: 3741 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 2/15/2010 10:04:43 AM mbam-log-2010-02-15 (10-04-42).txt Scan type: Quick Scan Objects scanned: 144273 Time elapsed: 6 minute(s), 19 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 760 Registry Values Infected: 14 Registry Data Items Infected: 7 Folders Infected: 1 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aavgapi.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aawtray.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\about.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ad-aware.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adwareprj.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aluschedulersvc.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon9x.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus_pro.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusplus (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusplus.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxp (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxp.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apimonitor.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aplica32.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arr.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashavast.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashbug.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashchest.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashcnsnt.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashlogv.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashmaisv.exe (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashpopwz.exe (Security.Hijack) -> Quarantined and deleted successfully.If you already have ComboFix be sure to delete it and download a new copy. Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it) When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply. Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. If you have problems with ComboFix usage, see How to use ComboFixSince I sent in the issue, I went to the search window of internet explorer and chose Find more providers** from the drop down menu. Once I went there I replaced my old Google search with the new one. Since I have done this, Gala search has not reappeared. So do I still need to do the combo fix? Thanks.It would be best to make sure everything is actually gone. If not it may come back worse than before.ok--I'll work on it tonight. Thanks for your help.Ok. I see that I have Mcafee OAS as my antivirus. (This is a work laptop.) I don't see how see to disable it. I right clicked it and the only choice was to view statistics. I went to all programs and disable or exit was not a choice for either. IDEAS?Try this. http://community.mcafee.com/thread/18235

Discussion

2070.	Solve : Google link rederects in Firefox but not with IE?
Answer» Hello, I have had an issue when GOOGLING with the firefox browser for sometime now. I've tried just about every malware tool available, and still, I get rederects when using google in the firefox browser. Details: Using Firefox, I OPEN up google. I then start a search on any particular subject. I then click on a link and instead of going to google's entended site, I'm redirected to a unfimiliar search site, or a site that claims that I have a virus. When i click on the history drop down, I see this: Jump Redirect Loading Loading XXXXXXXXX - Google Search XXXXXXXXX - Google Search As a workaround, I google using an IE's browser. I would really like to resolve this problem with firefox so I can go back to using firefox when using google.Well, it LOOKS as if I'm going to have to help myself...lol I've researched this problem and It appears that there is a name for this virus. Its called, goored. Goored is an abbreviation for (malicious) Google Redirects although redirects have also been noticed in other search engines like Yahoo as well. I will give it a try when I get home and post my results. Source: HTTP://www.ghacks.net/2010/01/14/fix-uninitiated-google-redirects-with-gooredfix-firefox/All is FIXED! The gooredfix tool did the trick and it only took a few seconds. For those who are curious about what gooredfix removed from my registry, I have pasted the gooredfix log below. GooredFix by jpshortstuff (08.01.10.1) Log created at 19:32 on 16/02/2010 (Compaq_Owner) Firefox version 3.5.7 (en-US) ========== GooredScan ========== Deleting "C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\y78zdvd4.default\extensions\{4e5a0bb3-35d9-42e6-8535-d939c7596103}" -> Success! ========== GooredLog ========== C:\Program Files\Mozilla Firefox\extensions\ {972ce4c6-7e08-4474-a285-3208198ce6fd} [03:56 01/02/2006] {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [03:40 02/08/2009] C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\y78zdvd4.default\extensions\ [emailprotected] [07:01 09/02/2008] {20a82645-c095-46ed-80e3-08825760534b} [01:12 04/09/2009] {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} [07:50 28/07/2009] {635abd67-4fe9-1b23-4f01-e679fa7484c1} [08:29 16/11/2006] {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} [05:20 25/02/2008] [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions] "[emailprotected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:39 02/08/2009] "{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [10:12 22/08/2009] -=E.O.F=-

Discussion

2071.	Solve : WHAT “bad” websites? [Malware advice spammers]?
Answer» Please excuse my naiveté: exactly what types of websites am I supposed to steer clear of to avoid contracting malware infections? 1) Download and install SpywareBlaster and update it WEEKLY (it helps protect against known malicious sites) 2) Make sure you us a GOOD Anti Virus utility (one that monitors web activity) and that it is always active and updated daily 3) Do not visit websites with which you are not completely familiar or comfortableQuote from: BobLewiston on February 16, 2010, 10:45:39 AM Please excuse my naiveté: exactly what types of websites am I supposed to steer clear of to avoid contracting malware infections? You forgot the tréma in naïveté... Sites offering "free downloads" of things that you usually PAY for; torrent sites, many gaming sites, porn sites... sites that dumb people go to basically. However it is estimated that 71% of malware hosting websites are "legitimate" sites with poor SECURITY, so Allan's advice about having some KIND of protection is good. Install MyWOTQuote Do not visit websites with which you are not completely familiar or comfortable Then how would I get "completely familiar or comfortable" with websites I've never visited before? But perhaps you were just exaggerating for emphasis...Quote from: BobLewiston on February 16, 2010, 04:11:18 PM Then how would I get "completely familiar or comfortable" with websites I've never visited before? But perhaps you were just exaggerating for emphasis... hyperbole - but you get the point

2071.

Solve : WHAT “bad” websites? [Malware advice spammers]?

Answer»

Please excuse my naiveté: exactly what types of websites am I supposed to steer clear of to avoid contracting malware infections?
1) Download and install SpywareBlaster and update it WEEKLY (it helps protect against known malicious sites)
2) Make sure you us a GOOD Anti Virus utility (one that monitors web activity) and that it is always active and updated daily
3) Do not visit websites with which you are not completely familiar or comfortableQuote from: BobLewiston on February 16, 2010, 10:45:39 AM

Please excuse my naiveté: exactly what types of websites am I supposed to steer clear of to avoid contracting malware infections?

You forgot the tréma in naïveté...

Sites offering "free downloads" of things that you usually PAY for; torrent sites, many gaming sites, porn sites... sites that dumb people go to basically. However it is estimated that 71% of malware hosting websites are "legitimate" sites with poor SECURITY, so Allan's advice about having some KIND of protection is good.

Install MyWOTQuote

Do not visit websites with which you are not completely familiar or comfortable

Then how would I get "completely familiar or comfortable" with websites I've never visited before? But perhaps you were just exaggerating for emphasis...Quote from: BobLewiston on February 16, 2010, 04:11:18 PM

Then how would I get "completely familiar or comfortable" with websites I've never visited before? But perhaps you were just exaggerating for emphasis...

hyperbole - but you get the point

Discussion

2072.	Solve : need Antivirus,firwall info - Norton AV "incompatible" with ZoneAlarm firewall?
Answer» New pc with Win Vista op system. Recently bought 12 month Norton AntiVirus 2010 & renewed 12 month ZoneAlarm firewall & was happy with both on old Win XP pc. Shortly after reinstalling both on new pc, ms Outlook was unable most days to receive new mail and secure banking WEB sites were often INACCESSIBLE. Removed both for a bit - no problems. Finally reinstalled Vista op system then ZA firewall. Reinstalling NAV, it tells me NAV2010 is 'incompatible' with ZoneAlarm. I've likely RAISED my risks with several software makers doing separate jobs. Despite having paid subscriptions, I may need to stay with 1 co. for both tasks (ZoneAlarm Extreme Security or Norton Internet Security). Does anyone have experience with these 2 companies? Success with NAV + another firewall maker besides WINDOWS firewall? Experience with Norton or ZoneAlarm full task products? I've heard complements + horror stories on both. Many thanks.Is this a home PC, or is an office/business PC?Quote from: soybean on February 15, 2010, 05:15:56 PM Is this a home PC, or is an office/business PC? This is a home pc. Very frustrating as I couldn't log into bank accts. to check ACCT, pay bills ("Internet Exp can not display this page"). I was unable most days to receive new mail via ms Outlook: error codes 0x800CCC92, 0x800CCC90, 0x8004210E; I was still able to read new mail via ISP's web page mail. (ISP recently changed email service from their server to Win Live; had 'Outlook unable to Rev new email' once since then). Outlook seems to be working now. I realize not smart to work with no AV; visiting only "safe" sites for now. Had no trouble with [ZA firewall + Norton AV] before (Win XP, old pc) but may not work together on new Win Vista pc. I may also try ZoneAlarm tech help again. Intend to upgrade to Win7 when I get rid of current problems. Thanks for your help. ps. interesting that, on days Outlook unable to Rcv email, I was usually able to receive new mail by turning off Norton AV 'scan incoming email' until new email downloaded from ISP server then turned back on. Also, Norton, ZoneAlarm Help checked, both pgm's "working well". Thanks again.

2072.

Solve : need Antivirus,firwall info - Norton AV "incompatible" with ZoneAlarm firewall?

Answer»

New pc with Win Vista op system. Recently bought 12 month Norton AntiVirus 2010 & renewed 12 month ZoneAlarm firewall & was happy with both on old Win XP pc.
Shortly after reinstalling both on new pc, ms Outlook was unable most days to receive new mail and secure banking WEB sites were often INACCESSIBLE. Removed both for a bit - no problems.
Finally reinstalled Vista op system then ZA firewall. Reinstalling NAV, it tells me NAV2010 is 'incompatible' with ZoneAlarm.
I've likely RAISED my risks with several software makers doing separate jobs.
Despite having paid subscriptions, I may need to stay with 1 co. for both tasks (ZoneAlarm Extreme Security or Norton Internet Security).
Does anyone have experience with these 2 companies? Success with NAV + another firewall maker besides WINDOWS firewall? Experience with Norton or ZoneAlarm full task products? I've heard complements + horror stories on both. Many thanks.Is this a home PC, or is an office/business PC?Quote from: soybean on February 15, 2010, 05:15:56 PM

Is this a home PC, or is an office/business PC?

This is a home pc. Very frustrating as I couldn't log into bank accts. to check ACCT, pay bills ("Internet Exp can not display this page"). I was unable most days to receive new mail via ms Outlook: error codes 0x800CCC92, 0x800CCC90, 0x8004210E; I was still able to read new mail via ISP's web page mail. (ISP recently changed email service from their server to Win Live; had 'Outlook unable to Rev new email' once since then).
Outlook seems to be working now. I realize not smart to work with no AV; visiting only "safe" sites for now. Had no trouble with [ZA firewall + Norton AV] before (Win XP, old pc) but may not work together on new Win Vista pc. I may also try ZoneAlarm tech help again. Intend to upgrade to Win7 when I get rid of current problems. Thanks for your help.

ps. interesting that, on days Outlook unable to Rcv email, I was usually able to receive new mail by turning off Norton AV 'scan incoming email' until new email downloaded from ISP server then turned back on. Also, Norton, ZoneAlarm Help checked, both pgm's "working well". Thanks again.

Discussion

2073.

Solve : Need help with Virus..."Cannot execute file....Please run Spyware"?

Answer»

I see there are others that are having ISSUES with spyware and everyone was directed to start a new thread. I cannot open my taskmanager and when I open some programs its says it is a virus and cannot continue. I also have a red x on the bottom right of my screen that KEEPS prompting me to buy anit-spyware programs.

Any help would be much appreciated...Welcome to CH.

Please post the two logs that these scanners will create.

Try not to restart the computer until one of the tools we use does it for you or tells you to.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the next one.

Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* When finished it will create a log. Please post the rkill.log in the next reply.

* If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following.

Download and run exeHelper

* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Add the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).Here are the logs. This did get rid of some of the pop up windows right away.

Thanks already, but is there anything else?

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Dan on 02/14/2010 at 17:32:59.

Processes TERMINATED by Rkill or while it was running:

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Documents and Settings\Dan\Desktop\rkill.exe

Rkill completed on 02/14/2010 at 17:33:01.

exeHelper by Raktor
Build 20091220
Run at 17:34:53 on 02/14/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\41.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Quote from: dkamis on February 14, 2010, 05:36:21 PM

Thanks already, but is there anything else?

Yes. That just got it to where we can do what is needed to actually remove the malware.

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFixMy background is back to normal and i'm not getting the error ANYMORE. What should i do now?

I can't thank you enough. I spent a good 3 hours trying to troubleshoot this problem.

ComboFix 10-02-12.01 - Dan 02/14/2010 19:17:25.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1202 [GMT -7:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dan\Local Settings\Application Data\{A367E2B0-92DA-41DF-8217-2979DC43F88A}
c:\documents and settings\Dan\Local Settings\Application Data\{A367E2B0-92DA-41DF-8217-2979DC43F88A}\chrome.manifest
c:\documents and settings\Dan\Local Settings\Application Data\{A367E2B0-92DA-41DF-8217-2979DC43F88A}\chrome\content\_cfg.js
c:\documents and settings\Dan\Local Settings\Application Data\{A367E2B0-92DA-41DF-8217-2979DC43F88A}\chrome\content\overlay.xul
c:\documents and settings\Dan\Local Settings\Application Data\{A367E2B0-92DA-41DF-8217-2979DC43F88A}\install.rdf
c:\windows\azepevog.dll
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\41.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\helper32.dll
c:\windows\system32\IS15.exe
c:\windows\system32\kekiyala.dll
c:\windows\system32\libupune.dll
c:\windows\system32\namavahe.dll
c:\windows\system32\remebeyi.dll
c:\windows\system32\smss32.exe
c:\windows\system32\twain_32.dll
c:\windows\system32\vegorohi.dll
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe
c:\windows\Sysvxd.exe
c:\windows\Tasks\hgvedarf.job
c:\windows\TEMP\logishrd\LVPrcInj02.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-14 19:59 . 2009-12-02 13:1915880----a-w-c:\windows\system32\lsdelete.exe
2010-02-14 19:43 . 2010-02-14 19:43--------d-----w-c:\documents and settings\HelpAssistant\UserData
2010-02-14 19:43 . 2010-02-14 19:43--------d-----w-c:\documents and settings\HelpAssistant\PrivacIE
2010-02-14 19:37 . 2010-02-14 23:25--------d-----w-c:\documents and settings\HelpAssistant\IETldCache
2010-02-14 18:36 . 2010-02-14 18:36--------dc-h--w-c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-14 18:35 . 2010-02-14 18:39--------d-----w-c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-14 18:35 . 2010-02-14 18:35--------d-----w-c:\program files\Lavasoft
2010-02-14 17:26 . 2010-02-14 17:26--------d-----w-c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-02-13 23:14 . 2010-02-15 01:56120----a-w-c:\windows\Psazabul.dat
2010-02-13 23:14 . 2010-02-14 17:240----a-w-c:\windows\Uxivarowijehulal.bin
2010-02-10 14:00 . 2010-02-10 14:00--------d-sh--w-c:\windows\system32\config\systemprofile\IETldCache
2010-02-02 08:09 . 2010-02-02 08:09--------d-----w-c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-20 01:07 . 2010-01-20 01:07--------d-----w-c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 02:34 . 2008-02-24 01:47--------d-----w-c:\documents and settings\Dan\Application Data\uTorrent
2010-02-15 02:32 . 2008-02-23 22:170----a-w-c:\windows\system32\drivers\lvuvc.hs
2010-02-15 02:32 . 2008-10-26 13:120----a-w-c:\windows\system32\drivers\logiflt.iad
2010-02-10 13:36 . 2008-02-23 22:09--------d-----w-c:\documents and settings\Dan\Application Data\Skype
2010-02-10 07:07 . 2008-02-23 22:10--------d-----w-c:\documents and settings\Dan\Application Data\skypePM
2010-02-09 02:52 . 2009-11-14 20:56--------d-----w-c:\program files\Microsoft Windows OneCare Live
2010-02-02 08:04 . 2008-02-21 14:05--------d-----w-c:\program files\Google
2010-01-22 10:16 . 2009-01-21 05:08--------d-----w-c:\program files\Microsoft Silverlight
2010-01-14 10:01 . 2008-10-26 20:49--------d-----w-c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-04 05:31 . 2010-01-04 05:31--------d-----w-c:\documents and settings\LocalService\Application Data\DivX
2010-01-03 20:27 . 2010-01-03 20:13--------d-----w-c:\program files\TVersity Codec Pack
2010-01-03 20:27 . 2010-01-03 20:27--------d-----w-c:\program files\ffdshow
2010-01-03 20:13 . 2010-01-03 20:13--------d-----w-c:\program files\TVersity
2010-01-03 20:00 . 2010-01-03 20:00--------d-----w-c:\documents and settings\NetworkService\Application Data\DivX
2009-12-30 22:09 . 2008-02-24 00:5586512----a-w-c:\documents and settings\Danielle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-30 22:07 . 2008-07-19 16:2686512----a-w-c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-08-10 18:51916480----a-w-c:\windows\system32\wininet.dll
2009-12-14 19:15 . 2009-12-14 19:152146304----a-w-c:\windows\system32\GPhotos.scr
2009-11-21 16:36 . 2004-08-10 18:50470528----a-w-c:\windows\AppPatch\aclayers.dll
2009-12-30 22:09 . 2009-12-30 22:09119808----a-w-c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-02-24 19:34 . 2009-02-24 19:341044480----a-w-c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34200704----a-w-c:\program files\mozilla firefox\plugins\ssldivx.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\bejevopu.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\dejegima.dll
1601-01-01 00:03 . 1601-01-01 00:0393696--sha-w-c:\windows\system32\dukiteli.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\fomuboza.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\giremasu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0393184--sha-w-c:\windows\system32\hulutozu.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\jipiluho.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\jobiwaje.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0393696--sha-w-c:\windows\system32\kenajibo.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\mepepora.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\motuzesu.dll
1601-01-01 00:03 . 1601-01-01 00:0352224--sha-w-c:\windows\system32\namogizu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\ninapega.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\nufejoda.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\pitajayi.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\sudinasu.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\tebapema.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0352224--sha-w-c:\windows\system32\vogomiyi.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0352224--sha-w-c:\windows\system32\wamonewe.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0393184--sha-w-c:\windows\system32\yuvodufu.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\zowujeba.dll
1601-01-01 00:03 . 1601-01-01 00:0393184--sha-w-c:\windows\system32\zuhiwuji.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1e9788dd-adaa-4254-afe2-a3285f7ae197}]
1601-01-01 00:0353760--sha-w-c:\windows\system32\fomuboza.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-21 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-04-18 2356088]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-11-29 289584]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-30 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-21 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification PackagesREG_MULTI_SZ scecli mautcfc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"quickcare"=c:\program files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCare

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Roxio\\Drag-to-Disc\\DrgToDsc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [7/9/2009 12:15 PM 26104]
R2 sprtlisten;SupportSoft LISTENER Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 1:04 AM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2008 7:05 AM 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 6:19 AM 1184912]
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 13:19]

2010-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 08:04]

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1080221
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: turbotax.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.totsites.com/admin2/includes/imageuploader5_5_6/ImageUploader5.cab
DPF: {BBF89515-EDB6-4236-8FBB-B6045290076D} - hxxp://www.totsites.com/admin2/includes/imageuploader2/ImageUploader4.cab
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\htcibwlm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ufck.org/forums/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\htcibwlm.default\extensions\[emailprotected]\plugins\npdevalvr.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-smss32.exe - c:\windows\system32\smss32.exe
HKLM-Run-Vmafoyohovojamaz - c:\windows\azepevog.dll
HKLM-Run-pitotuduf - c:\windows\system32\kekiyala.dll
HKLM-Run-sesuhiyupu - namavahe.dll
SharedTaskScheduler-{6bcd5124-841e-4944-b780-726f8df5a22d} - c:\windows\system32\libupune.dll
SharedTaskScheduler-{04911ed9-e11b-4c9f-a6b9-4abf32464b74} - c:\windows\system32\libupune.dll
SharedTaskScheduler-{216493bc-aa17-44ee-aea7-0c08d17f446d} - c:\windows\system32\libupune.dll
SharedTaskScheduler-{a70d5985-a487-4cb3-a3fb-2cb374e259c0} - c:\windows\system32\libupune.dll
SharedTaskScheduler-{979b9cc0-6b2d-4b68-a537-473c449c22c9} - c:\windows\system32\libupune.dll
SharedTaskScheduler-{d11e4d95-f67b-45a6-a43a-27ef75d1fe4c} - c:\windows\system32\kekiyala.dll
SSODL-bibolurej-{6bcd5124-841e-4944-b780-726f8df5a22d} - c:\windows\system32\libupune.dll
SSODL-kiyefefem-{04911ed9-e11b-4c9f-a6b9-4abf32464b74} - c:\windows\system32\libupune.dll
SSODL-yikebosop-{216493bc-aa17-44ee-aea7-0c08d17f446d} - c:\windows\system32\libupune.dll
SSODL-higakekil-{a70d5985-a487-4cb3-a3fb-2cb374e259c0} - c:\windows\system32\libupune.dll
SSODL-rutepivim-{979b9cc0-6b2d-4b68-a537-473c449c22c9} - c:\windows\system32\libupune.dll
SSODL-behehuzef-{d11e4d95-f67b-45a6-a43a-27ef75d1fe4c} - c:\windows\system32\kekiyala.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 19:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x891A28A0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\iaStor -> 0x891a28a0
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Intel(R) 82562V 10/100 Network Connection -> SendCompleteHandler -> 0x88935330
PacketIndicateHandler -> NDIS.sys @ 0xb9d9bb21
SendHandler -> NDIS.sys @ 0xb9d7987b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\windows\mautcfc.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(9940)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\mautcfc.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
c:\program files\logitech\quickcam\lu\LogitechUpdate.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2010-02-14 19:44:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-15 02:44

Pre-Run: 209,102,614,528 bytes free
Post-Run: 211,878,346,752 bytes free

- - End Of File - - 09D9A1ED619EC56725E7AA1332F515FC
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

DDS::
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: turbotax.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com

File::
c:\windows\Psazabul.dat
c:\windows\Uxivarowijehulal.bin

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1e9788dd-adaa-4254-afe2-a3285f7ae197}]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

If you already have Malwarebytes be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:

* Update Malwarebytes' Anti-Malware
* Launch Malwarebytes' Anti-Malware

* Then click Finish
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

----------

Quote

AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

I suggest uninstalling OneCare and getting something that has better protection (and also free). Onecare is soon to be unsupported by Microsoft.

I use these.

Microsoft Security Essentials for Windows XP
Online ArmorI honestly don't know what I would have done without your help.

Malwarebytes' Anti-Malware 1.44
Database version: 3740
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

2/14/2010 8:52:11 PM
mbam-log-2010-02-14 (20-52-11).txt

Scan type: Quick Scan
Objects scanned: 182188
Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\mautcfc.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: mautcfc.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bejevopu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dejegima.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dukiteli.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fomuboza.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hulutozu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jipiluho.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kenajibo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mepepora.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\motuzesu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ninapega.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nufejoda.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pitajayi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sudinasu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yuvodufu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zowujeba.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zuhiwuji.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\mautcfc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jobiwaje.dll.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\giremasu.dll.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\namogizu.dll.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tebapema.dll.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vogomiyi.dll.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wamonewe.dll.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\10E.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\113.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\293.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\294.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\297.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\bqgsht.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\dfopoi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\n.exn (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\shkttc.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\O98P1GCS\load[1].php (Rootkit.TDSS) -> Quarantined and deleted successfully.

---------------------------------------------------------------------
ComboFix 10-02-12.01 - Dan 02/14/2010 20:04:39.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1208 [GMT -7:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

FILE ::
"c:\windows\Psazabul.dat"
"c:\windows\Uxivarowijehulal.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Psazabul.dat
c:\windows\system32\_000005_.tmp.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\Uxivarowijehulal.bin

.
((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-14 19:59 . 2009-12-02 13:1915880----a-w-c:\windows\system32\lsdelete.exe
2010-02-14 19:43 . 2010-02-14 19:43--------d-----w-c:\documents and settings\HelpAssistant\UserData
2010-02-10 14:00 . 2010-02-10 14:00--------d-sh--w-c:\windows\system32\config\systemprofile\IETldCache
2010-02-02 08:09 . 2010-02-02 08:09--------d-----w-c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-20 01:07 . 2010-01-20 01:07--------d-----w-c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 03:14 . 2008-02-24 01:47--------d-----w-c:\documents and settings\Dan\Application Data\uTorrent
2010-02-15 03:12 . 2008-02-23 22:170----a-w-c:\windows\system32\drivers\lvuvc.hs
2010-02-15 03:12 . 2008-10-26 13:120----a-w-c:\windows\system32\drivers\logiflt.iad
2010-02-15 03:07 . 2009-11-14 20:56--------d-----w-c:\program files\Microsoft Windows OneCare Live
2010-02-15 02:42 . 2008-10-26 20:49--------d-----w-c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-14 18:39 . 2010-02-14 18:35--------d-----w-c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-14 18:36 . 2010-02-14 18:36--------dc-h--w-c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-14 18:35 . 2010-02-14 18:35--------d-----w-c:\program files\Lavasoft
2010-02-10 13:36 . 2008-02-23 22:09--------d-----w-c:\documents and settings\Dan\Application Data\Skype
2010-02-10 07:07 . 2008-02-23 22:10--------d-----w-c:\documents and settings\Dan\Application Data\skypePM
2010-02-02 08:04 . 2008-02-21 14:05--------d-----w-c:\program files\Google
2010-01-22 10:16 . 2009-01-21 05:08--------d-----w-c:\program files\Microsoft Silverlight
2010-01-04 05:31 . 2010-01-04 05:31--------d-----w-c:\documents and settings\LocalService\Application Data\DivX
2010-01-03 20:27 . 2010-01-03 20:13--------d-----w-c:\program files\TVersity Codec Pack
2010-01-03 20:27 . 2010-01-03 20:27--------d-----w-c:\program files\ffdshow
2010-01-03 20:13 . 2010-01-03 20:13--------d-----w-c:\program files\TVersity
2010-01-03 20:00 . 2010-01-03 20:00--------d-----w-c:\documents and settings\NetworkService\Application Data\DivX
2009-12-31 16:14 . 2004-08-10 18:51352640----a-w-c:\windows\system32\drivers\srv.sys
2009-12-30 22:09 . 2008-02-24 00:5586512----a-w-c:\documents and settings\Danielle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-30 22:07 . 2008-07-19 16:2686512----a-w-c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-08-10 18:51916480------w-c:\windows\system32\wininet.dll
2009-12-16 12:58 . 2004-08-10 19:01343040----a-w-c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:152146304----a-w-c:\windows\system32\GPhotos.scr
2009-12-14 07:35 . 2004-08-10 18:5033280----a-w-c:\windows\system32\csrsrv.dll
2009-12-08 18:11 . 2004-08-10 18:512142720------w-c:\windows\system32\ntoskrnl.exe
2009-12-08 17:35 . 2004-08-04 04:592020864------w-c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-08-10 18:51453760----a-w-c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2004-08-10 18:511291264----a-w-c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2004-08-04 06:5617920----a-w-c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-10 18:5128672----a-w-c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2004-08-10 18:5111264----a-w-c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-10 18:5084992----a-w-c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-04 06:5648128----a-w-c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-18 04:368704----a-w-c:\windows\system32\tsbyuv.dll
2009-11-21 16:36 . 2004-08-10 18:50470528----a-w-c:\windows\AppPatch\aclayers.dll
2009-12-30 22:09 . 2009-12-30 22:09119808----a-w-c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-02-24 19:34 . 2009-02-24 19:341044480----a-w-c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34200704----a-w-c:\program files\mozilla firefox\plugins\ssldivx.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\bejevopu.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\dejegima.dll
1601-01-01 00:03 . 1601-01-01 00:0393696--sha-w-c:\windows\system32\dukiteli.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\fomuboza.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\giremasu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0393184--sha-w-c:\windows\system32\hulutozu.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\jipiluho.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\jobiwaje.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0393696--sha-w-c:\windows\system32\kenajibo.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\mepepora.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\motuzesu.dll
1601-01-01 00:03 . 1601-01-01 00:0352224--sha-w-c:\windows\system32\namogizu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\ninapega.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\nufejoda.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\pitajayi.dll
1601-01-01 00:03 . 1601-01-01 00:0339424--sha-w-c:\windows\system32\sudinasu.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\tebapema.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0352224--sha-w-c:\windows\system32\vogomiyi.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0352224--sha-w-c:\windows\system32\wamonewe.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:0393184--sha-w-c:\windows\system32\yuvodufu.dll
1601-01-01 00:03 . 1601-01-01 00:0353760--sha-w-c:\windows\system32\zowujeba.dll
1601-01-01 00:03 . 1601-01-01 00:0393184--sha-w-c:\windows\system32\zuhiwuji.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-21 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-04-18 2356088]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-11-29 289584]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-30 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-21 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification PackagesREG_MULTI_SZ scecli mautcfc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"quickcare"=c:\program files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCare

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Roxio\\Drag-to-Disc\\DrgToDsc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [7/9/2009 12:15 PM 26104]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 1:04 AM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2008 7:05 AM 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 6:19 AM 1184912]
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 13:19]

2010-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 08:04]

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1080221
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.totsites.com/admin2/includes/imageuploader5_5_6/ImageUploader5.cab
DPF: {BBF89515-EDB6-4236-8FBB-B6045290076D} - hxxp://www.totsites.com/admin2/includes/imageuploader2/ImageUploader4.cab
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\htcibwlm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ufck.org/forums/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\htcibwlm.default\extensions\[emailprotected]\plugins\npdevalvr.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 20:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8982F670]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\iaStor -> 0x8982f670
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Intel(R) 82562V 10/100 Network Connection -> SendCompleteHandler -> 0x88ee5330
PacketIndicateHandler -> NDIS.sys @ 0xb9d9bb21
SendHandler -> NDIS.sys @ 0xb9d7987b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\windows\mautcfc.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(7916)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\mautcfc.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\hnetcfg.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\stsystra.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-14 20:24:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-15 03:24
ComboFix2.txt 2010-02-15 02:44

Pre-Run: 211,883,958,272 bytes free
Post-Run: 211,833,806,848 bytes free

- - End Of File - - 84A5D4AB25726BA1B4F4F48262E4195B

The Malwarebytes scan turned up more than I thought it would so we need to have a closer look at a few files.

Download GMER Rootkit Detector and save it your desktop.

* Extract it to your desktop and double-click GMER.exe
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to clipboard
* Post the log in your reply.On second thought run this also and post the two logs it will create.

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.The first one froze. Should i try and re-run it?

DDS (Ver_09-12-01.01) - NTFSx86
Run by Dan at 21:34:33.21 on Sun 02/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1278 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://qwest.live.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1080221
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.totsites.com/admin2/includes/imageuploader5_5_6/ImageUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {BBF89515-EDB6-4236-8FBB-B6045290076D} - hxxp://www.totsites.com/admin2/includes/imageuploader2/ImageUploader4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dan\applic~1\mozilla\firefox\profiles\htcibwlm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ufck.org/forums/
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\dan\application data\mozilla\firefox\profiles\htcibwlm.default\extensions\[emailprotected]\plugins\npdevalvr.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-2-21 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1184912]

=============== Created Last 30 ================

2010-02-15 04:07:530d-----w-c:\program files\Microsoft Security Essentials
2010-02-15 03:36:340d-----w-c:\docume~1\dan\applic~1\Malwarebytes
2010-02-15 03:36:2838224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 03:36:260d-----w-c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-15 03:36:2519160----a-w-c:\windows\system32\drivers\mbam.sys
2010-02-15 03:36:250d-----w-c:\program files\Malwarebytes' Anti-Malware
2010-02-15 02:10:590d-sha-r-C:\cmdcons
2010-02-15 02:09:4198816----a-w-c:\windows\sed.exe
2010-02-15 02:09:4177312----a-w-c:\windows\MBR.exe
2010-02-15 02:09:41261632----a-w-c:\windows\PEV.exe
2010-02-15 02:09:41161792----a-w-c:\windows\SWREG.exe
2010-02-14 19:59:5515880----a-w-c:\windows\system32\lsdelete.exe
2010-02-14 18:36:170dc-h--w-c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-14 18:35:570d-----w-c:\program files\Lavasoft

==================== Find3M ====================

2010-02-15 04:27:320----a-w-c:\windows\system32\drivers\lvuvc.hs
2010-02-15 04:27:280----a-w-c:\windows\system32\drivers\logiflt.iad
2010-01-14 18:12:06181120------w-c:\windows\system32\MpSigStub.exe
2009-12-31 16:14:12352640----a-w-c:\windows\system32\drivers\srv.sys
2009-12-31 16:14:12352640------w-c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18173056----a-w-c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 12:58:04343040----a-w-c:\windows\system32\mspaint.exe
2009-12-16 12:58:04343040------w-c:\windows\system32\dllcache\mspaint.exe
2009-12-14 19:15:142146304----a-w-c:\windows\system32\GPhotos.scr
2009-12-14 07:35:3533280----a-w-c:\windows\system32\csrsrv.dll
2009-12-14 07:35:3533280------w-c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 18:14:022185984------w-c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 18:11:442142720------w-c:\windows\system32\ntoskrnl.exe
2009-12-08 18:11:442142720------w-c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 17:35:252020864------w-c:\windows\system32\ntkrnlpa.exe
2009-12-08 17:35:252020864------w-c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 17:35:222063104------w-c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 08:59:48474112------w-c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 14:41:55453760------w-c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:33:3517920----a-w-c:\windows\system32\msyuv.dll
2009-11-27 17:33:3517920----a-w-c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:33:351291264----a-w-c:\windows\system32\quartz.dll
2009-11-27 17:33:351291264------w-c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:37:278704----a-w-c:\windows\system32\tsbyuv.dll
2009-11-27 16:37:278704----a-w-c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:37:2784992----a-w-c:\windows\system32\avifil32.dll
2009-11-27 16:37:2784992------w-c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:37:2748128----a-w-c:\windows\system32\iyuv_32.dll
2009-11-27 16:37:2748128----a-w-c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:37:2728672----a-w-c:\windows\system32\msvidc32.dll
2009-11-27 16:37:2728672------w-c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:37:2711264----a-w-c:\windows\system32\msrle32.dll
2009-11-27 16:37:2711264------w-c:\windows\system32\dllcache\msrle32.dll
2009-11-21 16:36:13470528------w-c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 21:35:36.73 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 2/23/2008 1:38:41 PM
System Uptime: 2/14/2010 9:26:52 PM (0 hours ago)

Motherboard: Dell Inc. | | 0WG860
Processor: Intel(R) Core(TM)2 CPU 6420 @ 2.13GHz | Microprocessor | 2127/1066mhz
Processor: Intel(R) Core(TM)2 CPU 6420 @ 2.13GHz | Microprocessor | 2128/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 295 GiB total, 244.78 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP626: 11/17/2009 5:02:03 AM - System Checkpoint
RP627: 11/18/2009 7:30:44 AM - System Checkpoint
RP628: 11/19/2009 8:50:00 AM - System Checkpoint
RP629: 11/20/2009 9:21:27 PM - System Checkpoint
RP630: 11/22/2009 8:56:27 AM - System Checkpoint
RP631: 11/23/2009 8:27:46 PM - System Checkpoint
RP632: 11/24/2009 8:30:54 PM - System Checkpoint
RP633: 11/26/2009 9:27:40 AM - System Checkpoint
RP634: 11/27/2009 7:06:23 AM - Software Distribution Service 3.0
RP635: 11/27/2009 7:14:26 AM - Removed Qwest Personal Digital Vault™.
RP636: 11/28/2009 7:54:10 AM - System Checkpoint
RP637: 11/29/2009 8:54:49 AM - System Checkpoint
RP638: 11/30/2009 9:06:49 AM - System Checkpoint
RP639: 12/1/2009 11:06:09 AM - System Checkpoint
RP640: 12/2/2009 12:54:52 PM - System Checkpoint
RP641: 12/3/2009 2:54:49 PM - System Checkpoint
RP642: 12/4/2009 4:53:09 PM - System Checkpoint
RP643: 12/5/2009 5:00:09 PM - System Checkpoint
RP644: 12/6/2009 8:13:30 PM - System Checkpoint
RP645: 12/7/2009 9:01:46 PM - System Checkpoint
RP646: 12/8/2009 10:54:26 PM - System Checkpoint
RP647: 12/9/2009 3:00:15 AM - Software Distribution Service 3.0
RP648: 12/10/2009 4:23:57 AM - System Checkpoint
RP649: 12/11/2009 6:24:55 AM - System Checkpoint
RP650: 12/12/2009 8:21:55 AM - System Checkpoint
RP651: 12/13/2009 8:23:56 AM - System Checkpoint
RP652: 12/14/2009 8:35:02 AM - System Checkpoint
RP653: 12/15/2009 10:35:56 AM - System Checkpoint
RP654: 12/16/2009 10:58:59 AM - System Checkpoint
RP655: 12/17/2009 12:59:56 PM - System Checkpoint
RP656: 12/18/2009 2:55:56 PM - System Checkpoint
RP657: 12/19/2009 3:08:56 PM - System Checkpoint
RP658: 12/20/2009 4:58:30 PM - System Checkpoint
RP659: 12/21/2009 6:58:30 PM - System Checkpoint
RP660: 12/22/2009 8:21:13 PM - System Checkpoint
RP661: 12/23/2009 10:09:09 PM - System Checkpoint
RP662: 12/25/2009 12:18:21 AM - System Checkpoint
RP663: 12/26/2009 2:08:13 AM - System Checkpoint
RP664: 12/27/2009 2:23:39 AM - System Checkpoint
RP665: 12/28/2009 4:09:12 AM - System Checkpoint
RP666: 12/29/2009 6:09:09 AM - System Checkpoint
RP667: 12/30/2009 6:19:25 AM - System Checkpoint
RP668: 12/31/2009 9:46:53 AM - System Checkpoint
RP669: 1/1/2010 9:55:46 AM - System Checkpoint
RP670: 1/2/2010 9:58:42 AM - System Checkpoint
RP671: 1/3/2010 10:01:42 AM - System Checkpoint
RP672: 1/4/2010 11:37:01 AM - System Checkpoint
RP673: 1/5/2010 1:49:29 PM - System Checkpoint
RP674: 1/6/2010 3:36:59 PM - System Checkpoint
RP675: 1/7/2010 5:43:43 PM - System Checkpoint
RP676: 1/8/2010 8:12:26 PM - System Checkpoint
RP677: 1/9/2010 9:04:41 PM - System Checkpoint
RP678: 1/10/2010 9:05:04 PM - System Checkpoint
RP679: 1/11/2010 10:41:43 PM - System Checkpoint
RP680: 1/12/2010 10:42:48 PM - System Checkpoint
RP681: 1/13/2010 3:00:13 AM - Software Distribution Service 3.0
RP682: 1/14/2010 3:00:16 AM - Software Distribution Service 3.0
RP683: 1/15/2010 7:33:52 AM - System Checkpoint
RP684: 1/16/2010 9:17:43 AM - System Checkpoint
RP685: 1/18/2010 6:20:32 PM - System Checkpoint
RP686: 1/19/2010 8:37:47 PM - System Checkpoint
RP687: 1/20/2010 3:00:14 AM - Software Distribution Service 3.0
RP688: 1/21/2010 4:09:53 AM - System Checkpoint
RP689: 1/22/2010 3:00:13 AM - Software Distribution Service 3.0
RP690: 1/23/2010 3:41:20 AM - System Checkpoint
RP691: 1/24/2010 5:32:01 AM - System Checkpoint
RP692: 1/25/2010 5:32:20 AM - System Checkpoint
RP693: 1/26/2010 5:36:18 AM - System Checkpoint
RP694: 1/27/2010 8:03:59 PM - System Checkpoint
RP695: 1/28/2010 9:28:00 PM - System Checkpoint
RP696: 1/29/2010 11:28:00 PM - System Checkpoint
RP697: 1/30/2010 11:31:12 PM - System Checkpoint
RP698: 1/31/2010 10:17:40 AM - Installed Windows XP -- Software Updates KB952011.
RP699: 2/1/2010 8:28:31 PM - System Checkpoint
RP700: 2/3/2010 7:10:41 AM - System Checkpoint
RP701: 2/4/2010 8:00:26 PM - System Checkpoint
RP702: 2/8/2010 8:26:48 PM - System Checkpoint
RP703: 2/9/2010 8:47:15 PM - System Checkpoint
RP704: 2/10/2010 10:59:14 PM - System Checkpoint
RP705: 2/12/2010 12:59:14 AM - System Checkpoint
RP706: 2/13/2010 4:18:01 PM - Microsoft OneCare Protection Checkpoint
RP707: 2/13/2010 4:25:47 PM - Microsoft OneCare Protection Checkpoint
RP708: 2/14/2010 10:26:02 AM - Microsoft OneCare Protection Checkpoint
RP709: 2/14/2010 7:36:32 PM - Software Distribution Service 3.0
RP710: 2/14/2010 9:10:45 PM - Software Distribution Service 3.0

==== Installed Programs ======================

µTorrent
Actiontec Gateway
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge CS4
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS3
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS4
Adobe Linguistics CS3
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS3
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
AP Tuner 3.08
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
AutoUpdate
Bonjour
Canon MP460
Choice Guard
Conexant HDA D110 MDC V.92 Modem
Connect
Cool Edit Pro 2.0
Critical Update for Windows Media Player 11 (KB959772)
Dell CinePlayer
Dell DataSafe Online
Dell Driver Reset Tool
Dell Support Center (Support Software)
Dell System Restore
DellSupport
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Version Checker
DivX Web Player
Documentation & Support Launcher
FLAC 1.2.1b (remove only)
Games, Music, & Photos Launcher
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB921411)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB934428-v2)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
ieSpell
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections 11.2.1.69
Internet Service Offers Launcher
iTunes
J2SE Runtime Environment 5.0 Update 6
kuler
Logitech Legacy USB Camera Driver Package
Logitech QuickCam
Logitech QuickCam Driver Package
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Search Enhancement Pack
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Modem Helper
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.17)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NetWaiting
PC Inspector smart recovery
PDF Settings CS4
Photoshop Camera Raw
Picasa 3
QuickConnect
QuickTime
Qwest QuickAssist Desktop Tools
Qwest Quickcare 2.6
Qwest Windows Live Toolbar Buttons
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
SearchAssist
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Skype web features
Skype™ 4.1
Snood 4
Sonic Activation Module
Suite Shared Configuration CS4
TurboTax 2008
TurboTax 2008 wcoiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Deluxe 2007
TVersity Codec Pack 1.2
TVersity Media Server 1.7.2.1 Beta
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb977719)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB894391)
Update for Windows XP (KB896256)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB923845)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD Diagnostics
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip 12.1

==== Event Viewer Messages From Past Week ========

2/9/2010 6:21:18 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2/14/2010 8:53:52 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
2/14/2010 8:04:37 PM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 8:04:37 PM, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 8:04:37 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 8:04:37 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/14/2010 8:04:36 PM, error: Service Control Manager [7034] - The SupportSoft Sprocket Service (dellsupportcenter) service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 8:04:36 PM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 8:04:36 PM, error: Service Control Manager [7034] - The LVCOMSer service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 8:04:36 PM, error: Service Control Manager [7031] - The Windows Live OneCare service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/14/2010 8:04:35 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 8:04:35 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 7:10:56 PM, error: WMPNetworkSvc [14344] - A new media server was not initialized because WMCreateDeviceRegistration() encountered error '0xc00d2711'. The Windows Media DRM components on your computer might be corrupted. Verify that protected files play correctly in Windows Media Player, and then restart the WMPNetworkSvc service.
2/14/2010 3:59:55 PM, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 3:59:44 PM, error: Service Control Manager [7031] - The OneCare Firewall service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/14/2010 3:59:09 PM, error: Service Control Manager [7034] - The Roxio Hard Drive Watcher 9 service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 12:44:23 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 3 time(s).
2/14/2010 12:43:49 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/14/2010 12:43:31 PM, error: Service Control Manager [7034] - The SupportSoft Listener Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 12:43:22 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 12:43:03 PM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/14/2010 12:43:01 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/14/2010 12:42:27 PM, error: Service Control Manager [7034] - The OneCare AntiSpyware and AntiVirus service terminated unexpectedly. It has done this 3 time(s).
2/14/2010 12:42:03 PM, error: Service Control Manager [7031] - The OneCare AntiSpyware and AntiVirus service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
2/14/2010 12:41:41 PM, error: Service Control Manager [7034] - The Windows Live OneCare Health Monitor service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 12:40:27 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
2/14/2010 12:39:46 PM, error: Service Control Manager [7031] - The OneCare AntiSpyware and AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
2/12/2010 7:18:33 AM, error: Service Control Manager [7034] - The TVersityMediaServer service terminated unexpectedly. It has done this 1 time(s).
2/12/2010 7:02:48 AM, error: Service Control Manager [7034] - The {8EF6A10D-6D85-4258-81165FF5D849208D} service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
GMER froze?

Try this one.

* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

Discussion

2074.	Solve : prevent anti-malware software??
Answer» What's the best SOFTWARE to prevent MALWARE INFECTIONS? The best to detect infections? The best to eradicate them? The best single all-in-one PRODUCT?Hello, your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you NEED help. ~ DragonMaster Jay

Discussion

2075.	Solve : Please do not bump your thread?
Answer» WHEN YOU BUMP YOUR THREAD OR ADD UNNECESSARY POSTS YOU LENGTHEN THE TIME TO GET A RESPONSE! It does not matter whether the bump is intentional or not. Each time you bump your thread by posting another message you do not bump to the top, you bump to the BOTTOM of the list. You are better off posting once and waiting for an answer. Even starting another thread (which you should not do anyway) will not help because of the procedure we use to work through new threads. We work from oldest thread to newest. Bumping your thread could cost you hours or even days of additional waiting time. Also when a topic has multiple answers it looks as if someone is already helping you. Be patient. Malware is SPREADING like an epidemic and all forums that assist in removing malware are EXTREMELY busy. Some forums have now even stopped dealing with malware logs because it is requiring too much of peoples free time. This is a non-paid job and MANY helpers give up much of their free time to do this, but they are doing it for free and only when they have time to do so. Also we don't all LIVE in the same time zone or even the same country. We are doing our best to help all users needing assistance but we can't get to everyone at the same time. Work through and then post the logs from the Malware Removal Steps and then please be patient.

Discussion

2076.	Solve : I keep getting this window popping up on my PC r/o?
Answer» C:/WINDOWS/SYSTEMS/BIN/djrunner2.exe The box then says "Windows cannot find C:/WINDOWS/SYSTEMS/BIN/djrunner2.exe. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, then click search" Problem is.. I’m not searching for anything & this just appears.. Tell me I DON’T have a virus. Anyone have any ideas as to what MAY be causing this? My OS is Windows XP Professional Thanks XP is trying to load this application in the background. The first THING is to scan for viruses and spyware. Did you recently uninstall an application? If when uninstalling, all you do is delete the directory, the Operating System still thinks it has to run the app. You'll likely have some registry SETTINGS that didn't get handled properly.Thanks for replying. I havent added or removed programs at all since getting this PC last month (its new by the way, & its a WORK PC).. Also, we dont have virus SCANNING software at present. Anything else you think this might be? I'm not very knowledgable when it comes to computer problems! Thanksdownload this >http://www.spywareinfo.com/~merijn/downloads.html it will get rid of it Thanks for the link. I informed my boss & its definetly a virus. We're getting anti-virus software ASAP. Thanks for all your help

Discussion

2077.	Solve : Unwanted Downloads?
Answer» Can anyone tell me if it is possible for movie files to be downloaded to my document file with out my permission. Is there a virus or something that is known to AUTOMATICALLY download unwanted material to PRIVATE computers?Yes, viruses and embedded scripting can cause this. I would highly recommend the full or free Version of ZoneAlarm to keep any software from relaying info. Back to it’s HOME server http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp?lid=zadb_zadown Leigh....several things come to mind.....first is it possible that some other than yourself downloaded the unwanted movies. Then , I assume you have a good current virus scanner enabled on your system. So I would look for other forms of bugs.. I would D/L Ad-Aware http://www.lavasoftusa.com/ its free and then TRY SpyBot.... http://download.com.com/3000-2144-10194058.html?tag=lst-0-1 its also free. Try Spysweeper...... http://www.spysweeper.com/download.html These programs should find and remove the little devils. Hope this helps , dl65

Discussion

2078.	Solve : Re: sasser worm b?
Answer» chuck.....re SASSER......go to .... http://v4.windowsupdate.microsoft.com/en/default.asp http://www.symantec.com/index.htm these sites will give you a good insite into the Worm. Good Luck dl65 often wondered if m$oft are putting these viruses in the system to test their own software and firewall as it strange that it only AFFECT windows 2k xp home and pro all ntfs files and all that have remote access next i guess LONGHORN will suffer this fate?its a pity that all the updates m$oft have produced cause pc crashes thats strange also?and pcs who DONT have updates on them like mine never crash thats strange also.watch this space.the sasser b is part of the netsky virus/worm my advice is it aint broke dont fix it

Discussion

2079.	Solve : Windows Search Bar?
Answer» "Windows Search Bar",this BS keeps intsalling it self on my computer.I have had to go to add/remove programs 4 times in the last 3 days &AMP; take it out. It is about to make me mad. Does anyone else have a problem with it? I don't KNOW where it is coming from or how to stop it.I have IE 6.0,and Windows XP. What can I do,before I chunk the computer up against the WALL... scan for spyware http://www.webroot.com/wb/products/spysweeper/index.php and this as WELL>http://www.wilderssecurity.net/bhblaster.html

Discussion

2080.	Solve : Re: www.manipulatingtheicesurface.com?
Answer» try www.secretmaker.com or even pop-up stoppersecretmaker killed that WEBSITE? block it in your firewall &GT;the isp is 81.178.214.71 or try shredder>http://www.spywareinfo.com/~merijn/downloads.html that didnt worksrry for double posting The sites u GAVE me just block them i need a program that will remove it entirly

Discussion

2081.	Solve : One jump a head of the bugs?
Answer» try this scan>http://vil.nai.com/vil/stinger/merlin..........thanks for the heads up ........I just added it to my Utility toolbox. It LOOKS like a GOOD one. NOW if people would just remember to use them.......... Thanks , dl65 RUN stinger here every night on COMPUTERS before going to bed. EVEN with virus protection, doesnt hurt to be safe"er". Even more so with kids!!! LOL

Discussion

2082.	Solve : Re: isearch toolbar?
Answer» Try CWShredder: http://209.133.47.200/~merijn/files/CWShredder.exeWell, I tired it and it didn't work. MUCH appreciated.YES! I got rid of it! I used hijackthis and it worked. In case anyone is interested, I think I got this isearch crap from downloading a windows media file from kazaa. Keep and eye out for those because often times they require a "plug in" in order to play the file. I carefully read the agreement before downloading any plug ins but after I did this one isearch was installed. I STRESS that Im only guessing thats how I got it. See ya! Had problems with isearch toolbar here. Had a hellofva time getting rid of it. Even "at the time" adaware DIDNT find it, so i clicked on a LINK that went to homepage of isearch, they say you have to download an uninstaller, LOL, go figure, but instead of saving it to hard drive, i clicked on open . Havent had isearch since then. Make sure you reboot your computer.

Discussion

2083.	Solve : Re: Sasser and Trojan PROBLEMS HELP?
Answer» are you logged in as the admin?options f8 safe mode and chose last good config or this for this time being>http://support.microsoft.com/default.aspx?kbid=192806&product=w98 and the sasser WORM did you use SYSTEM RESTORE it still maybe there if you didnot disable itwhen running a virus SCAN,and try this to make sure the sasser has GONE>http://vil.nai.com/vil/stinger/

Discussion

2084.	Solve : Re: computer is acting up?
Answer» Jason........It sounds like you have a virus in your puter... do you have current Anti Virus that is up to date ? Check to get the latest updates and then scan all files and FOLDERS in your machine You may also be sure you have the latest patches and security updates from Microsoft. http://v4.windowsupdate.microsoft.com/en/default.asp Hope this helps dl65 what o/s is this it could be anything that could CAUSE this for example>http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q174/6/30.asp&NoWebContent=1 is there any error messages when this happens as sometimes winxp will automaticly do this ---hardware problem call the people you have BOUGHT it from and get them to fix it?okDoes it restart when you do anything in particular? because ive heard of a problem someone else had with a web cam that if used with XP would restart the computer when switched on.well i got all the parts at newegg.com it's a wholesale computer place where you can buy indivual parts. and all my parts are brand new i just recently hooked it up to the internet about 5 days ago and before that it was doing it too. I got the virus scan and update all my drivers and everything but it still happens. i scanned all the files and there was no virus. And the message that merlin posted is what happens sometimes but my computer just goes right through that and starts up. It will usually say SOMETHING about the hardware and do you WANT to start in safe mode or normal mode. i choose normal and everything starts up fine and then later it happens again. i hope this info will help you guys thanks.either try this You have "automatically restart" selected. (Press WinKey-Break, or (Start/Run/Sysdm.cpl), Advanced Tab, Start Up and Recovery/Settings/System Failure/Unmark "Automatically Restart"/Ok/Ok and this link may help you more>http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q244/9/05.asp&NoWebContent=1 if these do not do anything to solve the issue have a look in the events log my thoughts at the moment are graphics card ?

Discussion

2085.	Solve : Re: Trojan horse downloader?
Answer» http://vil.nai.com/vil/stinger/ or this one >http://www.spywareinfo.com/~merijn/downloads.html its called SHREDDER and there is a progam to GET rid of KAZZA?

Discussion

2086.	Solve : Re: Virus problem?
Answer» save it to floppy and run it >http://vil.nai.com/vil/stinger/what do you mean save thr PROGRAM to floppy? i got an idea and went into the cd itself, opened it etc..and FOUND the setup files, installed it there and am now talking through the wireless computer. However, for some reason just a second ago, my computer retarted on its own, from a system error. This has never HAPPEND to me before, but the only first time MAYBE 2 weeks ago. wiiiieerd. thanks, -BrianI think what Merlin meant was copy the program he posted the link for (stinger) to a floppy and run it on your systems. Stinger will check your system for viruses which could be the cause of the system restart EG: Sasser.

Discussion

2087.	Solve : Re: Sasser virus?
Answer» Rick.....When you say MEMORY ......are you refering to the RAM ? If your computer is infected with Blaster and Sasser.....why dont you run the removal tools and get rid of them. http://www.microsoft.com/security/incident/sasser.asp http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html Make sure you get your Anti VIRUS updated to PROTECT your computer and get all the latest updates and patches from Micro Soft. http://v4.windowsupdate.microsoft.com/en/default.asp Hope this helps. dl65 If you're talking about a card that contains memory without being powered then I'd say no, you're just spreading the infection and if you mean RAM CHIPS then no it wouldn't be a problen coz as soon as the power is not supplied the data will be lost. However, RAM chips can keep a residual charge for over 24 hours after being removed. But this is most unlikely to be able to be transferred.

Discussion

2088.	Solve : corporate network protection against spyware?
Answer» Hi, I am PART of an IT department (Alliance Atlantis Communications). We are running a 2000/XP environment (servers and clients). Currently most users have administrative rights to their PCs, and filtered access to the internet through websense (blocking only sites with certain content flags, such as dating/personals, adult, etc.) HOWEVER, since users have administrative rights to their WORKSTATIONS and surf the web like mofos, I've been finding between 2-300 spyware/adware/crap instances on each PC on average when troubleshooting weird stuff like homepages CHANGING, IE crashing, IE bars appearing, etc. I know there's a spyware plugin for websense that provides network level protection against spyware, but before spending $11,000 on that plugin I was wondering if anyone else knew of an alternative. It has to protect the whole network, be supportable (ie not freeware) and work decently well. I believe Adaware Professional has network level spyware protection, anyone used this in a corporate environment? Appreciate your feedback.have a look here you may find something&GT;http://www.webroot.com/wb/downloads/index.phpMany thanks for your feedback.

Discussion

2089.	Solve : What is the best Internet Security?
Answer» I have AVG. Is that the best security?Well, there really isnt a "best" Internet Security, but MANY people on this board will recommend "AVG"(as long as you are having no problems with it. Others that I see advised on these boards is Avast and Avira. However, if AVG is working for you, I would say to stick with it. Hope I helped I Have AVG but every time they heal something it says file not foundI have: Avast anti virus Online Armor Firewall and program guard WinPatrol Spyware Blaster And do scans with: Malwarebytes Super Antispyware Advanced Windows Care Use Firefox 3 and Thunderbird It seems to work, but I am SURE others can give more knowledgeable advice. AVG 8 cause me nothing but problems, as did Zone ALARM firewall.Best Internet Security, eh? Kaspersky Internet Security seems to fit the title. (I have a lot of experience with Kaspersky and I like it a lot - not free)where can i get fromKaspersky? You will have to buy it.WITHOUT A DOUBT IN MY MIND AVAST IS THE BEST POSSIBLE INTERNET SECURITY! I'LL SWEAR TO YOU RIGHT HERE AND NOW, THAT IT IS THE BEST! FOR BOTH INTERNET AND GENERAL COMPUTER!!!!!!!!!!1111Quote from: kizza1645 on September 16, 2008, 03:37:00 AM WITHOUT A DOUBT IN MY MIND AVAST IS THE BEST POSSIBLE INTERNET SECURITY! I'LL SWEAR TO YOU RIGHT HERE AND NOW, THAT IT IS THE BEST! FOR BOTH INTERNET AND GENERAL COMPUTER!!!!!!!!!!1111 NO CAPSQuote from: kizza1645 on September 16, 2008, 03:37:00 AM WITHOUT A DOUBT IN MY MIND AVAST IS THE BEST POSSIBLE INTERNET SECURITY! I'LL SWEAR TO YOU RIGHT HERE AND NOW, THAT IT IS THE BEST! FOR BOTH INTERNET AND GENERAL COMPUTER!!!!!!!!!!1111 Can't be that good. It appears you have been infected with the ALLCAPSALLTHETIME virus. Quote from: Dell315 on September 14, 2008, 09:55:21 PM I have AVG. Is that the best security? I have done well with AVG but, the best Internet Security is,no modem.

2089.

Solve : What is the best Internet Security?

Answer»

I have AVG. Is that the best security?Well, there really isnt a "best" Internet Security, but MANY people on this board will recommend "AVG"(as long as you are having no problems with it. Others that I see advised on these boards is Avast and Avira. However, if AVG is working for you, I would say to stick with it. Hope I helped I Have AVG but every time they heal something it says file not foundI have:
Avast anti virus
Online Armor Firewall and program guard
WinPatrol
Spyware Blaster
And do scans with:
Malwarebytes
Super Antispyware
Advanced Windows Care

Use Firefox 3 and Thunderbird

It seems to work, but I am SURE others can give more knowledgeable advice.
AVG 8 cause me nothing but problems, as did Zone ALARM firewall.Best Internet Security, eh?

Kaspersky Internet Security seems to fit the title. (I have a lot of experience with Kaspersky and I like it a lot - not free)where can i get fromKaspersky? You will have to buy it.WITHOUT A DOUBT IN MY MIND AVAST IS THE BEST POSSIBLE INTERNET SECURITY! I'LL SWEAR TO YOU RIGHT HERE AND NOW, THAT IT IS THE BEST! FOR BOTH INTERNET AND GENERAL COMPUTER!!!!!!!!!!1111Quote from: kizza1645 on September 16, 2008, 03:37:00 AM

WITHOUT A DOUBT IN MY MIND AVAST IS THE BEST POSSIBLE INTERNET SECURITY! I'LL SWEAR TO YOU RIGHT HERE AND NOW, THAT IT IS THE BEST! FOR BOTH INTERNET AND GENERAL COMPUTER!!!!!!!!!!1111

NO CAPSQuote from: kizza1645 on September 16, 2008, 03:37:00 AM

WITHOUT A DOUBT IN MY MIND AVAST IS THE BEST POSSIBLE INTERNET SECURITY! I'LL SWEAR TO YOU RIGHT HERE AND NOW, THAT IT IS THE BEST! FOR BOTH INTERNET AND GENERAL COMPUTER!!!!!!!!!!1111

Can't be that good. It appears you have been infected with the ALLCAPSALLTHETIME virus.

Quote from: Dell315 on September 14, 2008, 09:55:21 PM

I have AVG. Is that the best security?

I have done well with AVG but, the best Internet Security is,no modem.

Discussion

2090.	Solve : I need your help please?
Answer» I am not computer savvy and I found these programs in my PC. Are any of them a spyware? Thank for your help in advance. ACDSee 8 Adobe Flash Player ActiveX Norton Security Scan ATI DISPLAY Driver Conexant 56K ACLink Modem Conexant AC-Link Audio Hijack This 1.99.1 HP WLAN 54g W450 Network Adapter J2SE Runtime Environment 5.0 Update 8 K-Lite Codec Pack 2.72 Full QuickTime Synaptics Pointing Device Driver Nope, none of them as I can see are spyware. You might want to update your Hijack This though.No one is able to help? Quote from: kpac on SEPTEMBER 15, 2008, 01:28:55 PM Nope, none of them as I can see are spyware. You might want to update your Hijack This though. Like kpac says, none of them are spyware. You could google them to find more information about them but they are not spywareQuote from: kpac on September 15, 2008, 01:28:55 PM Nope, none of them as I can see are spyware. You might want to update your Hijack This though. Download and INSTALL the newest version of the Java Runtime Environment NEXT: Download JavaRa Unzip the file and open the JavaRa.exe Click Remove Older Versions JavaRa will search for and remove any outdated version of Java and remove any that are found. Click Additional Tasks Place a check next to Remove Useless JRE Files and click Go Exit JavaRa Delete the JavaRa files from the Desktop . ---------- Use the Secunia Software Inspector Click Start Now Check the box next to Enable thorough system inspection. Click Start Allow the scan to finish and scroll down to see if any UPDATES are needed. Update anything listed. Thanks a lot. I have one more question please. I have a few email accounts with yahoo, hotmail... when I open an email and want to reply to it or forward - it pops up "holibyte.com" in that email - which is a company I worked for for a while. How do I remove it? Does the guy spy on me? Is there any way how he could see what I do on my computer? Sometimes when i log off I can see the message that someone else is connected. Sorry for my English. Do you mean a keylogger or something? Some companies install them on computers to log what employees are doing. Is this a company laptop/computer?

2090.

Solve : I need your help please?

Answer»

I am not computer savvy and I found these programs in my PC. Are any of them a spyware? Thank for your help in advance.

ACDSee 8
Adobe Flash Player ActiveX
Norton Security Scan
ATI DISPLAY Driver
Conexant 56K ACLink Modem
Conexant AC-Link Audio
Hijack This 1.99.1
HP WLAN 54g W450 Network Adapter
J2SE Runtime Environment 5.0 Update 8
K-Lite Codec Pack 2.72 Full
QuickTime
Synaptics Pointing Device Driver Nope, none of them as I can see are spyware. You might want to update your Hijack This though.No one is able to help? Quote from: kpac on SEPTEMBER 15, 2008, 01:28:55 PM

Nope, none of them as I can see are spyware. You might want to update your Hijack This though.

Like kpac says, none of them are spyware.

You could google them to find more information about them but they are not spywareQuote from: kpac on September 15, 2008, 01:28:55 PM

Nope, none of them as I can see are spyware. You might want to update your Hijack This though.

Download and INSTALL the newest version of the Java Runtime Environment

NEXT:

Download JavaRa

Unzip the file and open the JavaRa.exe
Click Remove Older Versions
JavaRa will search for and remove any outdated version of Java and remove any that are found.
Click Additional Tasks
Place a check next to Remove Useless JRE Files and click Go
Exit JavaRa
Delete the JavaRa files from the Desktop

.
----------

Use the Secunia Software Inspector

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any UPDATES are needed.
Update anything listed.

Thanks a lot. I have one more question please. I have a few email accounts with yahoo, hotmail... when I open an email and want to reply to it or forward - it pops up "holibyte.com" in that email - which is a company I worked for for a while. How do I remove it? Does the guy spy on me? Is there any way how he could see what I do on my computer? Sometimes when i log off I can see the message that someone else is connected. Sorry for my English. Do you mean a keylogger or something? Some companies install them on computers to log what employees are doing. Is this a company laptop/computer?

Discussion

2091.	Solve : Virus Alert in Toolbar. Already got Combofix logs.?
Answer» Hi there, I was able to get to this point from reading other peoples posts. This site is a real helper! I am so greatfull at how great you guys are! WOW. anyways, here is my Combofix log and Hijackthis logs [recovering disk space -- attachment deleted by admin]Is there an icon in your toolbar, a yellow triangle warning sign WELCOME to CH. Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there) - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2 - O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} - - O21 - SSODL: mgxfebsq - {7F2CD258-C7A5-421C-B7E4-50D8623A2B55} - C:\WINDOWS\mgxfebsq.dll Important: Close all windows except for HijackThis and then click Fix checked. Exit HijackThis. ---------- Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system Delete these files/folders, as follows: 1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad. 2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C Code: [Select]KillAll:: Folder:: C:\x File:: C:\WINDOWS\system32\2.ico C:\WINDOWS\system32\casino3.ico C:\WINDOWS\system32\casino2.ico C:\WINDOWS\system32\casino1.ico C:\WINDOWS\system32\1.ico C:\WINDOWS\vmgspntbnrp.dll C:\WINDOWS\dtseqrxk.dll C:\WINDOWS\mgxfebsq.dll C:\WINDOWS\fqbewlna.dll C:\WINDOWS\mqgldfvo.exe Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7287293E-B0BE-4A31-B52B-EA15F57679E3}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] [-HKEY_CLASSES_ROOT\clsid\{94e952a4-fae1-40e5-bbe1-8199d8cf7fd0}] [-HKEY_CLASSES_ROOT\fqbewlna.1] [-HKEY_CLASSES_ROOT\TypeLib\{0955BCF0-2DB3-4926-B985-1ED8F0894D73}] [-HKEY_CLASSES_ROOT\fqbewlna] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 3. Go to the Notepad window and click Edit > Paste 4. Then click File > Save 5. Name the file CFScript.txt - Save the file to your Desktop 6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the SCREENSHOT below. Important: Perform this instruction carefully! ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply. Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeHere is the log but for some reason it didnt reboot before giving me this log? [recovering disk space -- attachment deleted by admin] Download OTMoveIt2 by OldTimer Save it to your desktop. Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator. Double-click OTMoveIt2.exe to run it. Copy the lines in the codebox below. [/list]Code: [Select][kill explorer] C:\WINDOWS\system32\2.ico C:\WINDOWS\system32\casino3.ico C:\WINDOWS\system32\casino2.ico C:\WINDOWS\system32\casino1.ico C:\x C:\WINDOWS\system32\1.ico C:\WINDOWS\vmgspntbnrp.dll C:\WINDOWS\dtseqrxk.dll C:\WINDOWS\mgxfebsq.dll C:\WINDOWS\fqbewlna.dll C:\WINDOWS\mqgldfvo.exe HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7287293E-B0BE-4A31-B52B-EA15F57679E3} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{94E952A4-FAE1-40E5-BBE1-8199D8CF7FD0} HKEY_CLASSES_ROOT\clsid\{94e952a4-fae1-40e5-bbe1-8199d8cf7fd0} HKEY_CLASSES_ROOT\fqbewlna.1 HKEY_CLASSES_ROOT\TypeLib\{0955BCF0-2DB3-4926-B985-1ED8F0894D73} HKEY_CLASSES_ROOT\fqbewlna HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mgxfebsq EmptyTemp [start explorer] Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste Click the red Moveit! button. Copy everything in the Results window (under the green bar) and paste it in your next reply. Close OTMoveIt2 Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose YES. If not, reboot anyway.Here are my results. [recovering disk space -- attachment deleted by admin]Download Malwarebytes' Anti-Malware (MBAM) Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following: Update Malwarebytes' Anti-Malware Launch Malwarebytes' Anti-Malware Then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select Perform quick scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy and Paste the entire report in your next reply. . Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Here it is.. [recovering disk space -- attachment deleted by admin]How is everything now?Malwarebytes' Anti-Malware 1.28 Database version: 1147 Windows 5.1.2600 Service Pack 2 13/09/2008 10:44:33 PM mbam-log-2008-09-13 (22-44-33).txt Scan type: Full Scan (C:\\|D:\\|) Objects scanned: 192594 Time elapsed: 46 minute(s), 28 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 52 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\0.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\1.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\2.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\3.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\4.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\7.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\emnf.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\ccnrgh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\mmx98354.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\mx98354.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\ngysvesj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\opnkjklm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqoommN.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\swuewl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\tuvTMfCr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\vjtdfejx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\vtUlKBUO.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\wxwptowi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyYqnNh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\YUR4E5.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\YUR4E6.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\YUR4E8.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\YUR4EB.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\YUR506.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP541\A0112820.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112868.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112869.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112871.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112873.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112874.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112875.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112876.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112885.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112886.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112887.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112888.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112889.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112890.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112891.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112892.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112893.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112895.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112897.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112898.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112899.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112900.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112902.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112903.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112904.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112901.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\_OTMoveIt\MovedFiles\09132008_092408\x (Trojan.FakeAlert) -> Quarantined and deleted successfully. How does that look?Delete the copy of ComboFix you have now and use the new version. Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (FIREFOX, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. When finished ComboFix will produce a log for you. Post the ComboFix log and a new HijackThis log in your next reply. Important:** Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

2091.

Solve : Virus Alert in Toolbar. Already got Combofix logs.?

Answer»

Hi there, I was able to get to this point from reading other peoples posts. This site is a real helper! I am so greatfull at how great you guys are! WOW.

anyways, here is my Combofix log and Hijackthis logs

[recovering disk space -- attachment deleted by admin]Is there an icon in your toolbar, a yellow triangle warning sign WELCOME to CH.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
- O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
- O21 - SSODL: mgxfebsq - {7F2CD258-C7A5-421C-B7E4-50D8623A2B55} - C:\WINDOWS\mgxfebsq.dll

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

Folder::
C:\x

File::
C:\WINDOWS\system32\2.ico
C:\WINDOWS\system32\casino3.ico
C:\WINDOWS\system32\casino2.ico
C:\WINDOWS\system32\casino1.ico
C:\WINDOWS\system32\1.ico
C:\WINDOWS\vmgspntbnrp.dll
C:\WINDOWS\dtseqrxk.dll
C:\WINDOWS\mgxfebsq.dll
C:\WINDOWS\fqbewlna.dll
C:\WINDOWS\mqgldfvo.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7287293E-B0BE-4A31-B52B-EA15F57679E3}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

[-HKEY_CLASSES_ROOT\clsid\{94e952a4-fae1-40e5-bbe1-8199d8cf7fd0}]

[-HKEY_CLASSES_ROOT\fqbewlna.1]

[-HKEY_CLASSES_ROOT\TypeLib\{0955BCF0-2DB3-4926-B985-1ED8F0894D73}]

[-HKEY_CLASSES_ROOT\fqbewlna]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the SCREENSHOT below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeHere is the log but for some reason it didnt reboot before giving me this log?

[recovering disk space -- attachment deleted by admin]

Download OTMoveIt2 by OldTimer

Save it to your desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

Double-click OTMoveIt2.exe to run it.
Copy the lines in the codebox below.

[/list]Code: [Select][kill explorer]
C:\WINDOWS\system32\2.ico
C:\WINDOWS\system32\casino3.ico
C:\WINDOWS\system32\casino2.ico
C:\WINDOWS\system32\casino1.ico
C:\x
C:\WINDOWS\system32\1.ico
C:\WINDOWS\vmgspntbnrp.dll
C:\WINDOWS\dtseqrxk.dll
C:\WINDOWS\mgxfebsq.dll
C:\WINDOWS\fqbewlna.dll
C:\WINDOWS\mqgldfvo.exe
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7287293E-B0BE-4A31-B52B-EA15F57679E3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{94E952A4-FAE1-40E5-BBE1-8199D8CF7FD0}
HKEY_CLASSES_ROOT\clsid\{94e952a4-fae1-40e5-bbe1-8199d8cf7fd0}
HKEY_CLASSES_ROOT\fqbewlna.1
HKEY_CLASSES_ROOT\TypeLib\{0955BCF0-2DB3-4926-B985-1ED8F0894D73}
HKEY_CLASSES_ROOT\fqbewlna
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mgxfebsq
EmptyTemp
[start explorer]

Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose YES. If not, reboot anyway.Here are my results.

[recovering disk space -- attachment deleted by admin]Download Malwarebytes' Anti-Malware (MBAM)

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply.

.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Here it is..

[recovering disk space -- attachment deleted by admin]How is everything now?Malwarebytes' Anti-Malware 1.28
Database version: 1147
Windows 5.1.2600 Service Pack 2

13/09/2008 10:44:33 PM
mbam-log-2008-09-13 (22-44-33).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 192594
Time elapsed: 46 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 52

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\0.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\1.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\2.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\3.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\4.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\PCHealthCenter\7.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\emnf.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ccnrgh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmx98354.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mx98354.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ngysvesj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\opnkjklm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqoommN.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\swuewl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tuvTMfCr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vjtdfejx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtUlKBUO.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wxwptowi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyYqnNh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\YUR4E5.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\YUR4E6.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\YUR4E8.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\YUR4EB.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\YUR506.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP541\A0112820.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112868.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112869.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112871.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112873.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112874.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112875.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112876.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112885.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112886.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112887.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112888.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112889.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112890.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112891.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112892.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112893.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112895.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112897.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112898.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112899.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112900.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112902.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112903.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112904.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{97AF48F9-1888-4A08-B210-5534F302F4BA}\RP542\A0112901.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\09132008_092408\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
How does that look?Delete the copy of ComboFix you have now and use the new version.

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (FIREFOX, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

Discussion

2092.	Solve : Zlob virus??
Answer» A couple hours ago I came across a website that looked like a phishing/highjacking site and I thought that if I just hit the back button on my browser I could get away from it. Now I realize I should've gone with alt + f4 because I think I got caught by the zlob. My desktop is blue, and computer speed is extremely slow. I found my way to the "Read this before requesting malware removal HELP" thread and have been going along smoothly. I am stuck now, I cannot download the Super Anti Spyware. When I click on the link in the post it leads me to an error (cannot connect) page. When I search for anything related to virus or spyware using yahoo or google I get redirected to ad pages. What do I do now?Can you post any logs? (preferably a HijackThis) What about in Safe Mode With Networking?I managed to download HijackThis, MBAM, and SuperAntiSpyware. I completed the steps pertaining to HijackThis and MBAM. I cannot install SAS, an error message comes up saying "system administrator does not allow this installation"... or something like that. So here are the HijackThis and MBAM logs. [recovering disk space -- attachment deleted by admin]Can you get a HijackThis log from Normal boot mode?Yep, here is the HijackThis from normal mode. [recovering disk space -- attachment deleted by admin]Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there) - O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) - O3 - Toolbar: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file) - O8 - Extra context menu item: &Search - ?p=ZCfox000 - O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - (no file) (HKCU) - O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm (file missing) (HKCU) Important: Close all windows except for HijackThis and then click Fix checked. Exit HijackThis, run CCleaner and restart the computer to register the changes made by HijackThis. ---------- Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is SAVED directly to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. When finished ComboFix will produce a log for you. Post the ComboFix log and a new HijackThis log in your next reply. Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.Done, thanks. Here are the logs. [recovering disk space -- attachment deleted by admin]Download SDFix by AndyManchesta and save it to your desktop. When using this tool, you must use the Administrator's account or an account with Administrative rights Double click SDFix.exe** and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet. Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Open the SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. Copy and paste the contents of the results file Report.txt in your next reply[/b]. While the SDFix was running a message kept popping up saying the Symantec dll application failed... I clicked close but it kept popping up, then I clicked Ignore and it finally started scanning. If that was referring to Symantec security I deleted that several months ago and now use another security program. Here is the Report.txt log: SDFix: Version 1.226 Run by HP_Administrator on Fri 09/19/2008 at 04:20 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : No Trojan Files Found Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-19 16:28:51 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv] "start"=dword:00000001 "type"=dword:00000001 "imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys" scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe::Enabled:hpqtra08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe::Enabled:hpqste08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe::Enabled:hpofxm08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe::Enabled:hposfx08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe::Enabled:hposid01.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe::Enabled:hpqscnvw.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe::Enabled:hpqkygrp.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe::Enabled:hpqcopy.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe::Enabled:hpfccopy.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe::Enabled:hpzwiz01.exe" "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe::Enabled:hpqphunl.exe" "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe::Enabled:hpqdia.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe::Enabled:hpoews01.exe" "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe::Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe::Enabled:Yahoo! FT Server" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe::Enabled:LimeWire" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe::Enabled:avgupd.exe" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe::enabled:iTunes" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger" "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe::Enabled:Windows Live Messenger (Phone)" "C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe::Enabled:Updates from HP" Remaining Files : Files with Hidden Attributes : Finished! Download the Norton Removal Tool (SymNRT) to your Desktop. Once downloaded please close ALL open browsers, also save any work because this may require a restart. Go to your desktop and double click on the removal tool and then click Setup. Once open Click Next Accept the license agreement and click Next Type in the letters/numbers that you see into the text box then click Next. Then click Next and the tool will start running. Once finished restart the PC and run the tool again to ensure everything has been removed. . ---------- Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system Delete these files/folders, as follows: 1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad. 2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C Code: [Select]KillAll:: Driver:: TDSSSERV TDSSserv 3. Go to the Notepad window and click Edit > Paste 4. Then click File > Save 5. Name the file CFScript.txt - Save the file to your Desktop 6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully! ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply. Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeGood, that Symantec error didn't pop up this time. Here is the log. ComboFix 08-09-19.04 - HP_Administrator 2008-09-19 17:51:44.2 - NTFSx86 Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 ))))))))))))))))))))))))))))))) . 2008-09-19 17:33 . 2008-09-19 17:33d--------C:\Documents and Settings\All Users\Application Data\NortonInstaller 2008-09-19 16:18 . 2008-09-19 16:18d--------C:\WINDOWS\ERUNT 2008-09-19 15:52 . 2008-09-19 16:40d--------C:\SDFix 2008-09-19 10:28 . 2008-09-19 10:30d--------C:\Program Files\Trend Micro 2008-09-19 10:10 . 2008-09-19 10:10d--------C:\Program Files\Malwarebytes Anti-Malware 2008-09-19 10:10 . 2008-09-19 10:10d--------C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes 2008-09-19 10:10 . 2008-09-19 10:10d--------C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-19 10:10 . 2008-09-10 00:0438,528--a------C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-09-19 10:10 . 2008-09-10 00:0317,200--a------C:\WINDOWS\system32\drivers\mbam.sys 2008-09-19 09:57 . 2008-09-19 09:57d--------C:\Program Files\Common Files\Wise Installation Wizard 2008-09-19 01:32 . 2008-09-19 01:32d--------C:\Program Files\CCleaner 2008-09-19 01:28 . 2008-09-19 16:46d--------C:\WINDOWS\system32\CatRoot_bak 2008-09-18 23:27 . 2008-09-18 23:27d--hs----C:\WINDOWS\ftpcache 2008-09-18 23:27 . 2008-09-18 23:27917,504--a------C:\WINDOWS\system32\FLASH.OCX 2008-09-18 19:37 . 2008-09-18 21:07d--------C:\WINDOWS\system32\config\systemprofile\Application Data\AVGTOOLBAR . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-09-19 22:01---------d-----WC:\Program Files\lx_cats 2008-09-19 19:04---------d-----wC:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-09-19 04:38---------d-----wC:\Documents and Settings\All Users\Application Data\avg8 2008-09-19 00:18---------d-----wC:\Program Files\Spybot - Search & Destroy 2008-09-13 17:54---------d-----wC:\Documents and Settings\HP_Administrator\Application Data\NCH Swift Sound 2008-08-31 18:1197,928----a-wC:\WINDOWS\system32\drivers\avgldx86.sys 2008-08-28 01:25---------d-----wC:\Documents and Settings\HP_Administrator\Application Data\OpenOffice.org2 2008-08-17 02:43---------d-----wC:\Documents and Settings\All Users\Application Data\NCH Swift Sound 2008-08-15 22:40---------d-----wC:\Program Files\Common Files\xing shared 2008-08-15 22:39---------d-----wC:\Program Files\Common Files\Real 2008-08-15 21:17---------d-----wC:\Program Files\LimeWire 2008-08-13 02:08---------d-----wC:\Program Files\Microsoft Silverlight 2008-08-08 02:48---------d-----wC:\Documents and Settings\HP_Administrator\Application Data\AdobeUM 2008-08-04 16:04---------d-----wC:\Program Files\Lexmark Toolbar 2008-08-04 16:04---------d-----wC:\Program Files\Lexmark 2400 Series 2008-07-29 19:46---------d-----wC:\Program Files\QuickTime 2008-07-28 22:43---------d-----wC:\Program Files\Reference Assemblies 2008-07-28 22:43---------d-----wC:\Program Files\MSBuild 2008-07-23 03:5326,926----a-wC:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat 2007-12-13 21:0721,321,008-c--a-wC:\Program Files\QuickTimeInstaller.exe 2007-09-20 21:3931-c--a-wC:\Documents and Settings\HP_Administrator\b289484.dll 2007-09-20 21:3930-c--a-wC:\Documents and Settings\HP_Administrator\p289484.dll 2007-07-04 01:54785,160-c--a-wC:\Program Files\WindowsMediaPlayer10.exe 2007-04-26 00:170-c-h--wC:\Program Files\AppUpdate.log 2007-04-04 23:566,372-c--a-wC:\Program Files\Uninst.isu 2006-04-22 22:43774,144-c--a-wC:\Program Files\RngInterstitial.dll 2005-12-29 22:58251-c--a-wC:\Program Files\wt3d.ini 2001-11-08 05:49405,504-c--a-wC:\Program Files\SStylerProDemo.exe 2001-11-08 03:04163,840-c--a-wC:\Program Files\AdvCtrl.dll 2001-11-08 03:0240,960-c--a-wC:\Program Files\AdvDlg.dll 2001-11-08 02:58135,168-c--a-wC:\Program Files\CDib24.dll 2001-10-02 06:0151----a-wC:\Program Files\Mail.url 2001-10-02 06:0150----a-wC:\Program Files\Web.url 2001-10-01 18:143,858-c--a-wC:\Program Files\read.me 2001-10-01 17:322,019-c--a-wC:\Program Files\license.txt . ((((((((((((((((((((((((((((( [emailprotected]_15.29.30.37 ))))))))))))))))))))))))))))))))))))))))) . + 2008-08-07 20:27:04163,328----a-wC:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE + 2008-09-19 20:18:256,823,936----a-wC:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat + 2008-09-19 20:18:251,392,640----a-wC:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2008-08-07 20:27:04163,328----a-wC:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE + 2008-09-19 20:18:236,823,936----a-wC:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat + 2008-09-19 20:18:231,392,640----a-wC:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512] "HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152] "HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760] "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-10 253952] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248] "tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2005-08-31 1277952] "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-31 1235736] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696] "lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-03-06 286720] "EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304] "LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-15 185896] "SMSERIAL"="sm56hlpr.exe" [2005-01-24 C:\WINDOWS\sm56hlpr.exe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] -ra--c--- 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"= R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-31 97928] R3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-10 12672] S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2008-02-21 19712] S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [ ] S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2008-02-21 18304] S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [ ] . Contents of the 'Scheduled Tasks' folder 2008-09-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57] . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-19 17:59:48 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\ehome\ehrecvr.exe C:\WINDOWS\ehome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\lxcrcoms.exe C:\hp\KBD\kbd.exe C:\WINDOWS\system32\imapi.exe . ********************************************************************** . Completion time: 2008-09-19 18:11:27 - machine was rebooted ComboFix-quarantined-files.txt 2008-09-19 22:11:09 ComboFix2.txt 2008-09-19 19:29:55 Pre-Run: 176,555,810,816 bytes free Post-Run: 176,572,583,936 bytes free 183--- E O F ---2008-09-19 13:44:40 Looks good. Let's do some cleanup and then a final scan. Next: Go to Start > Control Panel > Internet Options In the General tab, Temporary Internet Files, click:Delete Files When prompted, check:Delete all offline content You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.) Click OK Then, go to Start > Run and enter: cleanmgr Select the drive to clean: C:\ Check the following boxes and then press OK to remove: Temporary Files Temporary Internet Files RecycleBin Agree to the prompt to perform the action... Next: Download ATF Cleaner by Atribune and save it to your Desktop Follow the instructions for the browser you use. Read the instructions about the cookies. Delete what you do not need. Double click ATF-Cleaner.exe to run the program. Check the boxes to the left of: Windows Temp Current User Temp All Users Temp Temporary Internet Files Java Cache The rest are optional - if you want to remove everything, check Select All Finally click Empty Selected. When you get the "Done Cleaning" message, click OK. If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well. When you have finished, click on the Exit button in the Main menu. ---------- Click START then RUN Now type Combofix /u in the runbox MAKE sure there's a space between Combofix and /u Then hit Enter. The above procedure will: Delete the following: ComboFix and its associated files and folders. Reset the clock settings. Hide file extensions, if required. Hide System/Hidden files, if required. Set a new, clean Restore Point. . ---------- Download OTCleanIt.exe and save it to your Desktop. Double-click OTCleanIt.exe. Click the CleanUp! button. Select Yes when the "Begin cleanup Process?" prompt appears. If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes, if not delete it yourself. . ---------- Disable the System Restore Utility to prevent re-infection from an old one 1) Right click the My Computer icon on the Desktop and click on Properties. 2) Click on the System Restore tab. 3) Put a check mark next to Turn off System Restore on All Drives 4) Click the OK button. 5) You will be prompted to restart the computer. Click the Yes button. Now re-enable System Restore To re-enable the System Restore Utility, follow steps one to five and on STEP three remove the check mark next to 'Turn off System Restore on All Drives'. 1) Right click the My Computer icon on the Desktop and click on Properties. 2) Click on the System Restore tab. 3) Remove the check mark next to Turn off System Restore on All Drives** 4) Click the OK button. ---------- Run this online scan. Requires Internet Explorer Use the ESET Nod32 Online Scanner 1. Check the box next to YES, I accept the Terms of Use. 2. Click Start 3. When asked, allow the activex control to install 4. Click Start 5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked. 6. Click Scan 7. Wait for the scan to finish 8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt 9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply [/list]Log from ESET scan. # version=4 # OnlineScanner.ocx=1.0.0.635 # OnlineScannerDLLA.dll=1, 0, 0, 79 # OnlineScannerDLLW.dll=1, 0, 0, 78 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3457 (20080919) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.066 (20070917) # EOSSerial=8628e1e1d8e68c44970de2b49ab03713 # end=finished # remove_checked=true # unwanted_checked=true # utc_time=2008-09-20 01:00:11 # local_time=2008-09-19 09:00:11 (-0500, Eastern Daylight Time) # country="United States" # osver=5.1.2600 NT Service Pack 2 # scanned=629565 # found=1 # scan_time=4428 C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dllWin32/Toolbar.MyWebSearch application (unable to clean - deleted)00000000000000000000000000000000 Looks fine. Is everything running OK now? Use the Secunia Software Inspector to check for out of date software. Click Start Now Check the box next to Enable thorough system inspection. Click Start Allow the scan to finish and scroll down to see if any updates are needed. Update anything listed. . ---------- Go to Microsoft Windows Update and get all critical updates. ---------- Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC. Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript To prevent unknown applications from being installed on your computer install WinPatrol 2008 * Using Winpatrol to protect your computer from malicious software I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.Yep, everything is running great again. Thank you so much! I'm going to try those tips you gave me as well. Thanks again!

2092.

Solve : Zlob virus??

Answer»

A couple hours ago I came across a website that looked like a phishing/highjacking site and I thought that if I just hit the back button on my browser I could get away from it. Now I realize I should've gone with alt + f4 because I think I got caught by the zlob. My desktop is blue, and computer speed is extremely slow. I found my way to the "Read this before requesting malware removal HELP" thread and have been going along smoothly. I am stuck now, I cannot download the Super Anti Spyware. When I click on the link in the post it leads me to an error (cannot connect) page. When I search for anything related to virus or spyware using yahoo or google I get redirected to ad pages. What do I do now?Can you post any logs? (preferably a HijackThis)

What about in Safe Mode With Networking?I managed to download HijackThis, MBAM, and SuperAntiSpyware. I completed the steps pertaining to HijackThis and MBAM. I cannot install SAS, an error message comes up saying "system administrator does not allow this installation"... or something like that. So here are the HijackThis and MBAM logs.

[recovering disk space -- attachment deleted by admin]Can you get a HijackThis log from Normal boot mode?Yep, here is the HijackThis from normal mode.

[recovering disk space -- attachment deleted by admin]Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
- O3 - Toolbar: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
- O8 - Extra context menu item: &Search - ?p=ZCfox000
- O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - (no file) (HKCU)
- O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm (file missing) (HKCU)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis, run CCleaner and restart the computer to register the changes made by HijackThis.

----------

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is SAVED directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.Done, thanks.

Here are the logs.

[recovering disk space -- attachment deleted by admin]Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights

Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply[/b].

While the SDFix was running a message kept popping up saying the Symantec dll application failed... I clicked close but it kept popping up, then I clicked Ignore and it finally started scanning. If that was referring to Symantec security I deleted that several months ago and now use another security program.

Here is the Report.txt log:

SDFix: Version 1.226
Run by HP_Administrator on Fri 09/19/2008 at 04:20 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 16:28:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"

Remaining Files :

Files with Hidden Attributes :

Finished!

Download the Norton Removal Tool (SymNRT) to your Desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

Go to your desktop and double click on the removal tool and then click Setup.
Once open Click Next
Accept the license agreement and click Next
Type in the letters/numbers that you see into the text box then click Next.
Then click Next and the tool will start running.
Once finished restart the PC and run the tool again to ensure everything has been removed.

.
----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

Driver::
TDSSSERV
TDSSserv
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freezeGood, that Symantec error didn't pop up this time. Here is the log.

ComboFix 08-09-19.04 - HP_Administrator 2008-09-19 17:51:44.2 - NTFSx86
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
.

2008-09-19 17:33 . 2008-09-19 17:33d--------C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-19 16:18 . 2008-09-19 16:18d--------C:\WINDOWS\ERUNT
2008-09-19 15:52 . 2008-09-19 16:40d--------C:\SDFix
2008-09-19 10:28 . 2008-09-19 10:30d--------C:\Program Files\Trend Micro
2008-09-19 10:10 . 2008-09-19 10:10d--------C:\Program Files\Malwarebytes Anti-Malware
2008-09-19 10:10 . 2008-09-19 10:10d--------C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-09-19 10:10 . 2008-09-19 10:10d--------C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-19 10:10 . 2008-09-10 00:0438,528--a------C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-19 10:10 . 2008-09-10 00:0317,200--a------C:\WINDOWS\system32\drivers\mbam.sys
2008-09-19 09:57 . 2008-09-19 09:57d--------C:\Program Files\Common Files\Wise Installation Wizard
2008-09-19 01:32 . 2008-09-19 01:32d--------C:\Program Files\CCleaner
2008-09-19 01:28 . 2008-09-19 16:46d--------C:\WINDOWS\system32\CatRoot_bak
2008-09-18 23:27 . 2008-09-18 23:27d--hs----C:\WINDOWS\ftpcache
2008-09-18 23:27 . 2008-09-18 23:27917,504--a------C:\WINDOWS\system32\FLASH.OCX
2008-09-18 19:37 . 2008-09-18 21:07d--------C:\WINDOWS\system32\config\systemprofile\Application Data\AVGTOOLBAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 22:01---------d-----WC:\Program Files\lx_cats
2008-09-19 19:04---------d-----wC:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 04:38---------d-----wC:\Documents and Settings\All Users\Application Data\avg8
2008-09-19 00:18---------d-----wC:\Program Files\Spybot - Search & Destroy
2008-09-13 17:54---------d-----wC:\Documents and Settings\HP_Administrator\Application Data\NCH Swift Sound
2008-08-31 18:1197,928----a-wC:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-28 01:25---------d-----wC:\Documents and Settings\HP_Administrator\Application Data\OpenOffice.org2
2008-08-17 02:43---------d-----wC:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-08-15 22:40---------d-----wC:\Program Files\Common Files\xing shared
2008-08-15 22:39---------d-----wC:\Program Files\Common Files\Real
2008-08-15 21:17---------d-----wC:\Program Files\LimeWire
2008-08-13 02:08---------d-----wC:\Program Files\Microsoft Silverlight
2008-08-08 02:48---------d-----wC:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2008-08-04 16:04---------d-----wC:\Program Files\Lexmark Toolbar
2008-08-04 16:04---------d-----wC:\Program Files\Lexmark 2400 Series
2008-07-29 19:46---------d-----wC:\Program Files\QuickTime
2008-07-28 22:43---------d-----wC:\Program Files\Reference Assemblies
2008-07-28 22:43---------d-----wC:\Program Files\MSBuild
2008-07-23 03:5326,926----a-wC:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-12-13 21:0721,321,008-c--a-wC:\Program Files\QuickTimeInstaller.exe
2007-09-20 21:3931-c--a-wC:\Documents and Settings\HP_Administrator\b289484.dll
2007-09-20 21:3930-c--a-wC:\Documents and Settings\HP_Administrator\p289484.dll
2007-07-04 01:54785,160-c--a-wC:\Program Files\WindowsMediaPlayer10.exe
2007-04-26 00:170-c-h--wC:\Program Files\AppUpdate.log
2007-04-04 23:566,372-c--a-wC:\Program Files\Uninst.isu
2006-04-22 22:43774,144-c--a-wC:\Program Files\RngInterstitial.dll
2005-12-29 22:58251-c--a-wC:\Program Files\wt3d.ini
2001-11-08 05:49405,504-c--a-wC:\Program Files\SStylerProDemo.exe
2001-11-08 03:04163,840-c--a-wC:\Program Files\AdvCtrl.dll
2001-11-08 03:0240,960-c--a-wC:\Program Files\AdvDlg.dll
2001-11-08 02:58135,168-c--a-wC:\Program Files\CDib24.dll
2001-10-02 06:0151----a-wC:\Program Files\Mail.url
2001-10-02 06:0150----a-wC:\Program Files\Web.url
2001-10-01 18:143,858-c--a-wC:\Program Files\read.me
2001-10-01 17:322,019-c--a-wC:\Program Files\license.txt
.

((((((((((((((((((((((((((((( [emailprotected]_15.29.30.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04163,328----a-wC:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-09-19 20:18:256,823,936----a-wC:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-09-19 20:18:251,392,640----a-wC:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04163,328----a-wC:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-09-19 20:18:236,823,936----a-wC:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-09-19 20:18:231,392,640----a-wC:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-10 253952]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2005-08-31 1277952]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-31 1235736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-03-06 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-15 185896]
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 C:\WINDOWS\sm56hlpr.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra--c--- 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-31 97928]
R3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-10 12672]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2008-02-21 19712]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [ ]
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2008-02-21 18304]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-09-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 17:59:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\hp\KBD\kbd.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-09-19 18:11:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-19 22:11:09
ComboFix2.txt 2008-09-19 19:29:55

Pre-Run: 176,555,810,816 bytes free
Post-Run: 176,572,583,936 bytes free

183--- E O F ---2008-09-19 13:44:40
Looks good. Let's do some cleanup and then a final scan.

Next:

Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click:Delete Files
When prompted, check:Delete all offline content
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start > Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:

Temporary Files
Temporary Internet Files
RecycleBin

Agree to the prompt to perform the action...

Next:

Download ATF Cleaner by Atribune and save it to your Desktop
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache

The rest are optional - if you want to remove everything, check Select All
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.

----------

Click START then RUN
Now type Combofix /u in the runbox
MAKE sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

.
----------

Download OTCleanIt.exe and save it to your Desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it yourself.

.
----------

Disable the System Restore Utility to prevent re-infection from an old one

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on STEP three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.

----------

Run this online scan. Requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply [/list]Log from ESET scan.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3457 (20080919)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=8628e1e1d8e68c44970de2b49ab03713
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-09-20 01:00:11
# local_time=2008-09-19 09:00:11 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=629565
# found=1
# scan_time=4428
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dllWin32/Toolbar.MyWebSearch application (unable to clean - deleted)00000000000000000000000000000000
Looks fine.

Is everything running OK now?

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.Yep, everything is running great again. Thank you so much! I'm going to try those tips you gave me as well. Thanks again!

Discussion

2093.	Solve : I got a virus again.....?
Answer» Ill get the logs.here they are Evil [recovering disk space -- attachment deleted by admin]Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:41:52 PM, on 9/19/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) BOOT mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\nvraidservice.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe c:\PROGRA~1\mcafee\msc\mcuimgr.exe C:\WINDOWS\system32\ntvdm.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080611 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080611 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- End of file - 7062 bytes im going to reboot Reboot is normal And faster... Nothing weird happens. But heres what happen I just got a music CD I bought off Amazon. so. I popped it in so I can RIP the songs to my library but it didnt bring me to A window asking me If I want to play the CD. it brang me to "Winstart.exe" so I am concered if this file is harmful I did a search on bleeping computer and apparently its Good but It is also easily hijacked. Nothing is wrong with my computer and I dont think this File is malicious Due to the fact that It played my CD. It had a menu with lyrics and others. But I still think its harmful. Tell me what you find and BTW I couldnt Rename HJT to sniper ------------------------------------------------------------------------------------------------------ Im gonna go play assassins creed.Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved DIRECTLY to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. CLICK this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. When finished ComboFix will produce a log for you. Post the ComboFix log and a new HijackThis log in your next reply. Important:** Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.Hey Mcaffee wont let me disable how do you do it?McAfee is like that. just run it anyway, if McAfee tries to block it then just allow it to run.Quote from: evilfantasy on September 19, 2008, 06:12:39 PM McAfee is like that. just run it anyway, if McAfee tries to block it then just allow it to run. K.

2093.

Solve : I got a virus again.....?

Answer»

Ill get the logs.here they are Evil

[recovering disk space -- attachment deleted by admin]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:52 PM, on 9/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
BOOT mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080611
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080611
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7062 bytes

im going to reboot

Reboot is normal And faster...

Nothing weird happens.

But heres what happen I just got a music CD I bought off Amazon.

so. I popped it in so I can RIP the songs to my library

but it didnt bring me to A window asking me If I want to play the CD.

it brang me to "Winstart.exe" so I am concered if this file is harmful I did a search on bleeping computer and apparently its Good but It is also easily hijacked.

Nothing is wrong with my computer and I dont think this File is malicious
Due to the fact that It played my CD.

It had a menu with lyrics and others.

But I still think its harmful.
Tell me what you find and BTW I couldnt Rename HJT to sniper

------------------------------------------------------------------------------------------------------

Im gonna go play assassins creed.Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved DIRECTLY to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. CLICK this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.Hey Mcaffee wont let me disable how do you do it?McAfee is like that. just run it anyway, if McAfee tries to block it then just allow it to run.Quote from: evilfantasy on September 19, 2008, 06:12:39 PM

McAfee is like that. just run it anyway, if McAfee tries to block it then just allow it to run.

K.

Discussion

2094.	Solve : very laggy?
Answer» ok when i play games like counter strike source.. if anyone is familiar with this game they will know that it shows your latency in the side... a couple of days ago my latency in this one server used to be around 64 now it it around like 150 and it will jump to like 300 and stuff real fast. I have WEP and Mac filtering on my linksys. I was wondering why this happens and could it be from a virus or anything or is it just my linksys. please help i will post anything YALL want me to. I have windows xp and i read i should post a hijack log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:47:40 PM, on 9/19/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet EXPLORER v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: F:\WINDOWS\System32\smss.exe F:\WINDOWS\system32\winlogon.exe F:\WINDOWS\system32\services.exe F:\WINDOWS\system32\lsass.exe F:\WINDOWS\system32\svchost.exe F:\WINDOWS\System32\svchost.exe F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe F:\Program Files\Alwil Software\Avast4\ashServ.exe F:\WINDOWS\Explorer.EXE F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe F:\WINDOWS\system32\RUNDLL32.EXE F:\WINDOWS\RTHDCPL.EXE F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe F:\WINDOWS\system32\ctfmon.exe F:\program files\steam\steam.exe F:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe F:\WINDOWS\system32\spoolsv.exe F:\WINDOWS\system32\nvsvc32.exe F:\WINDOWS\system32\PnkBstrA.exe F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe F:\Program Files\Alwil Software\Avast4\ashWebSv.exe F:\Program Files\Mozilla Firefox\firefox.exe F:\Program Files\Trend Micro\HijackThis\HijackThis.exe R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\Userinit.exe O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file) O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file) O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file) O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - F:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL O2 - BHO: (no name) - {A20854FD-DDB5-4931-8F76-D11EA2364D94} - (no file) O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file) O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: (no name) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - (no file) O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file) O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\PROGRA~1\FlashGet\getflash.dll O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file) O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file) O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - F:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - F:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [swg] F:\WINDOWS\system32\regsvr32.exe O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] F:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PlayNC Launcher] F:\program files\ncsoft\launcher\NCLauncher.exe /Minimized O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [SpeedConnectStartUp] F:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] F:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O8 - Extra context menu item: Download All by FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: Fly - F:\WINDOWS\ O20 - Winlogon Notify: Love - F:\WINDOWS\ O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: eAcceleration Notification Service (eac_notifysvc) - Unknown owner - F:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe (file missing) O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - Unknown owner - F:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe (file missing) O23 - Service: McAfee E-mail Proxy (Emproxy) - Unknown owner - F:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - F:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing) O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing) O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - f:\program files\common files\mcafee\mna\mcnasvc.exe (file missing) O23 - Service: McAfee Scanner (McODS) - Unknown owner - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing) O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - F:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing) O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - f:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing) O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing) O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe -- End of file - 9198 bytes Disable Spybot's TeaTimer While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean. 1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident 2. Run Spybot S&D 3. Go to the Mode menu, and make sure Advanced Mode is selected. 4. On the left hand side, choose Tools > Resident uncheck Resident TeaTimer and OK any prompt and Restart your computer. Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it. If TeaTimer will not turn off then uninstall Spybot until we are done cleaning. ---------- Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there) - F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\Userinit.exe - O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file) - O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) - O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file) - O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) - O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file) - O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file) - O2 - BHO: (no name) - {A20854FD-DDB5-4931-8F76-D11EA2364D94} - (no file) - O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file) - O2 - BHO: (no name) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - (no file) - O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file) - O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file) - O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file) Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis and restart the computer to register the changes. ---------- Download Malwarebytes' Anti-Malware (MBAM) Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following: Update Malwarebytes' Anti-Malware Launch Malwarebytes' Anti-Malware Then click Finish. If an update is FOUND, it will download and install the latest version. Once the program has loaded, select Perform quick scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When DISINFECTION is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy and Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. ---------- Now run a new HijackThis scan and post that log along with the MBAM log.

2094.

Solve : very laggy?

Answer»

ok when i play games like counter strike source.. if anyone is familiar with this game they will know that it shows your latency in the side... a couple of days ago my latency in this one server used to be around 64 now it it around like 150 and it will jump to like 300 and stuff real fast. I have WEP and Mac filtering on my linksys. I was wondering why this happens and could it be from a virus or anything or is it just my linksys. please help i will post anything YALL want me to. I have windows xp and i read i should post a hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:40 PM, on 9/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet EXPLORER v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\program files\steam\steam.exe
F:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - F:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: (no name) - {A20854FD-DDB5-4931-8F76-D11EA2364D94} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - (no file)
O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - F:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - F:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] F:\WINDOWS\system32\regsvr32.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] F:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlayNC Launcher] F:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpeedConnectStartUp] F:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] F:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: Download All by FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Fly - F:\WINDOWS\
O20 - Winlogon Notify: Love - F:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - Unknown owner - F:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe (file missing)
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - Unknown owner - F:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - Unknown owner - F:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - F:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - f:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - F:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Redirector Service (McRedirector) - Unknown owner - f:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 9198 bytes
Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident
uncheck Resident TeaTimer and OK any prompt and Restart your computer.

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\Userinit.exe
- O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)
- O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
- O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
- O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
- O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
- O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
- O2 - BHO: (no name) - {A20854FD-DDB5-4931-8F76-D11EA2364D94} - (no file)
- O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
- O2 - BHO: (no name) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - (no file)
- O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
- O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
- O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis and restart the computer to register the changes.

----------

Download Malwarebytes' Anti-Malware (MBAM)

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
If an update is FOUND, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When DISINFECTION is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

----------

Now run a new HijackThis scan and post that log along with the MBAM log.

Discussion

2095.	Solve : Help me completely clean Virumonde please?
Answer» Click START then RUN Now type Combofix /u in the runbox Make sure there's a space between Combofix and /u Then hit Enter. . . The above procedure will: Delete: ComboFix and its associated files and folders. VundoFix backups, if present The C:\Deckard folder, if present The C:_OtMoveIt folder, if present Reset the clock settings. Hide file extensions, if required. Hide System/Hidden files, if required. Set a new, clean Restore Point. . ---------- Download JAVARA Unzip the file and open the JavaRa.exe Click Remove Older Versions JavaRa will search for and remove any outdated version of Java and remove any that are found. Click Additional Tasks Place a check next to Remove Useless JRE Files and click Go Exit JavaRa Delete the JavaRa files from the Desktop . ---------- Set a New Restore Point to prevent possible reinfection from an old one Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed. Go to Start > Programs > Accessories > System Tools and click System Restore Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create. The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. Next go to Start > Run and type Cleanmgr Click OK Click the More OPTIONS Tab. Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one. You can find instructions on how to enable and re-enable system restore here: Windows XP System Restore GUIDE or Windows Vista System Restore Guide . ---------- Use the Secunia Software Inspector to check for out of date software. Click Start Now Check the box next to Enable thorough system inspection. Click Start Allow the scan to finish and scroll down to see if any updates are needed. Update anything listed. . ---------- Go to Microsoft Windows Update and get all critical updates. ---------- Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC. Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript To prevent unknown applications from being INSTALLED on your computer install WinPatrol 2008 * Using Winpatrol to protect your computer from malicious software I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being ADDED to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

2095.

Solve : Help me completely clean Virumonde please?

Answer»

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

.
.
The above procedure will:

Delete:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

.
----------
Download JAVARA

Unzip the file and open the JavaRa.exe
Click Remove Older Versions
JavaRa will search for and remove any outdated version of Java and remove any that are found.
Click Additional Tasks
Place a check next to Remove Useless JRE Files and click Go
Exit JavaRa
Delete the JavaRa files from the Desktop

.
----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

Go to Start > Programs > Accessories > System Tools and click System Restore
Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Next go to Start > Run and type Cleanmgr
Click OK
Click the More OPTIONS Tab.
Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore GUIDE or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being INSTALLED on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being ADDED to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Discussion

2096.	Solve : comptuer is running a little strangley?
Answer» Hi My laptop is a Toshiba Satellite Pro and it's about 2 years old. I'm running windows xp professional and have 1.49 gb ram Whenever i turn on my laptop the keyboard goes all crazy for a while. When I type r i get 7r, when i type m i get mv, to mention just 2 of the keys. After a while it sorts itself out but i'm not sure if this PROBLEM is related to viruses or not. I'm using avast's free antivirus softwa7re along with ad-aware and i also have a subscription to tune up utilities which i run regularly. another problem i've encountered is, when trying to play games over a wireless network, my screen always crashes about 10 minutes into it. this used to WORK fine and all the other gamers can continue no problem. I thought I'd ask before posting a hijack this log file but if you need it please let me know. Really appreciate your help on this and thanks for providing this service.I think you can go ahead and post the HijackThis Log. When did the problem start?hey thanks for getting back to me so quickly. Here's the hijack this log file. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:21:24, on 18/09/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SkyTel.EXE C:\WINDOWS\system32\00THotkey.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\system32\thpsrv.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\CMBCHINA\WebProtect\WPService.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ThpSrv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\BitTorrent\bittorrent.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.rd.yahoo.com/customize/ycomp/defaults/sb/http://uk.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search PAGE = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/http://uk.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/http://uk.yahoo.com F2 - REG:system.ini: UserInit=userinit.exe,EXPLORER.EXE O2 - BHO: Adobe PDF Reader Link HELPER - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Video decompressor - {490BE71A-AAA4-4616-B6C8-4847CA2972D0} - (no file) O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: IntelligentAdvisor - {6548BF73-58FF-71D5-F97D-17C71E323709} - (no file) O2 - BHO: dcads - {6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E} - (no file) O2 - BHO: dcads - {733716E1-76D2-4003-AC39-845281C0EF85} - C:\WINDOWS\system32\nsxA8.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll O2 - BHO: MySidesearch Search Assistant - {DDFA1356-E6ED-42a5-9D62-93211D424A90} - (no file) O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: Download with Xilisoft Download YouTube Video - C:\Program Files\Xilisoft\Download YouTube Video\upod_link.HTM O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm O8 - Extra context menu item: Ìí¼Óµ½¿¨°ÍË¹»ù·´¹ã¸æ - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchina.com/download/CMBEdit.cab O16 - DPF: {436ABEF3-3479-4703-B4A9-64268AEFFEE9} - http://www.joytopic.com/download/SOPCORE.CAB O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189775432640 O17 - HKLM\System\CCS\Services\Tcpip\..\{59C93906-5A48-4633-B917-C0F0C7E793EE}: NameServer = 85.255.116.173 85.255.112.72 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: ?? 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe (file missing) O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\xivhweoa.exe (file missing) O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe -- End of file - 9024 bytes Thanks again With my noobish log-checking skills, there are some questionable entries... I think you should wait for a Malware Specialist to have a look. (Moving to Computer Virus and Spyware Section)You need to visit the Malware Removal Guide. Be sure to read the part about "You should only have one antivirus and one firewall installed at any time. If you have two of either installed then uninstall one now before continuing.*"

Discussion

2097.	Solve : BAR311.EXE please help me?
Answer» Depending on what all damage has been done that may be the only option. Try to scan it for virus. Post the log when complete. Plug in the USB drive prior to performing the steps below. PLEASE keep ALL other programs closed during the scan Run an online scan with the Kaspersky Online Scanner The program will launch and then start to download the latest definition files. Once the scanner is installed and the definitions DOWNLOADED, click Next. Now click on Scan Settings Now under select a target to scan select Your USB drive. Once the scan is complete it will display if your system has been infected. Please do not use your computer while the scan is RUNNING. Once the scan is complete it will display if your USB drive has been infected. Click the Save Report As... button. In the Save as... prompt, select Desktop In the File name box, name the file KasScan-ddmmyy (or similar) In the Save as type prompt, select Text file (see below) Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. Quote from: windsor00 on September 17, 2008, 10:15:41 AM i give up. none of the TWO works so i decided to reformat my portable storage device. now the problem is it cannot be formated and i dont KNOW why. it says windows cannot complete the format. what is wrong? should i replace my portable storage device? Try to reformat it in other computer.

2097.

Solve : BAR311.EXE please help me?

Answer»

Depending on what all damage has been done that may be the only option.

Try to scan it for virus.

Post the log when complete.

Plug in the USB drive prior to performing the steps below.

PLEASE keep ALL other programs closed during the scan

Run an online scan with the Kaspersky Online Scanner

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions DOWNLOADED, click Next.
Now click on Scan Settings
Now under select a target to scan select Your USB drive.
Once the scan is complete it will display if your system has been infected.
Please do not use your computer while the scan is RUNNING. Once the scan is complete it will display if your USB drive has been infected.
Click the Save Report As... button.

In the Save as... prompt, select Desktop
In the File name box, name the file KasScan-ddmmyy (or similar)
In the Save as type prompt, select Text file (see below)

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Quote from: windsor00 on September 17, 2008, 10:15:41 AM

i give up. none of the TWO works so i decided to reformat my portable storage device. now the problem is it cannot be formated and i dont KNOW why. it says windows cannot complete the format. what is wrong? should i replace my portable storage device?

Try to reformat it in other computer.

Discussion

2098.	Solve : Virus Alert on Time Bar?
Answer» ALL DONE. THANKS again !

Discussion

2099.	Solve : Thanks Guys.................................?
Answer» Just wanted to say a big THANKYOU to everyone involved in this SITE. Got infected with Poison Ivy on Sunday night, ran XSoftSpySE which supposedly detected and deleted it. On boot up on Monday morning Firefox was as slow as a snail and all my Google searches were being redirected to USELESS Ad sites. Ran XoftSpySE and McAfee which detected nothing yet the problem remained. Registered here, ran the steps and the problem was sorted. I didnt even have to post !!! Why am I paying for Internet Security and Anti- Virus services when free DOWNLOADS and advice do a better job. Thank you so much to everyone involved in this site, especially the author of " Before you post " thread. You saved my PC !!!! Thanks for the kind words. I would not trust XoftSpySE. The tools in the malware removal thread are all you should need. Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed. Go to Start > Programs > Accessories > System Tools and click System Restore Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create. The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. Next go to Start > Run and type Cleanmgr Click OK Click the More OPTIONS Tab. Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one. You can find instructions on how to enable and re-enable system restore here: Windows XP System Restore Guide or Windows Vista System Restore Guide . ---------- Use the Secunia Software Inspector to check for out of date software. Click Start Now Check the box next to Enable thorough system inspection. Click Start Allow the scan to finish and scroll down to SEE if any updates are needed. Update anything listed. . ---------- Go to Microsoft Windows Update and get all critical updates. ---------- Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC. Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript To prevent unknown applications from being installed on your computer install WinPatrol 2008 * Using Winpatrol to protect your computer from malicious software I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

2099.

Solve : Thanks Guys.................................?

Answer»

Just wanted to say a big THANKYOU to everyone involved in this SITE.

Got infected with Poison Ivy on Sunday night, ran XSoftSpySE which supposedly detected and deleted it. On boot up on Monday morning Firefox was as slow as a snail and all my Google searches were being redirected to USELESS Ad sites.

Ran XoftSpySE and McAfee which detected nothing yet the problem remained.

Registered here, ran the steps and the problem was sorted.

I didnt even have to post !!!

Why am I paying for Internet Security and Anti- Virus services when free DOWNLOADS and advice do a better job.

Thank you so much to everyone involved in this site, especially the author of " Before you post " thread.

You saved my PC !!!!

Thanks for the kind words.

I would not trust XoftSpySE. The tools in the malware removal thread are all you should need.

Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

Go to Start > Programs > Accessories > System Tools and click System Restore
Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Next go to Start > Run and type Cleanmgr
Click OK
Click the More OPTIONS Tab.
Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to SEE if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Discussion

2100.	Solve : Using Hijack this for this XP 2008 Antivirus?
Answer» Click START then RUN Now type Combofix /u in the runbox Make sure there's a space between Combofix and /u Then hit Enter. The above procedure will: Delete the following: ComboFix and its associated files and folders. Reset the clock settings. Hide file extensions, if required. Hide System/Hidden files, if required. Set a new, clean Restore Point. . ---------- Download ATF CLEANER by Atribune to your Desktop. Alternate download link Note: Vista users must use Run As Administrator Under Main: Select Files to Delete choose: Select All. Click the Empty Selected button. If you use Firefox browser click Firefox at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords click No at the prompt. If you use Opera browser click Opera at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords click No at the prompt. Click Exit on the Main menu to close the program. Note that your system will run slower for a reboot or two after having used this tool so don't panic. ---------- Download OTCleanIt.exe and save it to your Desktop. Double-click OTCleanIt.exe. Click the CleanUp! button. Select Yes when the "Begin cleanup Process?" prompt appears. If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes, if not delete it yourself. . ---------- Disable the System Restore Utility to prevent re-infection from an old one 1) Right click the My Computer icon on the Desktop and click on Properties. 2) Click on the System Restore tab. 3) Put a check MARK next to Turn off System Restore on All Drives 4) Click the OK button. 5) You will be prompted to restart the computer. Click the Yes button. Now re-enable System Restore To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'. 1) Right click the My Computer icon on the Desktop and click on Properties. 2) Click on the System Restore tab. 3) Remove the check mark next to Turn off System Restore on All Drives 4) Click the OK button. ---------- Use the Secunia Software Inspector to check for out of date software. Click Start Now Check the box next to Enable thorough system inspection. Click Start Allow the scan to finish and scroll down to see if any updates are needed. Update anything listed. . ---------- Go to Microsoft Windows Update and get all critical updates. ---------- Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC. To prevent unknown applications from being installed on your computer install WinPatrol 2008 * Using Winpatrol to protect your computer from malicious software I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites. SpywareBlaster - Secure your Internet Explorer to make it HARDER for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth. I'm afraid I ran out of time and had to go to work. I got as far as rebooting after the OTclean. I will do the rest and get back to you later. I have some questions that will most LIKELY seem dumb to you I guess; The advice you give is to save to desk top. I don't seem to get that option when I download. after I click RUN it saves it to the c: drive. I can't see the desk top option if I click browse. Am I just not looking hard enough? With Hijack this I removed all the protocol files (you can see in the log) should I restore some of them? Would it be too much for my brain to understand if you were to explain what they are? Thanks again for your instructions and guidance (as to thank you for your "help" would imply I know what I'm doing and you're just assisting, which is not the case). The protocol files were unnecessary and just taking up space. It sounds like the default install location is C:\ and thats fine. OTCleanIt will remove everything that you don't need so it sounds like everything should be fine now.

2100.

Solve : Using Hijack this for this XP 2008 Antivirus?

Answer»

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

.
----------

Download ATF CLEANER by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator

Under Main: Select Files to Delete choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
Click Exit on the Main menu to close the program.

Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it yourself.

.

----------

Disable the System Restore Utility to prevent re-infection from an old one

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check MARK next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.

----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it HARDER for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

I'm afraid I ran out of time and had to go to work. I got as far as rebooting after the OTclean. I will do the rest and get back to you later.

I have some questions that will most LIKELY seem dumb to you I guess;

The advice you give is to save to desk top. I don't seem to get that option when I download. after I click RUN it saves it to the c: drive. I can't see the desk top option if I click browse. Am I just not looking hard enough?

With Hijack this I removed all the protocol files (you can see in the log) should I restore some of them? Would it be too much for my brain to understand if you were to explain what they are?

Thanks again for your instructions and guidance (as to thank you for your "help" would imply I know what I'm doing and you're just assisting, which is not the case). The protocol files were unnecessary and just taking up space. It sounds like the default install location is C:\ and thats fine. OTCleanIt will remove everything that you don't need so it sounds like everything should be fine now.

Discussion

Explore topic-wise InterviewSolutions in .

Solve : problem signing?

Solve : O.K. 1. THERE IS NO SHORTCUTS TO F- SECURE INTERNET SECURITY 2010 ON MY DESKTOP.?

Solve : Identification of viruses?

Solve : needing the "all clear"?

Solve : Should I allow MBAM remove 1 result??

Solve : Multiple AV?

Solve : Eratic internet?

Solve : Show hidden files and folders issue?

Solve : Trojan HijackThis log?

Solve : Cyber Security virus/malware?

Solve : infected System32\atapi.sys file. AVG can't fix...help!?

Solve : won't uninstall?

Solve : antivirus software alert / aplication cannot be executed?

Solve : infected System32\atapi.sys file. AVG need some help.?

Solve : Pendrive infected by gphone.exe & newfolder.exe worm.?

Solve : Malware - "Antivirus Soft"?

Solve : rootkit removal never certain??

Solve : WHAT "bad" websites??

Solve : Gala search?

Solve : Google link rederects in Firefox but not with IE?

Solve : WHAT “bad” websites? [Malware advice spammers]?

Solve : need Antivirus,firwall info - Norton AV "incompatible" with ZoneAlarm firewall?

Solve : Need help with Virus..."Cannot execute file....Please run Spyware"?

Solve : prevent anti-malware software??

Solve : Please do not bump your thread?

Solve : I keep getting this window popping up on my PC r/o?

Solve : Unwanted Downloads?

Solve : Re: sasser worm b?

Solve : Windows Search Bar?

Solve : Re: www.manipulatingtheicesurface.com?

Solve : One jump a head of the bugs?

Solve : Re: isearch toolbar?

Solve : Re: Sasser and Trojan PROBLEMS HELP?

Solve : Re: computer is acting up?

Solve : Re: Trojan horse downloader?

Solve : Re: Virus problem?

Solve : Re: Sasser virus?

Solve : corporate network protection against spyware?

Solve : What is the best Internet Security?

Solve : I need your help please?

Solve : Virus Alert in Toolbar. Already got Combofix logs.?

Solve : Zlob virus??

Solve : I got a virus again.....?

Solve : very laggy?

Solve : Help me completely clean Virumonde please?

Solve : comptuer is running a little strangley?

Solve : BAR311.EXE please help me?

Solve : Virus Alert on Time Bar?

Solve : Thanks Guys.................................?

Solve : Using Hijack this for this XP 2008 Antivirus?