InterviewSolution
4101. Solve : Need help with installing AVG 8.5?

Answer» Hi everyone,
4102. Solve : Better but not quite right?

Answer» Hi Folks,

Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Mon 03/23/2009
The current time is: 22:40:41.37

bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

Well it looks like ComboFix took care of them for us. How is the computer running now?

excellent...like brand new....you really know your stuff...what's next?

You can delete FindAWF.
----------
Use the ESET Online Scanner. This scanner requires Internet Explorer.
1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the ActiveX control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

Looks like it found a few...what next?

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3958 (20090324)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=bc70ec8159f4504386a8da0ab6bf52f5
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-25 01:52:19
# local_time=2009-03-24 09:52:19 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=330204
# found=7
# scan_time=3611
C:\Documents and Settings\aBi\Application Data\tizupd.bin	a variant of Win32/Adware.MediaTickets application	(deleted)	00000000000000000000000000000000
C:\Documents and Settings\aBi\Application Data\tizupd.bin »NSIS »Mshtml3.exe	a variant of Win32/Adware.MediaTickets application	(error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)	00000000000000000000000000000000
C:\Documents and Settings\Administrator\Desktop\catchme.zip	Win32/Delf.NFO trojan	(deleted)	00000000000000000000000000000000
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »btukkskc.sys	Win32/Delf.NFO trojan	(error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)	00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAutoitD.zip	Win32/Bagle.gen.zip worm	(unable to clean - deleted)	00000000000000000000000000000000
C:\Documents and Settings\William Flynn\Application Data\tizupd.bin	a variant of Win32/Adware.MediaTickets application	(deleted)	00000000000000000000000000000000
C:\Documents and Settings\William Flynn\Application Data\tizupd.bin »NSIS »Mshtml3.exe	a variant of Win32/Adware.MediaTickets application	(error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)	00000000000000000000000000000000

That's not bad. Everything was either already quarantined or some low level adware. Time to finish up.

Use the Secunia Software Inspector to check for out-of-date software.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

I think we're lookin' pretty good here evilfantasy. I took care of the last chores and things are running extremely well. I would like to donate so if you can direct me there I would appreciate it. Thank you for all you've done, thank you for a "humanitarian" activity. Keep up the fight.
flinee

4103. Solve : W32.SillyFDC?

Answer» Hi,

A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt

Many thanks indeed for your help evilfantasy, here is the log:
You are going to have to remove the cracks before I can continue helping.

Download the OTMoveIt3 by OldTimer
Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.
* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe
:services
:reg
:files
C:\DOCUME~1\PETERE~1\Favorites\SpyHunter Security Suite v3.4.9+Crack-HeartBug (download torrent) - TPB.url
C:\DOCUME~1\PETERE~1\My Documents\Software\Corel.Paint.Shop.Pro.Photo.XI.v11.0.Incl.Keygen-SSG
C:\DOCUME~1\PETERE~1\My Documents\Software\Total Recorder 4.2 Pro. with crack.Sfx.exe
C:\DOCUME~1\PETERE~1\My Documents\Software\Total Recorder 4.3 + Keygen.exe
C:\DOCUME~1\PETERE~1\My Documents\Software\Total_Recorder_v4.x_Generic_Crack.zip
C:\DOCUME~1\PETERE~1\My Documents\Software\Corel.Paint.Shop.Pro.Photo.XI.v11.0.Incl.Keygen-SSG\keygen.exe
C:\DOCUME~1\PETERE~1\My Documents\Software\Corel.Paint.Shop.Pro.Photo.XI.v11.0.Incl.Keygen-SSG\setup.exe
C:\DOCUME~1\PETERE~1\My Documents\Software\Corel.Paint.Shop.Pro.Photo.XI.v11.0.Incl.Keygen-SSG\ssg.nfo
C:\DOCUME~1\PETERE~1\My Documents\Software\Corel.Paint.Shop.Pro.Photo.XI.v11.0.Incl.Keygen-SSG\Torrent downloaded from Demonoid.com.txt
:Commands
[purity]
[emptytemp]
[start explorer]
[REBOOT]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

Here it is evilfantasy (after reboot)...

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\DOCUME~1\PETERE~1\Favorites\SpyHunter Security Suite v3.4.9+Crack-HeartBug (download torrent) - TPB.url not found.
C:\DOCUME~1\PETERE~1\My Documents\Software\Corel.Paint.Shop.Pro.Photo.XI.v11.0.Incl.Keygen-SSG moved successfully.
C:\DOCUME~1\PETERE~1\My Documents\Software\Total Recorder 4.2 Pro. with crack.Sfx.exe moved successfully.
C:\DOCUME~1\PETERE~1\My Documents\Software\Total Recorder 4.3 + Keygen.exe moved successfully.
C:\DOCUME~1\PETERE~1\My Documents\Software\Total_Recorder_v4.x_Generic_Crack.zip moved successfully.
File/Folder C:\DOCUME~1\PETERE~1\My Documents\Software\Corel.Paint.Shop.Pro.Photo.XI.v11.0.Incl.Keygen-SSG\keygen.exe not found.
File/Folder C:\DOCUME~1\PETERE~1\My Documents\Software\Corel.Paint.Shop.Pro.Photo.XI.v11.0.Incl.Keygen-SSG\setup.exe not found.
File/Folder C:\DOCUME~1\PETERE~1\My Documents\Software\Corel.Paint.Shop.Pro.Photo.XI.v11.0.Incl.Keygen-SSG\ssg.nfo not found.
File/Folder C:\DOCUME~1\PETERE~1\My Documents\Software\Corel.Paint.Shop.Pro.Photo.XI.v11.0.Incl.Keygen-SSG\Torrent downloaded from Demonoid.com.txt not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\PETERE~1\LOCALS~1\Temp\Perflib_Perfdata_844.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\PETERE~1\LOCALS~1\Temp\~DFA191.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\PETERE~1\LOCALS~1\Temp\~DFA1A4.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6b0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03272009_170508

Files moved on Reboot...
File C:\DOCUME~1\PETERE~1\LOCALS~1\Temp\Perflib_Perfdata_844.dat not found!
File C:\DOCUME~1\PETERE~1\LOCALS~1\Temp\~DFA191.tmp not found!
File C:\DOCUME~1\PETERE~1\LOCALS~1\Temp\~DFA1A4.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_6b0.dat moved successfully.

Thank you.

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.
Double click LopSD.exe - If you are using Windows Vista, right-click on the LopSD icon and select Run as administrator to perform this scan.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix

Hi evilfantasy (and many thanks again for all this!), here are the logs:
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088] "DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-02-01 2645528] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-04 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016] "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696] "Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2007-04-10 1537640] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-21 148888] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-05-11 441120] c:\documents and settings\Peter\Start Menu\Programs\Startup\ Creative Element Power Tools Startup.lnk - c:\program files\Creative Element Power Tools\Startup.exe [2009-03-18 257192] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Nike+ Utility.lnk - c:\program files\Nike+ Utility\Nike+ Utility.exe [2008-04-30 1228800] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "mixer"= DrvTrNTm.dll "wave"= DrvTrNTm.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O] --a------ 2005-05-11 02:46 200069 c:\program files\Syncrosoft\POS\H2O\cledx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5200 series] --a------ 2004-06-04 09:58 57344 c:\program files\Lexmark 5200 Series\lxbtbmgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0] --a------ 2007-04-10 12:01 1537640 c:\program files\Norton Ghost\Agent\GhostTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] --a------ 2007-08-07 00:05 200704 c:\program files\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2009-01-04 13:09 39408 c:\program 
files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler] --a------ 2003-05-08 23:27 81920 c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC] --a------ 2007-10-22 10:13 9438488 c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "14709:TCP"= 14709:TCP:BitComet 14709 TCP "14709:UDP"= 14709:UDP:BitComet 14709 UDP R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944] R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [2009-02-01 1386008] R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-01-25 33792] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec 
Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936] S3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\MA763010.sys [2009-01-24 30848] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408] --- Other Services/Drivers In Memory --- *NewlyCreated* - COMHOST . Contents of the 'Scheduled Tasks' folder 2009-03-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [] 2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2009-03-21 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Peter.job - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-23 12:13] 2009-03-16 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-10-22 10:13] 2009-02-14 c:\windows\Tasks\Uniblue SpeedUpMyPC.job - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-10-22 10:13] . - - - - ORPHANS REMOVED - - - - MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www.hotmail.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 . 
************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-27 18:26:12 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc] "ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}] @Denied: (A 2 3) (Everyone) [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}\InProcServer32] @="%SystemRoot%\\Explorer.exe" "ThreadingModel"="Apartment" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}\ProgID] @="DAO.Client" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}\TypeLib] @="{C8618CE4-0468-2079-8336-66696B6B6E75}" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(752) c:\program files\SUPERAntiSpyware\SASWINLO.dll . ------------------------ Other Running Processes ------------------------ . 
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE c:\program files\Common Files\Symantec Shared\CCPROXY.EXE c:\program files\Common Files\Symantec Shared\SNDSrvc.exe c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\M-Audio Fast Track\GBInst.exe c:\windows\system32\gearsec.exe c:\program files\Norton Ghost\Agent\VProSvc.exe c:\windows\system32\nvsvc32.exe c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE . ************************************************************************** . Completion time: 2009-03-27 18:29:57 - machine was rebooted ComboFix-quarantined-files.txt 2009-03-27 18:29:54 Pre-Run: 41,062,494,208 bytes free Post-Run: 41,076,527,104 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn 292--- E O F ---2009-03-11 07:42:39 -------------------\\ Cracks & Keygens .. I'm not going to insist you remove this but do be aware that probable over 75% of cracks contain some form of malware and is likely the source of your problems. The people who host these are CROOKS. How can you trust them? Unistall LOP S&D Click START then RUN Now type C:\Lop SD\Uninstal.exe in the runbox. Then click OK. ----------
---------- Use the Kaspersky Lab Online Scanner. In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.
There is no option to clean/disinfect, however, we need to analyze the information on the report. To obtain the report: Click on: Save Report As
Copy and paste the Kaspersky Online Scanner Report in your next reply. Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Hi evilfantasy, yes I'll happily remove that crack file! And here is the Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 28, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 28, 2009 08:21:47
Records in database: 1980471
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer: A:\ C:\ E:\
Scan statistics:
Files scanned: 54191
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:24:33
File name / Threat name / Threats count
C:\Documents and Settings\Peter\Local Settings\Application Data\Identities\{2294E92E-64C5-4AF2-BF01-297EE7005EFE}\Microsoft\Outlook Express\Deleted Items.bak / Infected: Trojan-Spy.HTML.Paylap.fa / 1
C:\Documents and Settings\Peter\Local Settings\Application Data\Identities\{2294E92E-64C5-4AF2-BF01-297EE7005EFE}\Microsoft\Outlook Express\Deleted Items.dbx / Infected: Trojan-Spy.HTML.Paylap.fa / 1
The selected area was scanned.

Empty the Outlook Express deleted items folder. How is the computer running now? You can find free alternatives to almost any software made. This list has some very good picks for all types of software and everything listed in it is 100% free for home use.

Done - and in answer to your question, it runs like a brand new car, but without that new car smell. You sir are a prince among men! (Or if female, the princess thing). Many many thanks!

Quote from: Arbeloa on March 28, 2009, 10:06:10 AM
it runs like a brand new car, but without that new car smell.
Click here

OK, time to finish up. Use the Secunia Software Inspector to check for out of date software.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

All this and a fine smelling computer too - thanks again! |
|
| 4104. |
Solve : Malware/Virus problem? |
Answer» Delete An Uninstall Entry
That should be all.

Thank you for that. I started HijackThis and opened the uninstall manager but could not find "My Way Search Assistant" on the list. My Way Search Assistant is still on the list when I go to Add Remove Programs in Windows, however. It is listed as being used rarely and it shows nothing for file size. Unlike everything else on the list of currently installed programs, when you click My Way Search Assistant to highlight it, you do not see a "Change" or "Remove" button. Any further thoughts? Regards, WJKIV

Download Registry Search by Bobbi Flekman (see the link titled RegSearch Download Link)

I downloaded and ran regsearch.exe and it produced a log in Notepad with the following information:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0
; Results at 3/29/2009 1:16:46 PM for strings:
; 'my way search assistant'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7D449D87B79A4004BAA05BDA60389904]
"ProductName"="My Way Search Assistant"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D449D87B79A4004BAA05BDA60389904\InstallProperties]
"DisplayName"="My Way Search Assistant"
; End Of The Log...
Let me know your thoughts.....thank you! Regards, WJKIV

This should remove them. Go to Start > Run and type notepad.exe then click OK. Copy and paste the below into Notepad and save as fixme.reg to Your Desktop
Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7D449D87B79A4004BAA05BDA60389904]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D449D87B79A4004BAA05BDA60389904\InstallProperties]
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry. Make sure that you tell me if you receive a SUCCESS message about adding the above to the registry. If you do not get a success message, it did not work. Delete the fixme.reg from the Desktop.

Thank you. Okay, I copied the code you sent and saved it in Notepad as fixme.reg. I answered yes and I did indeed receive a message that it was successfully added to the registry. I deleted fixme.reg from the desktop. Regards, WJKIV

That should have gotten rid of the leftovers. Let us know if anything else comes up. Safe surfing...

Well, that seems to have done it, the leftovers are gone! Again, thank you very much for all your time and patience to help me. There is no way I could have cleared this problem on my own. Please know that you are doing a great service and people like myself, who are completely unknown to you out here in cyberspace, really do appreciate what you're doing. It's nice to know that there are people like you who selflessly seek to do good to help protect those of us from people who seek to do wrong. I hope to soon follow your example. God bless you and thank you. Keep up the good work! Regards, WJKIV |
|
| 4105. |
Solve : Task manager deleting? |
|
Answer» In the Task Manager there's a Windows item running, WgaTray.exe. |
|
| 4106. |
Solve : SUPER antispyware - can I run it alongside AVG Antivirus? |
|
Answer» Hello, I joined today because I needed to get rid of a Trojan and I used the advice in your forums. As instructed I downloaded and ran SUPERAnti-spyware and fingers crossed it has detected and sorted the problem. My question is this. Is it okay to have SUPERanti-spyware and AVG running at the same time on my PC? Thank you, Sol

If you are using the free version of SAS then it offers no real time protection and adjusting the settings in the guide will ensure it does not run at startup. AVG and SAS will run along with each other as long as you are using the free version of AVG. The paid version of AVG has antispyware protection and just like antivirus and firewalls you only want to run one at a time.
1 antivirus
1 firewall
1 real time antispyware
You can have multiple antispyware software installed and run them as needed.

Thank you for your speedy reply, it's set my mind at rest. This site is awesome!!! Sol |
|
| 4107. |
Solve : noob needs some help please? |
|
Answer» ok here we go. |
|
| 4108. |
Solve : ntsokrnl infected with trojan? |
|
Answer» OK looks good.
. The above procedure will:
---------- Use the Secunia Software Inspector to check for out of date software.
---------- Go to Microsoft Windows Update and get all critical updates.
---------- I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Ever since I got done with the malware and rootkit removal I can't seem to be able to play my DVDs on my system. Could the removal process have caused that?

Please start a new topic in the Windows forum for suggestions on that. |
|
| 4109. |
Solve : microsoft visual c + + runtime library? |
|
Answer» As above, I did before I ran the scan, as I always do with them all. Harry

So I'm now confused.

Sorry, I use the 4 to scan every 5/6 days but before I do I update them all, and I would get the pop up from SAS only. I did check a while ago and there are no updates from M/S and just a few from SAS. Harry. PC is working fine by the way.

Everything is back to normal evil, I'm going to have to update more often, thank you, Harry |
|
| 4110. |
Solve : win32/Heur Virus - an SOS message? |
|
Answer» Hi, |
|
| 4111. |
Solve : SMF Malicious script? |
|
Answer» Hello, Very unlikely, though possible. The best way to avoid it is to keep the software up-to-date, which can be done via the Package Manager in the Admin CP.

Denial-of-service attack, also called a DOS Attack.

Quote from: evilfantasy on March 28, 2009, 09:47:56 AM
Denial-of-service attack, also called a DOS Attack.
Well, actually the main concern is SQL injection. Basically entering SQL commands into a text field. If the field has no validation key, entering the right (or wrong) code could simply delete the database. DROP or ALTER. Of course you would need to know the table names, but they aren't too hard to get from the SMF docs.

Quote
a malicious script that can overwhelm the Database?
Could they actually mean server? I think a DOS Attack would be the most likely place to begin investigating.

Quote from: evilfantasy on March 28, 2009, 10:38:32 AM
Could they actually mean server?
Ah, I doubt it. SMF is secure enough to disallow that.

I mean it sounds like the server is being overloaded by a DOS style attack. It's a pretty common way for someone with a grudge against a web site to seek revenge.

Thanks for taking the time to answer KPAC! |
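The SQL injection KPAC describes above, as an added example that is not code from SMF or from the thread: a member lookup that concatenates the text-field value into the statement, beside the parameterised form that is the fix. The members table and its rows are constructed sample data, and the function names are my own.

```python
import sqlite3

# Constructed sample data standing in for a forum's members table.
MEMBERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Create an in-memory database holding the sample members table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER, name TEXT, email TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return con


def find_member_vulnerable(con, name):
    """Builds the statement by string concatenation, so whatever was typed
    into the text field is interpreted as SQL rather than as a value."""
    sql = "SELECT id, name, email FROM members WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def find_member_safe(con, name):
    """Parameterised query: the driver passes the text as data, so quotes
    and keywords inside it can never change the shape of the statement."""
    sql = "SELECT id, name, email FROM members WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both versions on the same text-field input and return row counts."""
    con = make_db()
    try:
        return {
            "vulnerable": len(find_member_vulnerable(con, name)),
            "safe": len(find_member_safe(con, name)),
        }
    finally:
        con.close()


if __name__ == "__main__":
    # An ordinary lookup gives the same answer either way.
    print("bob:", compare("bob"))
    # A quote closes the string early, OR 1=1 makes the filter always true,
    # and the trailing comment marker swallows the quote the code appends:
    # the vulnerable version returns every member, the safe one returns none.
    print("hostile:", compare("x' OR 1=1 --"))
```

The same parameterisation protects against the DROP or ALTER case mentioned above: the driver never lets field content become a statement, whatever the attacker knows about table names.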
|
| 4112. |
Solve : TestBugID1? |
|
Answer» Can anyone advise me please on what to do with this TestBugID1? I don't know what really it is but it actually disabled my YM and some websites from viewing like Yahoo mail, Lycos mail, Facebook and also Gmail........

Why don't you try to scan your browser with a web scanner to see if you have any viruses there. |
|
| 4113. |
Solve : New post of the three logs? |
|
Answer» SUPERAntiSpyware Scan Log |
|
| 4114. |
Solve : Malware possibly causing an application error? |
|
Answer» Hi, |
|
| 4115. |
Solve : Hijack This Laptop Log? |
|
Answer» I'm still unable to connect at the spot when I go to my grandmother's. Wondered if this would help any. Aside from that I always get a low connection because of where I am in the house, but I'm still able to get on despite it. |
|
| 4116. |
Solve : Bad Image errors? |
|
Answer» Hi
Download Alternate download link Note: Vista users must use Run As Administrator
Note that your system will run slower for a reboot or two after having used this tool so don't panic.
---------- Use the Kaspersky Lab Online Scanner. In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.
There is no option to clean/disinfect, however, we need to analyze the information on the report. To obtain the report: Click on: Save Report As
Copy and paste the Kaspersky Online Scanner Report in your next reply. Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Hi, have carried out all from last post, here is result and thanks for your time.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 29, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 29, 2009 19:18:29
Records in database: 1984838
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer: A:\ C:\ D:\ E:\ J:\
Scan statistics:
Files scanned: 113202
Threat name: 2
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 03:50:55
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3B61733D.dll / Infected: Trojan-Downloader.Win32.Zlob.atl / 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4D63248E / Infected: Trojan-Downloader.Win32.Zlob.atp / 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54446DDA.dll / Infected: Trojan-Downloader.Win32.Zlob.atl / 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57756E58.dll / Infected: Trojan-Downloader.Win32.Zlob.atl / 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FBC5F3B.dll / Infected: Trojan-Downloader.Win32.Zlob.atl / 1
The selected area was scanned.

Empty ALL Norton/Symantec Quarantine files.
GUIDE: Removing files from Norton AntiVirus Quarantine
How is the computer running now?

Hi evilfantasy, could not locate files in Norton Quarantine so removed manually, also rebooted, but problems still there. Must admit PC seems to be running a little better after all the scans. I am grateful for all your help, but unless you have any other ideas I guess a new install would be the only option. Great to know there are guys like you to help us lesser mortals.

I don't think it is a malware issue. None of the files listed in the Bad Image error are malicious. You could try running sfc /scannow. Place your XP CD in the CD-ROM drive and follow the instructions below:
Tried your last suggestion and completed scan. Unhappy to say that problems still exist. Would like to thank you for your time and effort in helping to resolve the problem it is most appreciated. I'm not sure what it could be... |
|
| 4117. |
Solve : Trojans and such? |
|
Answer» My parents' computer showed signs of infection yesterday, so I'm trying to clean it up. It sounds similar to recent trojans (SHeur2.gas, etc.) that have been discussed on this forum. It turned the firewall off, turned off automatic updates, wouldn't allow AVG to connect, went to random websites when links were clicked from Google search, pop-ups were galore even with pop-up blocker on, computer was slower than usual, and the list goes on. I followed Disabled TDSSserv.sys (because it would not allow me to download certain apps needed), ran AVG update, went through Add/Remove Programs, ran House Cleaning, ran SUPERAntiSpyware
Open the SDFix folder and double-click RunThis.bat to start the script.
SDFix: Version 1.236
Run by DIANNA on 2009-03-30 at 16:45
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 16:54:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSqhvb.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSqhvb.sys"
"TDSSl"="\systemroot\system32\TDSSkwie.dll"
"tdssservers"="\systemroot\system32\TDSSerat.dat"
"tdssmain"="\systemroot\system32\TDSSkrtj.dll"
"tdsslog"="\systemroot\system32\TDSSpfie.dll"
"tdssadw"="\systemroot\system32\TDSSoowh.dll"
"tdssinit"="\systemroot\system32\TDSSmfjq.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSulhc.dll"
"tdsserrors"="\systemroot\system32\TDSSkhwj.log"
"TDSSproc"="\systemroot\system32\TDSStmrp.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSqhvb.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSqhvb.sys"
"TDSSl"="\systemroot\system32\TDSSkwie.dll"
"tdssservers"="\systemroot\system32\TDSSerat.dat"
"tdssmain"="\systemroot\system32\TDSSkrtj.dll"
"tdsslog"="\systemroot\system32\TDSSpfie.dll"
"tdssadw"="\systemroot\system32\TDSSoowh.dll"
"tdssinit"="\systemroot\system32\TDSSmfjq.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSulhc.dll"
"tdsserrors"="\systemroot\system32\TDSSkhwj.log"
"TDSSproc"="\systemroot\system32\TDSStmrp.log"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="yszsdo.dll,lhaavo.dll,avgrsstx.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"LoadAppInit_DLLs"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\aim\\aim.exe"="C:\\Program Files\\aim\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Disabled:Microsoft (R) HTML Application host"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

Files with Hidden Attributes :

Sun 13 Apr 2008 1,695,232 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 3 Sep 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 25 Mar 2009 9,942,520 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"
Sat 1 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 6 Apr 2004 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Wed 12 Dec 2001 102,400 A..H. --- "C:\Program Files\Common Files\csshare\shell\us\shellext.dll"

Finished!

HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:03, on 2009-03-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/#inbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187882580390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187882561656
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1233358729142&h=e3957e9cb30394e48916270853b9e9da/&filename=jinstall-6u11-windows-i586-jc.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9725 bytes |
|
| 4118. |
Solve : Avast? |
|
Answer» Hello everyone, |
|
| 4119. |
Solve : Will USA move up from second place in Malware servers?? |
|
Answer» Will USA move up from second place in Malware servers? *censored* is a "malware factory"? ... well, they're similar, they both make questionable claims, and then end up doing something negative most of the time... |
|
| 4120. |
Solve : AVG 8.5? |
|
Answer» I keep getting this message from AVG; it doesn't say anything about AVG 8.5 being free. If I click (Install Now) will I be fooled into paying for something I don't want?

Agreed. They try to trick you into the paid version. Too many click here links to get to the free download and they make each one more obscure than the last!

Less run around at MajorGeeks. http://majorgeeks.com/download886.html |
|
| 4121. |
Solve : Spyware, Viruses, etc.? |
|
Answer» Got an instance of the Vundo. I've run through CCleaner, SuperAntiSpyware, and the Anti-Malware. Here are my logs, attached.
---------- Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there)
Important: Close all windows except for HijackThis and then click Fix checked. Exit HijackThis.
----------
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts. When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix

Thanx so much for your help, it's greatly appreciated. I've attached the ComboFix log, let me know how it looks. I'd be more than happy to make a donation for the software and help, let me know where you would prefer I donate. You guys are the best. [attachment deleted by admin]

Please go to VirusTotal.com (If more than one file needs scanned they must be done separately and logs posted for each one)
1. Copy the file path in the below Code box:
c:\windows\system32\melisise.exe
2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Next click Send File
Your file will possibly be entered into a queue which normally takes less than a minute to clear. This will perform a scan across multiple different virus scanning engines.
Important: Wait for all of the scanning engines to complete.
5. Copy and then Paste the link to the results in the next reply.
Also scan this file please and post the link to its results.
c:\\windows\\system32\\notetafa.dll
----------
Please go to Start > Run and copy/paste the following, then press Enter:
C:\QooBox\Add-Remove Programs.txt
A text file should open. Please post the contents of that file in your next reply.

Here is the info. I'll be donating to your site tonight. Worth every penny, again, really appreciate the help.
c:\windows\system32\melisise.exe
http://www.virustotal.com/analisis/84a21b210d86e0ffce2c444256f13c98
c:\windows\system32\notetafa.dll
0 bytes received
From the txt file:
----------
Use the ESET Online Scanner. This scanner requires Internet Explorer.
1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

Here's the log from ESET:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3975 (20090330)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=8e505f341efe5c409b0346d308e28f77
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-30 06:45:32
# local_time=2009-03-30 02:45:32 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=271876
# found=0
# scan_time=3685
And again, many many thanx. Let me know if we need to do anything further.

Looks good. Time to finish up.
Use the Secunia Software Inspector to check for out of date software.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

OK, before I do that, I just had a very strange thing happen. There are 2 accounts on this box, mine, which is Fred, and my son's, which is Alex. I just went in and changed his home page in IE7; after doing that, he re-booted, and the Alex account no longer seems to work. The name of this computer is IONE-amd-ABIT, for the case, CPU and motherboard. Under C:\Documents and Settings, my account is still there, and his old one, for Alex, is still there also. But now there's one called Alex.IONE-amd-ABIT, and when he logs in, that's the one he gets, and all his old settings are gone. Did we do something wrong, and is there any way to fix it so when he logs in, the old Alex account will be the one we access? We haven't done anything since running ComboFix yesterday.

Try a System Restore to when you uninstalled ComboFix. How do I restore Windows XP back to an earlier copy?

Got no restore points. I do remember when I started all this, I got a message somewhere that said the "Recovery console wasn't installed, do I want to install it now?"
I skipped that. Is the recovery console the same as system restore? I thought not.

Quote: Is the recovery console the same as system restore?
No, it's basically a partition which can be used for emergency repairs. You don't need it now. I'm really not sure why the settings "forgot" where they were. I'm also not sure how you would get them back to where they were without manually adjusting them again. I've seen browsers "forget" before but I'm not sure I've seen a profile do this before.

After doing some searches on "corrupt ntuser.dat", it looks like that's what happened. I did an XP repair from the XP SP3 CD, and just moved his old folders to his new identity. All is good. I'm going to do the final Secunia check and make sure all is up to date, and then download the free programs you suggest. Again, I can't thank you enough for your help. This forum is a life saver. I'll be keeping an eye on it in the future, as well as watching out for Conficker. If there's anything else I can do for you, pls let me know. |
|
| 4122. |
Solve : Boot Sector/MBR Infection? |
|
Answer» Is there a free program that can remove boot sector/MBR infections?

Yes there is. You have to make sure it's infected first.

Quote: Yes there is. You have to make sure it's infected first.
That's great. But what do you do when you can't boot into Windows? I can't get into safe mode either. It's XP.

That's most likely not a virus. Not in the MBR anyway. Windows Repair Install?

Quote from: evilfantasy on March 30, 2009, 02:19:30 PM
That's most likely not a virus. Not in the MBR anyway.
It does not see the repair option in Windows Installation.

You can give this a try.
Avira AntiVir Rescue System
* Download the Avira AntiVir Rescue System
* Place a blank CD in your burner and double-click on the downloaded file.
* The program will automatically burn the CD for you.
* Place the burned CD into the affected computer and start the computer with the CD in the CD tray.
* On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
* Click on the Configuration button.
- Select Scan all files
- Select Try to repair infected files and Rename files, if they cannot be removed
- Select Scan for dialers
- Select Scan for joke programs (Jokes)
- Select Scan for games
- Select Scan for spyware (SPR)
* Click on Virus scanner
* Click on Start scanner at the bottom of the screen

Quote from: evilfantasy on March 30, 2009, 04:05:30 PM
You can give this a try.
Umm, it would be great if it was in English and at least 800x600 resolution. |
|
| 4123. |
Solve : My questions...? |
|
Answer» Has anyone ever got a bug in the PC that is saying "WINDOWS INSTALLER"? I bought this PC used for a year, and no expert (acquaintances) has been able to even remember anyone getting this "bug?". |
|
| 4124. |
Solve : stuck at login window? |
|
Answer» I am having a problem getting past my login screen. I type my password and it starts to load, then it says saving your settings, then bammm right back to the login screen....... I am even trying to reinstall 2000; it will not read from the CD even after changing BIOS options....it goes right to the login screen and will not let me pass.

You should not post the same topic in 2 forums.

Sorry, new to this ......I goofed .......just extremely frustrated. Again, sorry. |
|
| 4125. |
Solve : Can you take a look at my Log : )? |
|
Answer» Yes, he could have downloaded something that would make the computer act funny.
---------- Go to http://secunia.com/software_inspector
Please use Panda's NanoScan
Next post Nanoscan log

Ok here is this first: The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Of all the sites I can't load, that Java is one of them.

Try this one. http://java.sun.com/javase/downloads/?intcmp=1281 Go down to the 4th download

Nope. Just a blank screen. It's like it wants to load, but it won't. I just see the little circle going around and around on the bar. I just noticed that on the bottom of my screen on the right side, it says Unknown Zone when I try to load the Java site.

Click here (direct download link) http://filehippo.com/download/f02d30cdfe56c8b0fdae60a597b011cb/download/

Okay, I got onto that site you just posted. There is a yellow bar message on top stating: To help protect your security, IE blocked this site from downloading files to your computer. Click here for options.... What do I do?

Allow it to download.

Is it under Popular Downloads? Java Runtime Environment 1.6.0.4

Java Runtime Environment 1.6.0.4 is the one you want. After it is installed go into add/remove programs and uninstall the old version, it should be Java jre1.5.0_10 (or similar).

Just want to make sure before I start this. I currently have J2SE Runtime Environment 5.0 Update 10 on my programs. This one is out of date? And if it is, don't uninstall it yet, but first download the current one?

Download the current one then delete the J2SE Runtime Environment 5.0 |
|
| 4126. |
Solve : (Flash?) Cookies Problem? |
|
Answer» Hello again, |
|
| 4127. |
Solve : startup virus yoyo? |
|
Answer» help please, when I go to log on I get this error yoyo_ it happens as soon as you hear the hard drive make that noise scratch scratch scratch and the screen is displaying what devices you have. It stops you at your boot sequence and doesn't allow you to go any further when you reboot. At the bottom of the page it has the 'YoYo' emblem where the o's look like sideways 8's.

http://forums.techguy.org/malware-removal-hijackthis-logs/434113-serious-virus-problem-yoyo-1271-a.html
http://discuss.extremetech.com/forums/1/1004304692/ShowThread.aspx

Wow!

ULAMAN says thanks to everybody who helped with my (yoyo) problem. I have not been able to fix the problem so I am going to format the drive. Thanks again, ULAMAN 2/2/08 10:45 pm. PS. Do I have to delete all these posts?

Quote from: ULAMAN on February 02, 2008, 04:49:44 AM
Do I have to delete all these posts?
No, we keep all threads. If anyone else comes by with the word yoyo written at their post screen we will know what to recommend. |
|
| 4128. |
Solve : HJT Runover please....? |
|
Answer» Hey guys, if someone could just look over this for me I'd really appreciate it, though first I'll state the problem. |
|
| 4129. |
Solve : Is my computer the most infected in the world ever???? |
|
Answer» Just a quick note. |
|
| 4130. |
Solve : Plz read first, step 6 Java download question.? |
|
Answer» It says to select the files you want. How do I know which of the three I want? I already downloaded the first choice, 64 bit.

You didn't install it, because it'd not let you, right?

Search your computer for: jre-6u4-windows-x64.exe and delete it.

Its icon is displayed on my desktop; its properties path shows it sitting in the desktop. I don't know if it installed or not. I don't know how to find it to get rid of it before I mess something up. I see another response has already been sent to me and I will 'search' for it.

You must know whether you've installed it or not. To install something you double click the file and go through a setup process. If you haven't done that it isn't installed and you can simply delete the file sitting on your desktop.

Deerpark... As you said before, 64-bit in no way will install on 32-bit. He'd receive an error message.

The search did it. I looked at its properties again and it read as: jre-6u4-windows-i586-p-iftw.exe Either way I found it now. Thanks, you guys have not only taught me a lot, one of the things is some confidence.

Cool. By the time we completely bugger your machine you'll be as confident as the rest of us... Actually it is clearly stated (even has a picture) |
|
| 4131. |
Solve : maindwxp? |
Answer»
To remove IE7: First download the IE6 installer to the desktop just in case you need it. (Don't install it.) If you are unable to see IE7 in Add or Remove Programs follow these steps:
Now try to open Internet Explorer. If it doesn't work then run the installer for IE6 you just downloaded. If IE6 does work then delete the installer from the desktop.
Thanks evilfantasy and broni... now the IE7 problem is solved. I downloaded it again from Microsoft, and it removed the previous explorer automatically at the time of downloading. Now the problem left is maindwxp. Please see my HijackThis log and tell me what to do now. And also I want to know, up till now, what the problem with my system was. Actually I am a computer science student so I want to know details for knowledge. Thanks, evil varun
1. Turn off System Restore:
 1. Click Start.
 2. Right-click the My Computer icon, and then click Properties.
 3. Click the System Restore tab.
 4. Check "Turn off System Restore".
 5. Click Apply.
 6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
 7. Click OK.
2. Restart in Safe Mode.
3. Go Start>Run, type in: regedit Click OK. Registry Editor will open. Click File>Export, and save your registry to a safe location. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services One of the services listed there will be Partizan, and its value: "Group" = "Boot But Extender" Right click on the Partizan entry, and click Delete.
4. Close Registry Editor, and open Windows Explorer. Navigate to: C:\windows\pss and delete the maindwxp.exe file
5. Restart in Normal Mode. Turn System Restore on. Create a fresh Restore Point.
Hi broni, sorry for the late reply. I deleted maindwxp from the location but didn't see any file named Partizan in the location given by you. I also attached the recent HijackThis log; I saw the rediff toolbar again in the log, but this time it is not present in Add/Remove. Is my system safe now? Also please describe to me what actually was the problem with my system. In Add/Remove the Yahoo toolbar is present; can I delete it also? Is the toolbar harmful for the system?
why?? here is the log [recovering space - attachment deleted by admin]
Open HJT, and checkmark following lines:
- R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
- R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
- R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
- R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
Click "Fix checked". Restart computer, and post new HJT log.
P. S. You were infected with The Orkut Worm (maindwxp.exe). More info: http://www.symantec.com/enterprise/security_response/weblog/2008/02/the_orkut_worm_digging_deeper.html
NEW LOG [recovering space - attachment deleted by admin]
Looks good... HJT log is clean.
1. Turn off System Restore:
- Windows XP:
 1. Click Start.
 2. Right-click the My Computer icon, and then click Properties.
 3. Click the System Restore tab.
 4. Check "Turn off System Restore".
 5. Click Apply.
 6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
 7. Click OK.
- Windows Vista:
 1. Click Start.
 2. Right-click the Computer icon, and then click Properties.
 3. Click on System Protection under the Tasks column on the left side
 4. Click on Continue on the "User Account Control" window that pops up
 5. Under the System Protection tab, find Available Disks
 6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
 7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
 8. Click OK
2. Restart computer.
3. Turn System Restore on. Create new Restore Point.
4. Run CCleaner one more time.
6. Download, and install free ThreatFire: http://www.threatfire.com/, which will give you real-time protection against malwares. It won't interfere with your antivirus, nor firewall.
7. Let me know, how your computer is doing.
The rest is normal but sometimes on the system tray I saw a McAfee icon.. my antivirus is Norton, previously it was McAfee, and when I tried to click that icon it disappeared surprisingly. Can I delete the registry backup files that were saved during CCleaner?
Quote: but sometimes on the system tray I saw a McAfee icon..
Thank you for the sharp eye. Apparently, I missed something. Disable Windows Defender, as it'll interfere with the cleaning process:
* Open Windows Defender
* Click Tools
* Click General Settings
* Scroll down to Real Time Protection Options
* Uncheck Turn on Real Time Protection
* After you uncheck this, click on the Save button
* Close Windows Defender
Open HijackThis, and checkmark following lines:
- O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
- O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
Click "Fix checked". Restart computer, and post new HJT log. As for the CCleaner backup, I'd leave it for a week, or so. If everything works fine, you may delete it.
Quote from: varun on March 31, 2008, 10:41:49 AM: sometimes on the system tray I saw a McAfee icon..
Why did this happen.... why did it disappear..... I posted a new log.... now can I turn Windows Defender on or leave it off..... [recovering space - attachment deleted by admin] Also in msconfig under services I can see McAfee framework service which is marked (right). And in C drive under Program Files there is this folder McAfee in which Framework Services is present.... so can I delete this folder or uncheck the service in msconfig......
You can keep Windows Defender on, no problem. We'll delete the McAfee folder in a moment. We must stop its service, first.
Go Start>Run, type in: services.msc Click OK. Services window will open. Find McAfee Framework Service in the list, right click on it, click Stop. Right click again, click Properties, and under Startup type select Disabled from the drop-down menu. Restart computer. Post new HJT log.
I got the message: can't stop McAfee framework service error 5: access is denied
Restart in Safe Mode, and follow the very same procedure. |
|
| 4132. |
Solve : Malware/Spyware of some sort...? |
|
Answer» My problem: What would you like me to do if I cannot download AVG? I cannot download it at school as the link to it is blocked and it won't finish the download on dial-up.
http://filehippo.com/download_avg_antivirus/ Try downloading through this link... Once you visit the above page, then on the right side, click the link that says "Download Latest Version". Maybe it'll get done at school now. I hope it ain't blocked, unless the school is trying to be careful about getting its network infected. Big drawback against ClamWin is that nothing is automated. AVG has automated updates and it automatically blocks the bad stuff.
Quote: it won't finish the download on dial-up
Leave the download overnight, ask a friend to download it for you...
Broni, the download stops at 1 MB. It's not a problem of leaving it on. Elxr06, thanks, that link worked. I'll do the following requests when I get home.
Quote from: Yoko_Kisaragi on April 18, 2008, 09:46:18 AM: Broni, the download stops at 1 MB. It's not a problem of leaving it on. Elxr06, thanks, that link worked. I'll do the following requests when I get home.
No problem. I always get the files through filehippo unless something prompts me to go to the vendor's own website to get it, and filehippo is always updating their file servers with the latest versions (including betas) of the programs that I typically use.
AVG seemed to get rid of the major problem, but my search engines are still screwed up. They still crash repeatedly and when I click on any of the links I'm given, it takes me somewhere else. Here are my HijackThis and MalwareBytes logs: [recovering space - attachment deleted by admin]
*** Is Windows firewall on?
*** You need to update your Java: http://java.sun.com/javase/downloads/index.jsp Java Runtime Environment (JRE) 6 Update 6 Uninstall all previous versions of Java through Add\Remove.
1. Print this post out, since you won't have access to it, at some point.
2. Close all windows, except for HijackThis.
3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):
- O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll (file missing)
- O2 - BHO: (no name) - {343029F8-2E2B-0CB8-3425-03B0077D5011} - C:\WINDOWS\system32\rgblocie.dll
- O2 - BHO: (no name) - {35EFCE3A-0D76-B449-A114-04380A544E37} - C:\WINDOWS\system32\kefgehrj.dll (file missing)
- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
- O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINDOWS\system32\hgGayASj.dll (file missing)
- O2 - BHO: (no name) - {E7600662-66CA-4F16-ACEF-A44EDAE65E67} - C:\WINDOWS\system32\browseu.dll (file missing)
- O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Administrator\My Documents\install_sbd_en.exe
- O4 - HKLM\..\Run: [lclatips] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lclatips.dll"
- O4 - HKLM\..\Run: [483c6bdd] rundll32.exe "C:\WINDOWS\system32\tylhpnch.dll",b
- *O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
- *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
- O4 - HKLM\..\Policies\Explorer\Run: [ZVQRBHoSK3] C:\WINDOWS\rqlaperg.exe
- O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
- *O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
- O20 - Winlogon Notify: hgGayASj - hgGayASj.dll (file missing)
4. Click on Fix checked button.
5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts, until menu appears)
6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
7. Delete following files/folders (if present):
- PC-Antispyware folder from C:\Program Files
- rgblocie.dll, wowfx.dll files from C:\WINDOWS\system32
- install_sbd_en.exe file from C:\Documents and Settings\Administrator\My Documents
- rqlaperg.exe file from C:\WINDOWS
8. Restart in Normal Mode.
9. Post new HijackThis log. |
|
| 4133. |
Solve : Spools.exe? |
|
Answer» I found the file spools.exe running in my task manager and I had never seen it before, so I deleted it because my computer was almost fried by a fake anti virus software, and I thought it could have been some leftover part. After I deleted it, every time I open any program, it goes to the "Open With" box, and does that every single time even if I choose the program file to go with it. Is spools.exe a normal system process? And what can I do to get my programs to open normally?
Spools.exe is a network aware worm that will try and disable programs installed by a user and creates a back door connection to a hacker site and will transmit user data and internet activity back to that outside hacker. It was wise of you to try and delete it from your system. However it sounds like you went the wrong way about getting rid of it. I need more information though to make any conclusions. How did you delete it? Most modern day anti-virus software can immediately spools.exe and remove it. Run this EXE File Association Fix.zip
Wow thanks, worked perfectly. |
|
| 4134. |
Solve : System error? |
|
Answer» Hello there, I have a serious question: I have tried everything but nothing happens. This is what happens.
Get AVG, Avast and Comodo firewall
Not AVG and Avast... 1 or the other. 2 AV programs will cause havoc and bang heads.
Which one is better?
They are both very good... the newest ver. of AVG loads a toolbar onto the system which many people detest so try Avast first. The rest of these apps should be added to your arsenal as well: Spybot Search and Destroy. AdAware AVG Anti-Spyware or aSquared. WinPatrol Comodo Firewall. All of the above are FREE. It's up to you to update them and run the scans on a regular basis. BTW Welcome to CH!!
ty very much
What is ty??
Thank you = ty
I know and I'm sorry Broni and to you too trolo8. |
|
| 4135. |
Solve : hidden trojan? |
|
Answer» I have XP and have reformatted the hard drive several times. The computer is protected with Norton. After a day or two the machine finds the trojan horse in a different place each time and then cannot delete it and I can't delete it either. Help. Is it staying on the drive somewhere even though I am reformatting? What do I do?
Start here
I am reformatting again. Then I will run these programs and supply the logs. Thanks.
I did everything in the instructions. However Norton popped up that \system volume information\_restore\a0001389.exe was infected with a trojan horse and it is unable to access the file. I have attached all my logs, please reply.
Now see if it is found in the Norton scan. Go to Windows updates and get any of the needed updates. |
|
| 4136. |
Solve : Help with HijackThis Log? |
|
Answer» I have recently found a "Trojan.Win32.blackBird.exe" icon on my desktop. I have tried deleting it many times but it says it is being used by another program and can not be deleted. Additionally, since this showed up on my computer I am continuing to get messages about my computer being infected, etc. I have run McAfee, Spybot Search and Destroy, Ad-aware, FixIEDef (which helped a little) and now HijackThis. I have posted my HijackThis log and was wondering if someone could help me understand what it is I need to do. Thanks. |
|
| 4137. |
Solve : Is it possible this email could have contained something nasty?? |
|
Answer» Hey everyone, |
|
| 4138. |
Solve : Please help..... malware infection (hijackthis log included)? |
|
Answer» There was something that was closely related to that name, can't remember exactly what it was called, so I removed that, then I went to HijackThis and removed it from there.
Restart. Give me new HJT log.
Logfile of Trend Micro HijackThis v2.0.2 but in the window, it wasn't there
In what window, what wasn't there?
In the Registry Editor, where all of the files from the folder "main" are located. After I tried to delete the value, it said I couldn't. However, when I went back to the Registry Editor after I clicked OK, the Http:\\(whole URL) disappeared, but that might not mean too much
OK. Give me new HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:36 AM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
-- End of file - 7037 bytes
Sometimes, I have to kick myself in the head to doublecheck things. That entry is OK. It came with your Dell. That's why, it can't be removed. HJT log is clean.
1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version. Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html. Run CCleaner.
2. Turn off System Restore:
- Windows XP:
 1. Click Start.
 2. Right-click the My Computer icon, and then click Properties.
 3. Click the System Restore tab.
 4. Check "Turn off System Restore".
 5. Click Apply.
 6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
 7. Click OK.
- Windows Vista:
 1. Click Start.
 2. Right-click the Computer icon, and then click Properties.
 3. Click on System Protection under the Tasks column on the left side
 4. Click on Continue on the "User Account Control" window that pops up
 5. Under the System Protection tab, find Available Disks
 6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
 7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
 8. Click OK
3. Restart computer.
4. Turn System Restore on.
5. Download, and install free ThreatFire: http://www.threatfire.com/, which will give you real-time protection against malwares. It won't interfere with your antivirus, nor firewall.
6. Let me know, how your computer is doing.
In the process of downloading ThreatFire. You have been very helpful, thank you so much for your time and help. Is there any way to like donate to the site? Like I said, you have been extremely helpful. Thank you so much. My comp runs so much quicker in general |
|
| 4139. |
Solve : Nasty Trojan, Please Help!? |
|
Answer» JRE1.6.0_04 isn't listed in the Java Folder.... |
|
| 4140. |
Solve : Window Live Messenger Virus? |
|
Answer» Very good |
|
| 4141. |
Solve : My HJT: What's next?? |
|
Answer» Newbie here. From the Philippines. Just read the guidelines and got the HJT log. So, here it is. Hope you can help me guys. I'd really appreciate it. Thanks a lot!
Quote: Just read the guidelines and got the HJT log.
There are two other scan logs that should be included.
Quote: SSCVIHOST.exe still persists though.
Need the other logs. SSCVIHOST.exe is different from the legit svchost.exe. |
|
| 4142. |
Solve : TrojanDownloader.XS??? HELP? |
|
Answer» I don't know where I got this from, but I've been knocked off as the administrator for my computer. I'm unable to download anything. PLEASE HELP
Download the programs listed below on a good computer, burn them to CD, and run them on the bad computer... |
|
| 4143. |
Solve : Avast Home Edition 4.8? |
|
Answer» I recently downloaded it and every time I try to run it it says, A serious error has occurred and it doesn't run. I tried re-downloading it 3 times now and it's all the same. Any suggestions?
Try AVG Free
Where are you downloading Avast from? |
|
| 4144. |
Solve : Unable to Click Anything, possibly other problems? |
|
Answer» Ok ty. Perhaps having ESET Security will fix my gameMon errors as well.
Let me know.
Nod doesn't seem to have helped my error. It's just so odd that I was able to play my game before the infection but I'm getting no luck now.
I don't know what to tell you... |
|
| 4145. |
Solve : tons of spyware on brother's computer? |
|
Answer» Hi, I'm trying to fix my brother's computer. It's a Dell Pentium 4 1.8 gig. Right now it has a lot of spyware and I'm using Spybot Search and Destroy to do so, but every time I click on fix problems it freezes up on me, not the computer, just the program
Print these instructions out.
He also didn't have an antivirus program running. I installed AVG
Very good
Silly me, I should have rebooted in safe mode with networking. Now I can't download the updates
Read instruction (always). You update in Normal Mode, and THEN go to Safe Mode.
Just finished the scan. I will post the SAS log in a few
Cool
Sorry it took me so long. It should be posted now. On top of all this there's only 128mb of RAM in my brother's computer so everything took about 2 or 3 times as long.
Quote: it should be posted now on top of all??
He threw it in another Topic and has been advised...
IC |
|
| 4146. |
Solve : Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade? |
|
Answer» Is there an entry in Add/Remove for Logitech Desktop Messenger? There are again multiple entries in the HJT log for this and it is unnecessary. Other than that it all looks OK.
Yes, it was available in 'Add Remove Programs' and I removed it. My Logitech Bluetooth wireless keyboard and mouse still work fine after re-start so I guess I don't need Logitech messenger anyway. |
|
| 4147. |
Solve : Can not remove!!? |
|
Answer» I have 2 programmes that I would like to remove, they are IE-anti virus and Malware Bell. When I try to remove them I get a message saying "make sure the disc is not full or write-protected". How can I remove them please, as they keep popping up wanting to do a scan. |
|
| 4148. |
Solve : Quarantine Question? |
|
Answer» When your antivirus puts a virus in the quarantine folder, can you delete the contents of that folder without harming your computer? And why does the antivirus quarantine the virus instead of deleting it or removing it?
This is just in case the AV quarantined the wrong file. |
|
| 4149. |
Solve : Will I lose information?? |
|
Answer» Okay so I'm using Avast and apparently I have a bunch of viruses. To get rid of them do I have to do a system restore or is there another way of getting rid of it? And if I do a system restore, will I lose all my information? (e.g. my father's tax files) Because if I do my dad will kill me. Like seriously. He also has a bunch of other business files he uses for work so................. HELP
System Restore will NOT get rid of viruses.... |
|
| 4150. |
Solve : email page cannot be displayed message? |
|
Answer» Yesterday morning, for some reason I was not able to get into my hotmail. It keeps saying "page cannot be displayed". My wife and I each have our own computers and they are networked together. Hers is doing the same thing. I have also noticed this morning that my yahoo email account, while I can get into it, there is almost no mail. This is very unusual. If anything, I have several mails in the junk box. I read about this in here but when I followed the instructions it gave I was unsure of following them because my advanced tab did have a button described in the instructions.
What instructions are you talking about?
The instructions told me to go to control panel. Select internet options. Click advanced tab. Then it said to select the delete tab to remove something. I can't find the message I read this morning that had these instructions. The only two things I have on the advanced tab are (restore advanced settings) it will take place after restarting my computer. The other is (reset internet settings). It says this deletes all internet files, disables browser add ons and resets all the changed settings. Then to the right is the reset button. Below that it gives a caution note (you should only use this if your browser is in an unstable state). Not knowing what that meant, I didn't do anything. I just closed the window and posted the question.
What instructions? Where did you get them from?
I got the answer from the forum. Someone had asked the very same question I was going to. It had been asked about 5 months or so ago. Also it was only a single page in the forum. By that I mean there were no 2nd 3rd 4th and so on. I really tried to find it so I could copy and paste it. I looked for almost half an hour but came up empty. I am going to continue looking.....
Quote: then to the right is the reset button.
Click on "Reset" button. It'll only disable add-ons, not delete them. Restart computer, and try to access your mail again.
Also, since your wife's computer is having the same problem.... Turn off both computers, and disconnect router, and modem from power source. Wait 30 seconds. Reconnect everything. Restart computers. |
|