Explore topic-wise InterviewSolutions in .

Hi,

I have a PC which has DISPLAYED a virus warning message. The infected file is:

C:\Windows\System32\kamsoft.exe

I ran the scans, and they appear to have found and removed it. I've attached the log files for checking.

Cheers

Nick


[ATTACHMENT DELETED by admin]The anti virus on this MACHINE has just displayed a warning about this file:

C:\WINDOWS\SYSTEM32\GASRETYW0.DLLQuote from: nickc1976 on December 18, 2008, 03:57:49 AM

I ran the scans, and they appear to have found and removed it. I've attached the log files for checking.

OK, GOT a virus...... I was following the clean up INSTRUCTIONS on your site and when I got to load superantispyware...... it will not take it. I get a message: windows INSTALLER service COULD not be accessed.........hum!
Any ideas..
thanks

Trend Micro would not run, however Kaspersky did scan. Here is the log file:

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 26, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 26, 2008 12:17:15
Records in database: 1517295


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 102111
Threat name 2
Infected objects 2
Suspicious objects 4
Duration of the scan 02:02:53

File name Threat name Threats count
C:\Documents and Settings\james\DoctorWeb\Quarantine\sdsetup.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon 1

C:\Documents and Settings\james\DoctorWeb\Quarantine\Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon 1

C:\Documents and Settings\james\Local Settings\Application Data\Identities\{ACEE249B-0C16-491C-B19E-348F8295C81C}\Microsoft\Outlook Express\July 07.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\james\Local Settings\Application Data\Identities\{ACEE249B-0C16-491C-B19E-348F8295C81C}\Microsoft\Outlook Express\March 07.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\RECYCLER\S-1-5-21-962543650-3587973138-1127685652-1115\Dc14.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\RECYCLER\S-1-5-21-962543650-3587973138-1127685652-1115\Dc18.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.
Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]:Processes
explorer.exe

:services

:reg

:files
C:\Documents and Settings\james\Local Settings\Application Data\Identities\{ACEE249B-0C16-491C-B19E-348F8295C81C}\Microsoft\Outlook Express\July 07.dbx
C:\Documents and Settings\james\Local Settings\Application Data\Identities\{ACEE249B-0C16-491C-B19E-348F8295C81C}\Microsoft\Outlook Express\March 07.dbx
C:\RECYCLER\S-1-5-21-962543650-3587973138-1127685652-1115\Dc14.bak
C:\RECYCLER\S-1-5-21-962543650-3587973138-1127685652-1115\Dc18.bak

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your NEXT reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.OT MOVE Log File:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\james\Local Settings\Application Data\Identities\{ACEE249B-0C16-491C-B19E-348F8295C81C}\Microsoft\Outlook Express\July 07.dbx moved successfully.
C:\Documents and Settings\james\Local Settings\Application Data\Identities\{ACEE249B-0C16-491C-B19E-348F8295C81C}\Microsoft\Outlook Express\March 07.dbx moved successfully.
C:\RECYCLER\S-1-5-21-962543650-3587973138-1127685652-1115\Dc14.bak moved successfully.
C:\RECYCLER\S-1-5-21-962543650-3587973138-1127685652-1115\Dc18.bak moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_338.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12262008_163422

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_338.dat not found!
1. Double click OTMoveIt3.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Set a New Restore Point to prevent possible reinfection from an OLD one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working STATE if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Hey everyone. I've been trying to run the basic procedures that you instruct us to use, but I am having a problem. Something is getting in the way of SAS as it scans causing my computer to restart...the msg goes something like this....

"A problem has occurred attempting to access win32. Computer must retart for the inconvenience. Save your work.
Computer will start in XX minutes...
Restart initiated by DCOM "

Something like that. It's also preventing my Security Center for automatically loading and turning off my antivirus and firewalls.

Any idea where i can start to tackle this POS?Here are the logs. I finally got my comp to get thru them w/o restarting due to DCOM

[attachment deleted by admin]here is the combofix log.

Also, sometimes when I run SAS i get "Adware.Vundo Variant/Rel" detections and other TIMES not. Anyone have any ideas?

Thanks

[attachment deleted by admin]You have an infected system file, so this could end up being tricky, but we'll see what we can do. Go here: http://www.eset.eu/online-scanner to run an online scannner from ESET.
Note: You will need to use Internet explorer for this scan
Check the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the option REMOVE found threats is checked, and the option Scan unwanted applications is checked.
Click Scan.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log (or attach it if you wish) as a reply to this topic, ALONG with a new HijackThis log and new ComboFix log.unfortunately, IE fails before it can install properly. Either way I'm just going to format. Altho now I can't get my F8 button to work so that I can accept the MICROSOFT termsI hate to say it, but you have a pretty bad infection. If you have a proper Microsoft Windows CD (it is shiny and says "Microsoft" all over it), you may be able to delete the file (if the system will let you) and then replace it with a clean version. Even then, it's still a bit of a longshot.

What exactly do you need your F8 key for? When trying to reformat, are you taken to a screen that says something along the lines of "Press F8 to Continue/Accept Terms"? I haven't reformatted in quite awhile and it's different for each brand of computer, so please bear with me.

Also, is your keyboard wireless? And do you have another keyboard that you can try?

This is a fairly recent THING. I get these notices from AVG resident shield about tracking cookies, sometimes 9 or 10 at a time.
Could that mean I have a firewall problem?
I am only using the windows firewall but that's all I've ever used.

AVG free
SuperAntispyware
Malwarebytes
Vista BusinessSee here Are cookies really spyware and are they dangerous?@evilfantasy: Wanted info.Quote from: jimpl on January 05, 2009, 09:03:33 PM

This is a fairly recent thing. I get these notices from AVG resident shield about tracking cookies, sometimes 9 or 10 at a time.
Could that mean I have a firewall problem?
I am only using the windows firewall but that's all I've ever used.

AVG free
SuperAntispyware
Malwarebytes
Vista Business

okay here goes i download the FILES that i need to install i've gotten to the PART to use the cclean but i cant get it to run on my laptop because my laptop is what is messed up and i cant get it to run
Hi,

Sounds like you've got a virus or other dangerous form of MALWARE.
Good LUCK!Quote from: JohnDDent on January 07, 2009, 06:44:01 PM

Hi,

Sounds like you've got a virus or other dangerous form of malware. I suggest "A-Squared Free" by "EMSI Software," [a Swiss company] to fix your computer. Be sure to get the free version unless you want to pay for it. But the free version will do all the paid version will do except for a few xtra features you probably don't need. Download it - use Google or another search engine in your browser to find the download file and install it. This program will find and clean your problems.

Good luck!

• Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
  
• Then search for TDSSserv.sys
  
• Let me know if you find this or not.
• If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
  
• Also if this is found and you disable it.
• Now reboot and see if you can run the other scans that would not run.

I opened a email that I thought was a legit one to my mistake I think it was a virus. When I go into my cpu my drives come up but I cannot open them by double clicking, the c drive opens system 32 folder when I do, and my f drive(extra HD) says cannot find '''r' makes srue you typed it correctly and try again. But I can right click and open by choosing the open option. Thanks for any help

[attachment deleted by admin]Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this LINK to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.Thks a bunch WORKED gr8 took lke 15 hours to complete all stages and I had to shut my cpu off and turn it back on to reboot everything. One thing I couldnt stop avg from running so I uninstalled it. now after the fix I am getting a meesage trying to install AVG again. I assume its from whatever the combofix did. Any clue how to fix it? thanks again Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

[attachment deleted by admin]Is that the entire ComboFix log you were given? I've never seen it produce a log like yours; PERHAPS you should try it again. As for your HJT log...run another scan and place checkmarks next to these entries...

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O1 - Hosts: 69.20.16.183 search.netscape.com

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

Close all windows (including this one) and click on Fix Checked. If you still have Paltalk Messenger installed on your computer, uninstall it. Once you have done everything, post a new log.

Are you still having with AVG trying to install? If so, then try running AVG Remover:
http://www.avg.com/download-toolsyeah ran the avg uninstaller tried to reinstall but same message?? I removed those buttons in hijack. Do I need to run combofix again? it took forever, should it have taken all that time? I started like 11am and finished next day around 4am but like I said it wasnt rebooting so I shut the cpu down and restarted but worked fine when I did I can open my files fine.Okay, it looks like this is actually a permissions problem. Take a look at this page here:
http://freeforum.avg.com/read.php?13,160321,160327#msg-160327

In that post, a moderator of the AVG forum explains how to fix this issue.

As for ComboFix...it usually only takes a few minutes. I've seen it take up to 20 or 30 minutes on badly infected MACHINES, but I have never heard of it taking SEVERAL hours. I'm going to look into this to see if I can find any information. In the meantime, look through the above link and see if it helps with your error message.

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]:Processes
explorer.exe

:services

:reg
[-HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[-HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}]
[-HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32]
[HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel]
"C:\WINDOWS\SYSTEM32\OPNLIAWW.DLL"=-
[-HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}]

:files
c:\docume~1\Name\LOCALS~1\Temp\MSBNDO~1\ISLNDIS5.SYS

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose YES. If not, reboot anyway.SAS says I'm clean! Thank you very much for sticking with me through this. You've been terrific. Latest results below:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
UNABLE to delete registry key HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\\ .
Registry key HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\\ not found.
Registry key HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32\\ not found.
Registry key HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel not found.
Registry key HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\\ not found.
========== FILES ==========
File/Folder c:\docume~1\Name\LOCALS~1\Temp\MSBNDO~1\ISLNDIS5.SYS not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Name\LOCALS~1\Temp\etilqs_8VQSSUFCa5j9sWe2ehxF scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_74.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12262008_152429

Files moved on Reboot...
File C:\DOCUME~1\Name\LOCALS~1\Temp\etilqs_8VQSSUFCa5j9sWe2ehxF not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_74.dat not found!
C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Name\Local Settings\Application Data\Mozilla\Firefox\Profiles\pkw7nd69.default\XUL.mfl moved successfully.

There seems to be a problem I think because the file has been partly removed so the scanner is having a hard time fully deleting the rest of it. I'm going to have to have you go to the SAS forums and have them have a look at the log and suggest what to do next.

First let's clean up a little but.


• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.
• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.
----------

Download

• Under Main: Select Files to Delete choose: Select All.
  
• Click the Empty Selected button.
  
• If you use Firefox browser click Firefox at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• If you use Opera browser click Opera at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• Click Exit on the Main menu to close the program.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it yourself.

SAS says I'm clean! Thank you very much for sticking with me through this. You've been terrific. Latest results below:

• Click Start Now
  
• Check the box next to ENABLE thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Hello i think i may have got a worm on my pc. I have nortonAntiVirus 2003 it says nothing is wrong but i think there is. My Pc has been running slower then normal. I also it pop u from random web sites. I deleted my cookies and internet hisory. Im not to sure what to do.

My Computer is a:
HP Pavilion a1310n, Microsoft Windows XP Media Center 2002
AMD Athlon(tm)64 Processor 3700+ 1.77GHz, 980 MB of RAMI did i scan with a different AnitVirus and got this. If someone could help explain this too me and Im not sure if these files are they ok to DELETE can someone tell me please and THANK you.


;******
;Avast! Antivirus U3 EDITION
;VPS file version: December 26, 2008 - [81226-0]
;Params: C:\D:\Scan: Full files, All files, Ignore targeting, Archive: ARJ, MIME, EXE, ZIP, Stream, RAR, CAB, TAR, GZ, BZIP2, ACE, ARC, ZOO, WinEXEC, LHARC, CHM, CPIO, RPM, 7ZIP, ISO, TNEF, DBX, SIS, OLE, Installer,
;Columns: File name Status [OK,INFECTED,ERROR]
;******
C:\Acclaim Games\2MOONS_20080619.msi\disk1.cabERROR: The file is a decompression bomb.
C:\Program Files\FunWebProductsERROR: The system cannot find the path specified. Nr(3)
C:\Program Files\Updates from HP\9972322\Program\Interop.SHDocVw.dllINFECTED: Win32:Adware-gen [Adw]
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP308\A0051765.msi\disk1.cabERROR: The file is a decompression bomb.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP311\A0051853.msi\disk1.cabERROR: The file is a decompression bomb.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP320\A0052327.DLLINFECTED: Win32:Mywebsearch-J [Tool]
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP334\A0053205.cplINFECTED: Win32:Neptunia-AGB [trj]
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP334\A0053206.exe\$INSTDIR\PPCToolbar.dllINFECTED: Win32:Adware-gen [Adw]
D:\I386\Apps\APP17040\src\install\Worldwide-MediaCenter\games\{0C84A7C5-2762-4932-96BF-44A77202DCC3}.exe\$TEMP\0C84A7C5-2762-4932-96BF-44A77202DCC3.exe\$NS_LANG_CODE\nsis1.binERROR: The file is a decompression bomb.
D:\I386\Apps\APP17040\src\install\Worldwide-MediaCenter\games\{758619C0-7C97-42BB-B1E9-775F72FDAD1E}.exe\$TEMP\758619C0-7C97-42BB-B1E9-775F72FDAD1E.exe\$NS_LANG_CODE\nsis1.binERROR: The file is a decompression bomb.
D:\I386\Apps\APP17040\src\install\Worldwide-MediaCenter\games\{B2AA88B1-4920-462B-9F7C-019782B3C4DB}.exe\$TEMP\B2AA88B1-4920-462B-9F7C-019782B3C4DB.exe\$NS_LANG_CODE\nsis1.binERROR: The file is a decompression bomb.
D:\PRELOAD\BASE_08.INP\read0600win_ENUhpcq0700.pdfERROR: CAB archive is corrupted.
now IE7 or foxfire won't open should i do a restore on my computer?

I've looked at other posts to try to get rid of the gadcom.exe virus on my computer but most of the things in my hijackthis log don't MATCH what was said to be cleared. I've attached a copy of the log. Which ones am I supposed to CLEAN?

Thank you.

[ATTACHMENT deleted by admin]are you even shure this is a virus?

upload on virus total(dont know webste(and also its an anti malware site so is more than likley has fakers to this site (also im on my moms comp so if she GETS virus SHES mad)))

Quote from: bonehead244 on January 06, 2009, 07:56:40 AM

"By the way, do you recognize this folder?
c:\windows\system32\192.168.1.3"

Hi CHRIS, i dont know why that is a folder, but that ip address is my other desktop computer, i have 2 seperate systems right next to each other on my desk

everything is running great, and I really, really appreciate the help.....can i make any sort of donation or anything?

I do have a question also....when the system was infected i had a hard time getting to my business info.....if i get an external hard drive and keep all my important info on there would that work?
I'm assuming there is no o.s. running on that type of drive that it is just for storage and if need be i can just unplug from virus computer and plug it into another computer i should be ok??

• Double-click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will DELETE itself once it FINISHES, if not delete it yourself.

Hi and just want to say thanks first off. This is a new computer I am the first owner. I scanned it with antimalware and it says I have all of these infections. I'm just wondering if they are real or not because like I said this is a new computer and I have not been to any sites with it. Thanks again for all your help and happy holidays. I couldn't figure out how to put the SASW logs but it came back with nothing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:18 PM, on 12/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer ARCADE Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\john\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1108&m=aspire_5735
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1108&m=aspire_5735
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1108&m=aspire_5735
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no FILE)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.415.1646\swg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\RUN: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer\Acer Registration\ACE1.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\partner.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 9992 bytes


[attachment deleted by admin]Those aren't actually viruses but are spyware which is pre-installed by your computer vendor. This is an acer correct?

I would have MBAM fix them. It won't cause any harm.

For an example see the information on the partner.dll and the partner.exe. http://www.systemlookup.com/CLSID/55616-partner_dll.html

Looks like some of the videos have something in them that is considered a form of malware also. Yes it is an acer. Thanks for the fast response I will rescan and fix them.

I noticed odd behavior ever since I let someone use my computer the other day. Now I cannot access my drives as well as a few other things are acting wierd. When I double on a any drive letter I get the message
C:\resycled\boot.com is not a valid Win 32 application. My first clue was the spelling of rescyled? This happens with any drive, including my external. My first question before I scan & attach the logs is...Do I just scan C drive or all my HD's ? I have 2-250 Gig drives, 1-500 Gig & 1TB external that is alway hooked up.
Windows XP, SP3
Please help...this is very fustrating.
ThanksManaged to fix it myself.What did you do?Used regedit to find & delete all "boot.com" files. Then I opened the hidden files & deleted all "resycled folders" & .ini files on every hard drive. Then I disabled system RESTORE (as it would not let me do a restore to any previous point). Rebooted computer and ran every scan I have... Avira, Spybot, Ad-Aware, Spyware Blaster & Malwarebytes. It came up clean, so I re-enabled system restore and so far everything seems normal. Took a fair bit of time & hurt my eyes after while, but everything is working great so far.
Now I know better, when someone else WANTS to use my computer!! Just say No!

Thanks for asking.I'm sure we could have helped you too.....but as long as it works now.

Quote

Then I opened the hidden files & deleted all "resycled folders" & .ini files on every hard drive.

I experienced some problems with my computer about a week ago when the screen started to flash as well as CONSTANT freezing. Eventually, when I tried using an application such as AIM, my computer shut itself off. When I restarted, my computer picked up that I had trojan horse downloader.delf.BTU and other adware. I am using AVG 8.0 and I've gone through countless spyware/adware programs until I was recommended to come here. I've already gone through the whole removing malware process. Attached are the logs. If there is any more information needed, I will glady offer if I can. I really would not like to have to format my hard drive and restore it with a backup CD, but I'll wait for a response. Thank you!

I forgot to mention my computer specs.

MS WINDOWS XP
SERVICE Pack 2
Toshiba
Intel Celeron M

Thanks!

[attachment deleted by admin]Sorry for the delay.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- R3 - URLSearchHook: (no name) - - (no file)
- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.Here is the log. Thanks again for the help!

[attachment deleted by admin]Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below CODE box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

File::
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{072b0596-a7b9-11dd-94b8-0011f54eab49}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66586192-c564-11db-922d-000fb0648965}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{813b1d6a-7c57-11dc-9304-000fb0648965}]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze


Also let me know how the computer is running now.Here is the combofix log.

My computer seems to be working alright. Should I perform another scan with superantiwpyware and anti-malware? Thanks for all the help.

[attachment deleted by admin]

Should I perform another scan with superantiwpyware and anti-malware?

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Hi, I've been trying to fix my computer. I have horizontal lines on the display/monitor in various colors. I have already updated my drivers 'ati" and also updated my media card READER driver. I have tried the various adjustments to my display with no results. I believe I received a VIRUS from a email. I still have the email ONE was photo's the other PART of it was a snip of music. Any information would be highly appreciated.With abuse, laptop monitors can do that. It pretty much means the connectors between the monitor and the laptop's motherboard.

If you see these lines on the screen before windows loads, it's not a virus.

How old is this laptop?Thank you so much for the RESPONSE. My laptop is 3 years. Do you suggest I replace the hardware? Again thank you very much for your assistance. Unless you know how to replace laptop screens and you can get a replacement, you can try to replace the screen.

Otherwise, do you have any warranty on the laptop?

Part2 of combofix
O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 06:43:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\MFX.sys 52076 bytes executable
C:\SYZ_DAT

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(2812)
c:\docume~1\Owner\LOCALS~1\Temp\IadHide5.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\Smc.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\a2 free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
c:\windows\system32\ntvdm.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-12-23 7:01:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-23 15:00:47
ComboFix2.txt 2008-12-23 04:44:28

Pre-RUN: 28,020,379,648 bytes free
Post-Run: 28,001,595,392 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

286--- E O F ---2008-12-21 16:27:08

Thanks MelNote: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Now download The Avenger by Swandog46 and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your Desktop
• Run avenger.exe by double-clicking on it.
• Do not change any CHECK box options!!
  
• Copy everything in the Code box below, and paste it into the Input script here window:

• Now click the Execute button.
  
• Click Yes to the prompt to confirm you want to execute.
  
• Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
  
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

• Add the Avenger log in your next post.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.
.

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.
.
----------

Download

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it yourself.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Would AVG be a better than Kaspersky internet securty?A short answer is no. Security Suites are normally very bulky which takes up computer resources. The more common method is using layered free solutions. Avast is very LIGHT on resources and has a few functions that others don't, mainly Instant Messaging and * cough P2P Shields.

Either Avast, Avira or AVG are very good and I think Comodo or Online Armor for a firewall.

Remember only install ONE firewall

1) Comodo (Uncheck during installation "Install Comodo SafeSurf..", MAKE Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
2) Online Armor
3) Sunbelt/Kerio
4) Agnitum
5) PC Tools Firewall Plus

Remember to only install one antivirus!

1) Avast! Home Free Edition
2) AVG Free Edition
3) Avira AntiVir Personal

Thanks for the info

Hi everyone,
First post here, and I am hoping to get some help. I have a dell that had approx 256MB of memory, we have Norton. I went to the computer store and bought 1GB of memory and added it. The computer guy turned on the computer and advised that the Norton/symantic is still making my computer run slow. He suggested backing up everything on my computer and uninstalling Norton and restoring my computer to its original SELF. He suggested using AVG instead of Norton, he ALSO said AVG is free.
Without throwing too many technical terms would most of you agree with these instructions? It is just a home computer mostly used for ITunes and pictures (not photoshop or anything). One last question, if I do the above will I lose my list of favorites saved from our homepage? Thanks a lot for any advise, happy holidays!If the Windows installation is in horrible shape, yes.
Maybe just removing Norton will do, though. Google for Norton removal tool.
AVG Free is always a good choice. Make sure you GO through the Tools -> advanced SETTINGS to set it up to your liking once it's installed.

Alternatively, you can try doing this(click)Perfect, thanks a lot!

Getting closer...

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the WORKINGS of your system

Now download The Avenger by Swandog46 and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your Desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
  
• Copy everything in the Code box below, and paste it into the Input script here window:

• Now CLICK the Execute button.
  
• Click Yes to the prompt to confirm you want to execute.
  
• Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
  
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

• Add the Avenger log in your next post.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

• Start
• Run
• type: CLEANMGR.EXE
  
• Press Enter.

• Temporary Internet Files
• Downloaded Program Files
• Recycle Bin
• Temporary Files

• Double-click on drweb-cureit.exe and then click Start.
  
• An Express Scan of your PC NOTICE will appear.
  
• Under Start the Express Scan Now Click OK to start.
  • This is a short scan that will scan the files currently running in memory.
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
  
• Choose the Scan tab and UNcheck Heuristic analysis and click OK
  
• Back at the main window, select the Complete scan button.
  
• Then click the Green Arrow Start Scanning button on the right and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit.

• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

• After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  
• Copy and paste that log in the next reply

• When finished exit out of OTMoveIt3

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

I NOTICED a virus on my cpu a couple of days ago. I decided to GET NOD32 antivirus and as I was installing it, my computer froze. So i rebooted and when I WENT to startup, it suddenly it froze. It keeps doing that on startup and Im pretty sure its the virus. Any Fixes?Press F8 before Windows loads, enter safe mode and scan from there.

Quote from: Raptor

Press F8 before Windows loads, enter safe mode and scan from there.

theres no way to do that because everytime i try to go into safe mode, it asks for my username and pass.....i dont have one..

I agree with the above post.

i had followed malware removal help after finding out my computer got infected with radz. the obvious symptom of a changing homepage was fixed. unfortunately, everytime i open IE, "Yahoo!-Radz Services and Internet Cafe" appears. here are the latest logs...

SUPERAntiSpyware Scan Log
HTTP://www.superantispyware.com

Generated 01/07/2009 at 11:29 PM

Application Version : 4.23.1006

Core Rules Database Version : 3698
Trace Rules Database Version: 1674

Scan type : Complete Scan
Total Scan Time : 03:29:25

Memory items scanned : 571
Memory threats DETECTED : 0
Registry items scanned : 9470
Registry threats detected : 0
File items scanned : 419887
File threats detected : 0


Malwarebytes' Anti-Malware 1.32
Database version: 1628
Windows 6.0.6001 Service Pack 1

1/8/2009 1:31:19 AM
mbam-log-2009-01-08 (01-31-19).txt

Scan type: Quick Scan
Objects scanned: 55067
Time elapsed: 3 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of TREND Micro HijackThis v2.0.2
Scan saved at 1:38:28 AM, on 1/8/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\vsnp2std.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\igfxsrvc.exe
D:\Program Files\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.ph.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ph.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Radz Services and Internet Cafe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Windows\system32\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [snp2std] C:\Windows\vsnp2std.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [] ??e
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Agere Modem Call Progress AUDIO (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IPOD Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 10124 bytes

Some of the music is on WMP! will it stay there once i uninstall MP3 rocket?

And can you reccomend a good site for music downloads!(legal)

Do you think this is where the problem is hiding?

I guess you cant get anything for nothing!

I cannot USE IE or firefox to acess internet. I ran my AVG and it doesnt find any viruses. Same with ad -aware.so I FOLLOWED you forum and I had to download MBAM and the spyware on another computer and transfer them with a thumb drive. When i tried to open them they just wont open. I was able to get hijack this. So I am posting and awaiting to see if you could find a way to help. THANKS for what you do. Oh and when the IE does open I get sent to some DIFFERENT websites really indicating spyware or malware.

[attachment deleted by admin]

Alright, here we go...

It all started this morning when I started up my laptop and felt like getting back into some Neverwinter Nights 2. Having just woken up, and being extremely lazy, I DECIDED I didn't want to go searching for the disc (that I legally own). I headed over to Game Copy World to find a No-CD fixed EXE, when a veritable smorgasbord of pop-ups filled my screen. I thought 'Oh great, some ad-ware' and fired up AVG 8, which is when all my problems began.

The Windows Security Center icon flashed red in the system tray and told me that my firewall, automatic updates, and virus protection had all been turned off. I clicked the balloon, hoping to remedy the problem. As the Security Center popped up, it's window border kept flashing, as if it was losing focus and regaining it, on the order of once or twice per second. I put everything back the way it was and exited hastily.

Now back in AVG, it couldn't connect to the update server, then all the different components of AVG started shutting down and starting up on their own. After it finished it's little fit, I went ahead with the SCAN, which showed me a Trojan by the name of SHeur2.GAS mascarading as csrssc.exe in my Temp folder. After moving the file and it's associated registry key to the virus vault, it prompted me to reboot, which I did.

After the reboot, I proceeded on to Firefox to learn some more about SHeur2.GAS, which a) led me to this forum, and b) showed that I definitely did not cure the entire infection as after I clicked the link to this forum, I was instead redirected to some advertisement page which spawned a number of pop-ups. Cue exiting Firefox upon noticing that my network download speed was maintaining a steady 60k/sec with no Internet activity on my part. I also disabled all network connections to my laptop, and am now broadcasting from my roommate's PC.

I read the topic regarding what to do before posting and here are all the necessary logs.

I only hope the specialists see fit to smile upon me in my time of need.

[attachment deleted by admin]Welcome to CH.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
- O20 - AppInit_DLLs: avgrsstx.dll cghckd.dll
- O20 - Winlogon Notify: khfEtSlM - khfEtSlM.dll (file missing)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

NOTE: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code: [Select]REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Alcmtr"=-
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is COMPLETE.So far, so good! The registry edit worked and ComboFix ran through to completion, so here is the log.

[attachment deleted by admin]Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]:Processes
explorer.exe

:services

:reg

:files
d:\windows\Tasks\mqrhbrgx.job

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

• Click on SCAN NOW
  
• Click Accept.
  
• The program will then begin downloading the latest definition files.
• Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  
• The scan will take a while, so be patient and let it finish.

• Next, in the Save as prompt, Save in area, select: Desktop.
  
• In the File name area use KScan, or something similar.
  
• In Save as type: click the drop arrow and select: Text file [*.txt]
  
• Then, click: Save

Looks good. Only one file REMOVED. Is the computer running OK now?


• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.
• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.
.
----------

1. Double click

• When finished exit out of OTMoveIt3

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

I am supposed to run CCleaner? Because I did and it deleted a lot of stuff. Was that what I was supposed to do?No I don't need the JavaRA log. Yes running CCleaner is always good. You can run it daily to clean up unwanted junk on your hard drive.Generally, how long does the Kaspersky scan take?It will take at least an hour, possibly more. It does take a while. The Kaspersky scan didn't have anything in the Scan Report. It was blank.
I think that's a good thing...--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 22, 2008 11:04:03
Records in database: 1499780
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 58597
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:28:08

No malware has been detected. The scan area is clean.

The selected area was scanned.
Looks good.

How is the computer running now?

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Which is SAS?

I am running a dell inspiron 531s desktop with 2.31gHz and 1.93 GB RAM with Windows xp version 2002 service pack 3.

I have been having issues with searches being redirected, my norton antivirus had to be removed completely because it would not function and it was up to date. When I tried to go to any site with antivirus software the site was blocked. I finally got avast from filehippo as well as the other software you mentioned above.

I have followed all of the instructions above and things seem to be working better, but please let me know what else I may need to do.



[attachment deleted by admin]Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of SECURITY programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.Okay I ran combo fix and here is the log for that and hijackthis. Thanks for the help.

[attachment deleted by admin]One more quick scan...

Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/179891642/SDFix.exe.html

When using this tool, you must use the ADMINISTRATOR's account or an account with Administrative rights

• Double click SDFix.exe and it will extract the files to %systemdrive%
  
• (this is the drive that contains the Windows Directory, typically C:\SDFix).
  
• DO NOT use it just yet.

• Type Y to begin the cleanup process.
  
• It will remove any TROJAN Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
  
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  
• Copy and paste the contents of the results file Report.txt in your next reply.

GGGGGGGGGGGGRRRRRRRRRRRRRRRR!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I have spent COUNTLESS hours on the phone/online with Symantec over the past few years, so today I asked for a discount on their product (Norton 360 v2) IF I stayed with them. The online technician I spoke to said he couldn't give me a discount but COULD extend my service by 30 days. I then had to call them to renew because their website lists 3 different prices for 1 year service (and boy, do you have to click around to find that out!). The phone person asked me how long it took for them to answer my call, and I said that including the 3 calls I made before I went online, the time I spent online, and the call that got disconnected when the person I was about to speak to on the call prior to the current one, about 3 hours! This person offered to extend my service by 30 days. I told them the online person had also offered me 30 days, so I would like the full 60 days being offered and it was granted on the spot, with the phone person having me check my account again so I could see it was actually ADDED.

Although I initially was calling just to extend my subscription, the online tech helped me with something else I needed to ask about - it didn't take all that time to just ask about renewing. I've had Symantec technicians REALLY go above and beyond the call of duty - they've helped me with problems that weren't even their company's fault, which is why I STAY with Symantec. The problem that kept me online with them for so many hours over the years was something they really couldn't resolve - Symantec had to rewrite Norton 360 to Version 2 for the problem to be solved. Now maybe they'll un-crap their website and make it easier to find a person to talk to!I once had a Symantec sales man visit to explain me all about the wonders of Norton 2005.. Or 2006.. Or something.
Told him customers thought Norton ran like thick-*censored* and he immediately pulled out a chart to show how much faster it had become. Did get some free trial products out of him, heh.

Hi, I've recently been having PROBLEMS with some Trojans that Spybot Search and Destroy detected (All other scanners I used failed to find the problem). They were called Win32.delf and hipoug18 or something. I also found a file at C:\yt8a.exe and C:\windows\system32\yt8a.exe (which labeled it self as a system file) this was closing down my browser every time I opened a page containing "yt8a.exe".
I managed to remove yt8a.exe from startup and have run many scans including the ones recommended by the sticky post at the top of the FORUM here. Although none of the programs reported that they had detected or removed win32.delf or the other they are no longer being detected by my spybot S&D scans.
My computer does seem to be running better HOWEVER I can no longer enable the showing of hidden files and folders and I cannot boot windows in safe mode (gets so far when booting files and stops) also Hijackthis.exe won't run with that name, which it should if I was completely clean.
Also I have checked for the existence of TDSServ.sys but I don't have it.

I will attach logs I have created although one or two may be from before changes were made/files removed by other scanners.

While I await a reply I will create a combofix log, Can't seem to find the last one I created, also please let me know of any other reports you may need and I shall gather them.

Thank you very much for your help, Shandy

[attachment deleted by admin]Unfortunately only the one log seemed to become attached, Here are the rest.

[attachment deleted by admin]Here is the combofix log.
Thanks guys.

[attachment deleted by admin]Is AT&T your internet service provider?

I don't really see much in your logs. Are you still experiencing problems?Actually seems to be running fine now, and Hijackthis.exe will run under that name, I haven't tried a safe boot, I'll check that later. Thanks for your time
And no btw, AT&T isn't my isp but it may have been previously, this is an old machine from work that was setup for domain use, it's given me nothing but trouble since I've removed it from the domain. Anyway I'm all good now, thanks again I don't know if it's related or not, but you had these ENTRIES in your HJT log...

O17 - HKLM\System\CCS\Services\Tcpip\..\{6A16CDF6-7E37-4793-84D9-096B3DA653D2}: Domain = EMEA.ATT.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = EMEA.ATT.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = EMEA.ATT.COM
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = EMEA.ATT.COM

These could possibly be causing issues. As a test, you may want to try removing these entries with HijackThis. Simply place checkmarks next to them, close all other windows, and click on Fix Checked. NOTE: there is a possibility that this may break your internet connection. If that happens, run HijackThis again and choose the Backups option. Find the above O17 entries, place checkmarks next to them, and have HJT restore them.Thats the old domain the laptop used to be on it shouldn't affect my connection, I will remove them now. This laptop was given to my dad by a company he had a contract with, after the contract finished he kept the laptop since it was built only for his use. It's been giving me problems actually I removed the machine from the domain (guessing the admin's password) but after that I could not get past the username/password on windows log in since the account my dad used was no longer accessible. I had to download a boot disc to remove all account passwords so I could log in then I had to take permission of every file with CACLS. Everything seems to be alright now except a tonne of redundant files but I don't know if any are essential or not.
Jeez I'm rambling... Thanks for the help CHRIS! you rule Heh, well, I'm glad things seem to be running a bit better now. As for duplicate files, you may want to look into this program...
http://www.snapfiles.com/get/fastdupfinder.html

I ran all recommended scans and CCleaner, defrag, fix it, and avast still pop up error with tsoc file? The file or directory\WINDOWS\tsoc.log is corrupt and unreadable. Please run Chkdsk utility.

[attachment deleted by admin]Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before STARTING ComboFix.

Temporarily disable your antivirus, and any antispyware REAL time protection before PERFORMING a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

For Windows XP Systems install the RECOVERY Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

Hello.
Basically my problem is that my computer has been REALLY slow, I can't access Internet Explorer (I don't really use it tho), and when I'm using Firefox sometimes I get sent to random advertisement/spam websites.

I followed all the "malware removal steps," and I my internet speed has improved a lot. I also haven't seen the random websites ANYMORE. I still don't think I have gotten rid of all the malware though. Therefore, I would really appreciate it if anyone can tell me what further steps I need to take, or what else I can delete.

Thank You & Happy Holidays

Here are my logs:



[attachment deleted by admin]Sorry for the LONG wait. We are VERY backed-up right now! If you still require assistance, please do the following...

Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

• Double-click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
• DO NOT use it just yet.

• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to reboot.
• Press any Key and it will restart the PC.
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished. Press any key to end the script and load your desktop icons.
• Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

I was helping a friend who had not run his AV in two years because he didn't know you were supposed to renew the subscription and never ran spyware remover. I tried to download AVG 8 but IE wouldn't go to the website (Not found) I tried downloading MCAFEE stinger, Again, couldn't open website (Not found). I finally downloaded Spybot and attempted to install in but but when the software went to int Internet for info, I would get a message "Internet connection not available" but it was. I downloaded and installed AdAware but when I went to update the defs, I would get the same message "Internet connection not available". Finally I went to my PC and downloaded AVG * and downloaded it to my Flash DRIVE and installed it and ran on His PC. Updated fine. Found several Trojans and reg viruses and they were removed. Same result when trying to update AdAware or install spybot. PC is running much better but I WANT to fix the problem with Spybot and AdAware. He is running Win XP Home and IE 6.Clik Here and Follow the Instructions...Followed the instructions and the computer is running GREAT and he has no problem connecting to all the site. Found and removed all kinds of malware, spyware, adware and viruses! THANKS!Good News indeed...
Happy HOLIDAYS and stop by anytime !Well, everything that was good has gone bad again! Can't update Adaware or AVG as before. Now can't run malwarebytes, spybot or superantispyware. When you DC the icon, the hour class starts and stops but no program opens. I removed superantispyware and tried to reinstall and it will not install. It comes up with " an error has occurred in superantispyware and needs to be closed". I ran ad-aware w/o updating and pulled out 79 objects and removed them. Ran avg w/o updating and it came back clean. Downloaded and ran stinger. Clean result. Internet seems to be working well. I tried to do a system restore to 12/24, the last day it worked well. Will not do it. No other dates availabe to restore.This is an update to my previous post. Internet is not working well. Can't open several sites because the sites I am trying to access are being hijacked by marketing sites and either go to "page not found" or "error opening the page". He is on IE8 Beta. Can't run Hijack this either. Tried friefox and a few sites that wouldn't work in IE worked in Firefox but not all sites.How do I get this moved to Malware, Viruses form?I have come across this variant before..

It appears to block the sites that are known anti-virus/spyware and will not let you download updates because it is blocking the host.

Here's what I did:

Managed to access the AVG site through a 'cached' google page.

and I found I could download using this direct link if I 'saved as'
http://www.avg.com/filedir/inst/avg_free_stf_en_8_176a1400.exe

then I had to get an update file using another machine and then use a USB stick to transfer it over (dangerous I know)

But that is what worked for me

By the way this wasn't my own machine either, it was while I was working in a computer repair shop.

My son rcently added the ARES P2P software and afterward STARTED having adjsted backgrounds and un able to get to the internet. We had AVG 7 free addition AV up and running, did some research and found that its no longer really supported so was looking for a suite APPLICATION and installed the http://www.sunbeltsoftware.com/Home-Home-Office/VIPRE/. It initially found the

trojan.fakealert c:\windows\system32\sbwltbxa.exe
trohan.Vxgame.CWS-hijacker c:\windows\system32\ahtn.htm
c:\windows\system32\warning.gif

it quarentined them but the next SCAN found the same thing. So I followed the advice and attached the logs.

So i was hoping someone COULD help me with this as the software i installed with directions found so many other things wrong or potentially harmful, also could someone suggest a good anti virus/ malware firewall suite that is a reliable suite.

Thanks in advance

Dan

[attachment deleted by admin]

Was thinking I was done with all this crap but,I let my friend use my PC when I was asleep.
And I guess my AVG running was not a enough for his adult sites...
Anyway...Did all the steps in order.
Here are my logs.


[attachment deleted by admin]Also Something pops up saying 'C:/WINDOWS/system32/zanamalo.dll' Error when I restart.
And I can not access some sites.(ie: when I did a search for "zanamalo" )
Here is a log for ComboFix I ran as well.


[attachment deleted by admin]Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]KillAll::

File::
c:\windows\system32\bzklha.dll
c:\windows\system32\nozigita.dll
c:\windows\system32\momayabe.dll
c:\windows\system32\pmnmnOhI.dll
c:\windows\system32\zanamalo.dll

Registry::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not click ComboFix's window while it is running. That may cause your system to freezeHere is my new log.
Thanks for the help.

[attachment deleted by admin]Open up HijackThis and run another scan. If you find these entries, place checkmarks next to them:

O2 - BHO: (no name) - {79616925-01c5-4661-a9c8-7bc01833ca57} - C:\WINDOWS\system32\momayabe.dll (file missing)
O2 - BHO: (no name) - {B41AEA4D-CCB2-4B91-9DDF-86B5245E326A} - C:\WINDOWS\system32\pmnmnOhI.dll (file missing)

O4 - HKLM\..\Run: [yemuserihi] Rundll32.exe "C:\WINDOWS\system32\zanamalo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [yemuserihi] Rundll32.exe "C:\WINDOWS\system32\zanamalo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yemuserihi] Rundll32.exe "C:\WINDOWS\system32\zanamalo.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: avgrsstx.dll bzklha.dll crzhlv.dll C:\WINDOWS\system32\nagadogu.dll c:\windows\system32\nozigita.dll

Close all other windows (including this one) and click on Fix CHECKED. Then run another scan with HijackThis and post the new log here.None of the above there.-No Pop-pops but,still showing some Vundo crap on Search and destroy.
Here is the log.

[attachment deleted by admin]I don't see anything malicious in this new log. Perhaps you should try ComboFix again (and post a new log). Can you post a log from Spybot - Search & Destroy? Perhaps it is merely finding BACKUPS or quarantined files...

Thanks to everyone for the posts and help with these symptoms. I had ALL of the following on my machine:
1) Weird sounds playing from ads, without me even on the internet
2) Internet browser windows linking to inexplicable pages, unprompted by anything
3) Extreme Slowness
4) On reboot Windows would often freeze up on the Windows XP or Welcome screen.
5) "Antivirus 2009" garbage
6) All helpful antispyware software blocked from downloading, updating, INSTALLING, etc.
7) Websites such as microsoft.com and avg.com won't load.
System Restore capabilities were impacted and lost.

With extreme patience, a different internet connection, a zip drive, and lots of luck I was able to walk through the "Malware Removal Guide". Step "A" was the hardest - I needed to manually UPDATE my existing AVG, scan & remove, then uninstall. I then had luck with the Avast! but only after the AVG quarantined some things and was uninstalled - I could tell it was not working properly. Then after the Avast! software scanned and did its thing, CCleaner and SAS worked. Then MBAM would work after the SAS scan. After COMPLETING the steps (IN ORDER ONLY) my machine seems to be running normally, but I wanted to post my logs for the experts to be sure to catch anything that is still hanging. I'd guess with these viruses I'm not out of the woods yet even with no visible symptoms right now. Thanks to the pros for your help, and thanks in advance for reviewing my logs. Everyone hang in there, and I hope I can help someone.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/07/2008 at 11:29 PM

Application Version : 4.22.1014

Core Rules Database Version : 3665
Trace Rules Database Version: 1645

Scan type : Complete Scan
Total Scan Time : 01:29:36

Memory items scanned : 355
Memory threats detected : 1
Registry items scanned : 13055
Registry threats detected : 172
File items scanned : 83040
File threats detected : 52

Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\RROZXE.DLL
C:\WINDOWS\SYSTEM32\RROZXE.DLL
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2322F83-BFE6-481A-8423-8FE206FF26BC}

Adware.Mirar/NetNucleus
HKLM\Software\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Version
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#BuildName
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Affiliate
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Show3X
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#ShowType
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#PopupCount
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#BlockEnable
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Ticket
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#WalkThrough
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\TypeLib
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0\win32
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\FLAGS
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\HELPDIR
C:\WINDOWS\SYSTEM32\WINNB55.DLL
HKLM\Software\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\TypeLib
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid32
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib#Version
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib#Version
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib#Version
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}#UninstallString

Trojan.Vundo-Variant/NextGen-Six
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2322f83-bfe6-481a-8423-8fe206ff26bc}
HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC}
HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC}\InprocServer32
HKCR\CLSID\{E2322F83-BFE6-481A-8423-8FE206FF26BC}\InprocServer32#ThreadingModel

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-1220945662-746137067-839522115-1007\SOFTWARE\FunWebProducts

Trojan.DNSChanger-Codec
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Software\GetModule

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\lxkfqn.dll#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CPS
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\contim
HKLM\SOFTWARE\Microsoft\contim#SysShell
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\MS Track System#Shows
HKLM\SOFTWARE\Microsoft\MS Track System#Uqs
HKLM\SOFTWARE\Microsoft\MS Track System#Click1
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N
C:\WINDOWS\SYSTEM32\NQTWA.INI2

Rogue.XP AntiSpyware 2009
HKU\S-1-5-21-1220945662-746137067-839522115-1007\Control Panel\don't load#wscui.cpl [ No ]

Trojan.Downloader-Gen
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ brastk.exe ]

Trojan.Fake-Alert
C:\Documents and Settings\Melissa\Application Data\gadcom

Rogue.Component/Trace
HKLM\Software\Microsoft\40ADE431
HKLM\Software\Microsoft\40ADE431#40ade431
HKLM\Software\Microsoft\40ADE431#40ad49b1
HKLM\Software\Microsoft\40ADE431#40ad2054
HKLM\Software\Microsoft\40ADE431#Version

Rogue.AntiVirusPro2009
HKLM\Software\AntivirusPro2009
HKLM\Software\AntivirusPro2009#info

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-1220945662-746137067-839522115-1007\SOFTWARE\Microsoft\fias4013
C:\WINDOWS\system32\TDSSfpmp.dll

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS#build
HKLM\SOFTWARE\TDSS#type
HKLM\SOFTWARE\TDSS#affid
HKLM\SOFTWARE\TDSS#subid
HKLM\SOFTWARE\TDSS#cmddelay
HKLM\SOFTWARE\TDSS#serversdown
HKLM\SOFTWARE\TDSS\connections
HKLM\SOFTWARE\TDSS\connections#2a4fe91c
HKLM\SOFTWARE\TDSS\connections#87214514
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#trsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewpointService.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewMgr.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySweeper.exe
HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySub.exe
HKLM\SOFTWARE\TDSS\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\TDSS\disallowed#XoftSpy.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyEraser.exe
HKLM\SOFTWARE\TDSS\disallowed#combofix.exe
HKLM\SOFTWARE\TDSS\disallowed#otscanit.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\TDSS\disallowed#otmoveit2.exe
HKLM\SOFTWARE\TDSS\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\TDSS\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\TDSS\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#cbo_setup.exe
HKLM\SOFTWARE\TDSS\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\TDSS\disallowed#rminstall.exe
HKLM\SOFTWARE\TDSS\disallowed#sdsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\TDSS\disallowed#daft.exe
HKLM\SOFTWARE\TDSS\disallowed#gmer.exe
HKLM\SOFTWARE\TDSS\disallowed#catchme.exe
HKLM\SOFTWARE\TDSS\disallowed#mcpr.exe
HKLM\SOFTWARE\TDSS\disallowed#sdfix.exe
HKLM\SOFTWARE\TDSS\disallowed#hjtinstall.exe
HKLM\SOFTWARE\TDSS\disallowed#fixpolicies.exe
HKLM\SOFTWARE\TDSS\disallowed#emergencyutil.exe
HKLM\SOFTWARE\TDSS\disallowed#techweb.exe
HKLM\SOFTWARE\TDSS\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe
HKLM\SOFTWARE\TDSS\disallowed#spybotsd.exe
HKLM\SOFTWARE\TDSS\injector
HKLM\SOFTWARE\TDSS\injector#*
HKLM\SOFTWARE\TDSS\versions
HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init
HKLM\SOFTWARE\TDSS\versions#/tdss/crcmds/init
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#affid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#subid
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#control
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#prov
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#googleadserver
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata#flagged

Adware.Tracking Cookie
www.countryfinancial.com [ C:\Documents and Settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\cookies.txt ]
www.countryfinancial.com [ C:\Documents and Settings\Melissa\Application Data\Mozilla\Firefox\Profiles\c95nf8gi.default\cookies.txt ]
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt

Trojan.Fake-Drop/Gen
C:\WINDOWS\SYSTEM32\MSVBVM31.DLL

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\TDSSOSVN.DAT
C:\WINDOWS\SYSTEM32\WNSCPICOMSV32.EXE

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSTHYM.LOG
C:\WINDOWS\SYSTEM32\TDSSTKDV.LOG

============================
Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 2

12/8/2008 9:46:42 PM
mbam-log-2008-12-08 (21-46-42).txt

Scan type: Quick Scan
Objects scanned: 74673
Time elapsed: 10 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40adf6bf (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Melissa\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Melissa\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melissa\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melissa\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.

Please find the attached files for other logs.

Thanks Again for your help.

[Saving space - attachment deleted by admin]Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/151585130/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

• Double click SDFix.exe and it will extract the files to %systemdrive%
  
• (this is the drive that contains the Windows Directory, typically C:\SDFix).
  
• DO NOT use it just yet.

• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
  
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  
• Copy and paste the contents of the results file Report.txt in your next reply.

• Double-click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it yourself.

I think its attaching itself to my video drivers , because ad-aware found it , and as soon as i deleted it from my system , i rebooted and i had no drivers installed .......

Ive done a few scans , ad-aware and combo fix.

Every time i reinstall the new drivers it comes back.

Hi jack this LOG attached

I know i don't have any anti virus installed , mainly because it lags up my system , i do install anti virus programs once a week to SCAN the computer.

If you want some safe mode logs just ask.

[Saving space - attachment deleted by admin]do you have spybot I think you should be fine after that I ran it a few times an pulled some SERIOUSLY dangerous stuff out.I thought a worm was a virus , and i also thought spybot was for spyware and addware. It is but look at the beging of your nasty its a type of maleware worm I suppose. But I do recall SEEING that scan for them during the spybot scans.Or, here is an idea- try DOWNLOADING a fresh Driver from the manufacturers page.thats another possiblty considering yours mite be outdated or need it.Its one of the latest and it was originally downloaded from the manufactures page.

Just done a few more scans in safe mode.

Macfee was still installed on my system according to hijackthis so i removed , even though i had uninstalled it.



so your good then?

Quote

I could not get a couple of the players updated

Virus? Don't worry - avoid Royal Hospital.
The had an attack on thousands of PCs in Landon. PROBLEM ADMITTING
people while system was down - for days.
Here in the USA we don't have to worry. RIGHT? For sure our private hospitals must be using the very best AV - Right?
Hey! I am JOKING!
READ This:
http://www.pcworld.com/businesscenter/article/154691/london_hospitals_almost_back_online_after_worm_infection.html
Wanna grues what AV software there were using?
Tell me this will NEVER happen again.
This sort of thing happens now and then. Flash drives are very convenient, but are creating huge problems for some companies. I read that some offices have out right banned them from being brought to work.

please help. i NEED VISUAL basic source CODE for the ANTIVIRUS i am currently developing.

hi i recentlly got a virus on my computer an i desperatlly need to get rid of it. i have followed all the steps befor posting this TOPIC. any help would be great. thanks. xavier20

[Saving space - attachment deleted by admin]Appart from VUNDO, which appears to be quarantined in one of your mbam logs I didn't see anything out of the norm. To make sure Vundo still isn't an issue try downloading and installing Vundofix at the below link and running it.

http://vundofix.atribune.org/

* I also noticed that your Hijackthis log is DATED in the year 2001 make sure your computers date is properly set. If so RERUN the log and see if the proper date is shown at the top.

Hey, wait a sec.
Just WHAT do you see that bothers you?
Is the system slow? Are programs not working? Does anything hang? Does task manager show heavy activity for no reason? If not, and given the AV programs say nothing, what is the issue?
Can you try this? Restart in Safe mode. At the command prompt invoke the CHKDSK program without any options. Let's see if there is anything odd about the hard drive drive file system.
There are 1600 people looking at this thread. Curious minds want to know.
What is wrong with your system? Why do you think is is Malware? How do you know it is not the common COLD? Quote from: Geek-9pm on December 02, 2008, 11:00:10 PM

Hey, wait a sec.
Just WHAT do you see that bothers you?
Is the system slow? Are programs not working? Does anything hang? Does task manager show heavy activity for no reason? If not, and given the AV programs say nothing, what is the issue?
Can you try this? Restart in Safe mode. At the command prompt invoke the CHKDSK program without any options. Let's see if there is anything odd about the hard drive drive file system.
There are 1600 people looking at this thread. Curious minds want to know.
What is wrong with your system? Why do you think is is Malware? How do you know it is not the common COLD?

Quote

Now that you're all fixed you may also want to consider UPDATING Windows to SP3 as well.

This is actually very puzzling. You have an odd case of malware and I'm having a TOUGH time pinpointing it. A good challenge....

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]:Processes
explorer.exe

:files
C:\DOCUME~1\CARLDA~1\My Documents\My Music\J-M\11 Time To Check My Crackhouse.wma
C:\Documents and Settings\All Users\Application Data\SecTaskMan
C:\DOCUME~1\CARLDA~1\APPLIC~1\Dcads Advanced Toolbar

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.Got it. One question though, why the song about the crackhouse? I've never heard that song before
Do you think Llimewire would have anything to do with any of this?

[Saving space - ATTACHMENT deleted by admin]Quote

Do you think Llimewire would have anything to do with any of this?

• Double-click on drweb-cureit.exe and then click Start.
  
• An Express Scan of your PC notice will appear.
  
• Under Start the Express Scan Now Click OK to start.
  • This is a short scan that will scan the files currently running in memory.
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
  
• Choose the Scan tab and UNcheck Heuristic analysis and click OK
  
• Back at the main window, select the Complete scan button.
  
• Then click the Green Arrow Start Scanning button on the right and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit.

• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

• After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  
• Copy and paste that log in the next reply

• Under Main: Select Files to Delete choose: Select All.
  
• Click the Empty Selected button.
  
• If you use Firefox browser click Firefox at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• If you use Opera browser click Opera at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• Click Exit on the Main menu to close the program.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it yourself.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to REMOVE all previous restore points except the newly created clean one.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Okay, going to try the next step. I did GO to the Java website and found the error message I had been getting, 1500 error message. It said that this could be because of an earlier installation that had been aborted before it was finished and to install microsoft installation clean up utility to clean it but when I try to install it I get the same message and can't install. Hope this next step works.Okay, I went to Java and found the error message I had been getting... 1500 error message. It said that this is most likely caused be an earlier installation of a program that was aborted before installation was completed. It said to install Microsoft installation clean up utility and run it but when I try to install it I get the same message. I'm going to try the next step but probably won't get to it tonight. I'm burned out. I'll try tomorrow. Thanks again for all of your help.Quote from: evilfantasy on December 02, 2008, 04:12:53 PM

.js is a Java file. What version of Java do you have installed? The most recent is Sun Java Runtime Environment 6 Update 11 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

You might also check with the Secunia Online Software Inspector to make sure nothing is out of date. http://secunia.com/vulnerability_scanning/online/

Evil, just finished the last steps... everything seems back to normal... Thankyou so much, you and this site are GREAT!!! What do you THINK about MCAFEE?? should i remove it and go with something ELSE?

thanks again!! McAfee is as good as anything else as long as you are wise about what you do on the INTERNET.

I am frustrated.... Here is what i have.. windows xp home.. it is an HP. laptop. i have not EVEN used a quarter of it yet... now here is the troubles... i can not get any of my virus programs to connect to the internet to update.. i am using AVG free edition... i also have Malwarebytes it wont even run now. and i can not get it to uninstall to reinstall it.. i just installed AntiVirPE Classic and it found one trojian.. i deleated a bunch of files from the other owner and i can not get his profile of the system. i TRIED to get the system to run the defrag and that wont run..last nigh i was surfing and my searches were being hijacked to jump and MAXIUM.. i closed the windows before they got there. i dont use internet explorer.. i am using firefox. oh yea.. many of my windows come up with the "cant find window" Can Any one help?
Lady
You said 'other owner'. How long have you had this laptop?Since Aug.Still trying to download something to help me... i get this:

Failed to Connect

Firefox can't establish a connection to the server at download.microsoft.com.

Though the site seems valid, the browser was unable to establish a connection.

* Could the site be temporarily unavailable? Try again later.
* Are you unable to browse other sites? Check the computer's network connection.
* Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.

i have no fire wall on i am using sprint broad band to connect and i didnt start havin all these problems till just the other dayWired connection or wireless ?
Are you using a router ?
Was the account you were trying to rid yourself of an Admin account ?

If router unplug it for 30 seconds and plug it back in.
Wait at least 3 minutes before trying to connect.
Do the same with the modem ...again waiting the appropiate time.
Re-boot the laptop as well.I am wireless.. well sort of the device connects to my computer but not to a router or the wall... like on the go sprint.. any where i got phone service i got computer service..
and yes it was a admin account...i did just get mcaffey stinger to download and it found 4 trojan downloaders UA.
I dont like this can some one help me??
LadySince it's second-hand computer, it may be severely infected (judging from your description.
If I were you, I'd go for clean install of Windows. I dont have that option. I dont have the disks for windows. and everything was fine up till monday.. no virus spyware anything..is their anything else i can do???See, if you can connect in Safe Mode with Networking.
But....I'm afraid, you're gonna need Windows CD anyway.ok i have antivirus 2009 on my system i have found that much out..... it appears to be a very powerful spyware.. i can google it and i see where it says how to uninstall it.. ut i click on it and i get taken else where..You have connection issues and now infection issues...which one first ? ?

Let's Start Here

Follow the instructions and post your logs and one of our Resident Malware Experts will be along shortly...I canot load up the pages you said to on your sight... And no it is not a xp problem that I need to reinstall windows... It only shuts down the anit virus, anti spyware windows. I can search every where else... It is smart.. I had on my system malware bytes and it stops it from running.. spybot again stopped it. malware byter.. again stopped it.. I have been to cnet and trying to download their spyware programs... It either wont let me connect to the sight or stops the program from running... I tell ya this one has got me stumped...
Lady

I do not give malware removal advice as i am not qualified to do so...
However that being said i was able to get rid of this recently using 2 tools.
So here's what i suggest:
On another machine Travel Here and print these instructions out.
DLoad a fresh copy of MalwareBytes and Hijack this from the instructions and put them on a flash drive.
Then follow the instructions on the infected machine and when finished post a fresh Hijack this log in the Virus and Spyware section here so they can see if you need further assistance.If you do a "System Restore" choosing "one check point" before your computer had been infected, might help your computer from those spyware. When you done with the "system restore" go to "safe mode" and delete the infected file if you know where it is.

can anyone tell why my brother 's yahoo's nick was hacked, he said that his yahoo' nick was unable to sign in but can sign in with the other? so how can people hack his previously nick
thank youYahoo account hacked? I doubt it.
Can he log onto his Yahoo Email?no, he cant log onto his email, could it be happen if he surfs those WEBSITES with virus but he didnt know while using yahoo messenger?
cheersNot sure if it really works like that. It would have to work from inside the computer.

What Antivirus do you have?

I still doubt a virus caused this though.

Has he entered his email and password on other websites or maybe someone saw his password when he typed it in?the anti-virus is kaspersky 7 at that MOMENT, i am pretty sure that there was no one saw him typing the password and not stupid enough to enter the password in the other website, so what any other reason that that yahoo nick being hacked?
taYou can loose accounts if you allow someone else access to your computer, saved you password on your computer or on another computer (by clicking 'Remember Me' or something SIMILAR) or someone guessed your recovery question.

If someone has had access to the computer, they could have run a password recovery program (there are many many many of them out there) to find your password.

I can tell you that the chance of this being a result of someone hacking into the account is very low.

Actually....may I ask exactly what you mean when you saying 'hacked'? well, i think "hacked" account mean someone STEAL my account, is it?
can u tell me what program can hack account as u said above
well, i think for you and patio or other good at computer people , u can usually hack my account, just like , u provide me a link (with virus inside) and then i enter the web hence the virus will spread to my computer and then u can get access to my computer and use some hack program to hack my account
am i CORRECT? it 's based on my computer experience heard from outside, please amend me if i am wrong
thank you very much

How do I BLOCK ADS that COME from the INTERNET PROTOCAL 127.0.0.1

thanks
collegecaseUmmm....what?

I have a SONY VAIO with windows vista. I bought the lap top less than a year AGO, brand new.

Lately I haven't be able to log on to my profile (admin). I have a guest profile and I can log in that one with no problem. Today decided to go in under safe MODE and that was succesful. I then took off the password and restarted. When i tried to log on again, it gave the same error message. I then went in under the guest profile and downloaded hijackthis.

Problem now is that I don't know what the log means and i'm not sure where to go from here. Please please help me.Go ahead and post it.

What is the error message though?

i just need links to safe download sites, virus download sites, and virus scan sites so i can do a massave RESEARCH on anti-viruses and ect.

on the virus download sites they need to have a code so i can stop the virus
the soul pourpus of this is to give people the best anti virus care in related of thiere ishues

on the downlaod sited they need to have a user review and rateings that can go half star, and also the site has to be virus free on everything you download.

i need your help.

the database will be updated frequently.

and also i need a database on major antivirus companysCan't you GOOGLE?

I'll get you started:
http://www.symantec.com/security_response/index.jsp
Choose one of the options

Example of what you can get:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-120308-3556-99

Also, there is no place to get all viruses. What WOULD be the PURPOSE of that.
Any such site would most likely be taken down.It's actually really easy to get viruses. simply DISABLE all firewalls and anti-virus software, then place your computer's IP in the "demilitarized Zone" of the router. problem solved.