lilhokie Posted August 15, 2009 ID:110377 Share Posted August 15, 2009 Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:41:51 AM, on 8/15/2009Platform: Windows Vista SP1 (WinNT 6.00.1905)MSIE: Internet Explorer v8.00 (8.00.6001.18813)Boot mode: NormalRunning processes:C:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEc:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\Program Files\Windows Defender\MSASCui.exeC:\Windows\RtHDVCpl.exeC:\Program Files\Motorola\SMSERIAL\sm56hlpr.exeC:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exeC:\Windows\WindowsMobile\wmdc.exeC:\Program Files\HP\HP Software Update\hpwuSchd2.exeC:\Windows\tsnp2std.exeC:\Windows\vsnp2std.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Windows\System32\rundll32.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\Windows Sidebar\sidebar.exeC:\Windows\ehome\ehtray.exeC:\Program Files\MP4 Player\Mp4Player.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\PIXELA\ImageMixer3\HDDCameraMonitor.exeC:\Program Files\Yahoo!\Widgets\YahooWidgets.exeC:\Windows\ehome\ehmsas.exeC:\Windows\system32\wbem\unsecapp.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO1 - Hosts: ::1 localhostO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dllO2 - BHO: (no name) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - (no file)O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dllO2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dllO2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dllO3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dllO3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dllO3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exeO4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exeO4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exeO4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [tsnp2std] C:\Windows\tsnp2std.exeO4 - HKLM\..\Run: [snp2std] C:\Windows\vsnp2std.exeO4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkeyO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayO4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRunO4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exeO4 - HKCU\..\Run: [MP4 Player] "C:\Program Files\MP4 Player\mp4Player.exe" hmwO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: ImageMixer HDD Camera Monitor.lnk = ?O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htmO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspxO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.htmlO9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dllO9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dllO9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dllO9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dllO13 - Gopher Prefix: O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cabO16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cabO16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cabO16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://kingsisle.hs.llnwd.net/e1/static/th...ameLauncher.CABO16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cabO18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dllO23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exeO23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exeO23 - Service: Google Update Service (gupdate1c9aa7d3acff170) (gupdate1c9aa7d3acff170) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe--End of file - 11821 bytesMalwarebytes' Anti-Malware 1.40Database version: 2551Windows 6.0.6001 Service Pack 18/15/2009 8:32:28 AMmbam-log-2009-08-15 (08-32-28).txtScan type: Quick ScanObjects scanned: 93152Time elapsed: 5 minute(s), 53 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot. Link to post Share on other sites More sharing options...
lilhokie Posted August 15, 2009 Author ID:110398 Share Posted August 15, 2009 Since posting this, I rebooted my machine. Now it is telling me that I don't have Genuine Microsoft Software and it will only open a browser to let me see what to do. Did the HijackThis program cause this problem? Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 15, 2009 ID:110411 Share Posted August 15, 2009 Hello lil,I seriously doubt that HJT would be the origin of the message regarding Genuine Microsoft Software. I highly suspect it is something else altogether.Please advise if your pc has a Certificate of authenticty sticker on it's case.Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.Show all files:Click the Start button, and then click Computer. On the Organize menu, click Folder and Search Options. Click the View tab. Locate and uncheck Hide file extensions for known file types. Locate and uncheck Hide protected operating system files (Recommended). Locate and click Show hidden files and folders. Click Apply > OK.Take out the trash (temporary files & temporary internet files) Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.Start ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser, do this also:Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browser, do this also:Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program. ATF-Cleaner should be run per the above in every user-login account {User Profile} = Go here and download RootRepeal to your Desktop. Doubleclick to extract the compressed file to it's own folder and then rightclick on RootRepeal.exe and choose "Run as Administrator" Click on the Report tab and then click on Scan. A Windows will open asking what to include in the scan. Check all of the below and then click Ok.DriversFilesProcessesHidden ServicesYou will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread. Link to post Share on other sites More sharing options...
lilhokie Posted August 15, 2009 Author ID:110527 Share Posted August 15, 2009 Root Repeal received an error: 17:10:49: Unrecognized partition type 6 (0x6)!17:10:49: Could not read system registry! Please contact the author!This is the log file it created up to the point of the error:ROOTREPEAL © AD, 2007-2009==================================================Scan Start Time: 2009/08/15 17:10Program Version: Version 1.3.5.0Windows Version: Windows Vista SP1==================================================Drivers-------------------Name: dump_diskdump.sysImage Path: C:\Windows\System32\Drivers\dump_diskdump.sysAddress: 0x8CB70000 Size: 40960 File Visible: No Signed: -Status: -Name: dump_nvstor32.sysImage Path: C:\Windows\System32\Drivers\dump_nvstor32.sysAddress: 0x8CB7A000 Size: 147456 File Visible: No Signed: -Status: -Name: rootrepeal.sysImage Path: C:\Windows\system32\drivers\rootrepeal.sysAddress: 0x9CDC0000 Size: 49152 File Visible: No Signed: -Status: -Name: SKYNETeofmlnks.sysImage Path: C:\Windows\system32\drivers\SKYNETeofmlnks.sysAddress: 0x8C417000 Size: 151552 File Visible: - Signed: -Status: Hidden from the Windows API!Processes-------------------Path: SystemPID: 4 Status: Locked to the Windows API!Path: C:\Windows\System32\audiodg.exePID: 1332 Status: Locked to the Windows API!==EOF== Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 16, 2009 ID:110589 Share Posted August 16, 2009 Since this is on Vista, in most all the tools I will have you use, you will need to First, do a RIGHT-Click on the program shortcut, link, or the executable .... and then select RUN As AdministratorPlease always remember that !!You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!If you are a casual viewer, do NOT try this on your system! If you are not lilhokie and have a similar problem, do NOT post here; start your own topicDo not run or start any other programs while these utilities and tools are in use! Do NOT run any other tools on your own or do any fixes other than what is listed here.If you have questions, please ask before you do something on your own.But it is important that you get going on these following steps.=Close any of your open programs while you run these tools.Start with this:1. Go >> Here << and download ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)2. Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)3. Start ERUNT (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)4. Choose a location for the backup (the default location is C:\WINDOWS\ERDNT which is acceptable).5. Make sure that at least the first two check boxes are ticked 6. Press OK7. Press YES to create the folder.=Next, download The Avenger by Swandog46 from here.Unzip/extract it to a folder on your desktop.Right-click on avenger.exe and select Run As Administrator to run The Avenger.Click OK.Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.Files to delete:C:\Windows\system32\drivers\SKYNETeofmlnks.sysDrivers to delete:SKYNETeofmlnks.sysSKYNETeofmlnksIn the avenger window, click the Paste Script from Clipboard icon, button. :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.Click the Execute button.You will be asked Are you sure you want to execute the current script?.Click Yes.You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.Click Yes.Your PC will now be rebooted.Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.and then reboot the system again.=Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsIf you have a prior copy of Combofix, delete it now !Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop. Link 1 Link 2 Link 3 * IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administratorAt the command-prompt window, type in the following to begin CombofixCombo-Fix.exeand press Enter key A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.A caution - Do not run Combofix more than once without asking me first. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.A file will be created at => C:\Combofix.txt. Note: Do not mouseclick combofix's window nor run any program while Combofix is running. That may cause it to stall. =RE-Enable your AntiVirus and AntiSpyware applications.Reply with copy of C:\Avenger.txt& C:\Combofix.txt Link to post Share on other sites More sharing options...
lilhokie Posted August 16, 2009 Author ID:110634 Share Posted August 16, 2009 Here's the text of avenger.txt. I'm continuing onto the next step of your instructions....Logfile of The Avenger Version 2.0, © by Swandog46http://swandog46.geekstogo.comPlatform: Windows Vista*******************Script file opened successfully.Script file read successfully.Backups directory opened successfully at C:\Avenger*******************Beginning to process script file:Rootkit scan active.No rootkits found!Error: could not delete file "C:\Windows\system32\drivers\SKYNETeofmlnks.sys"Deletion of file "C:\Windows\system32\drivers\SKYNETeofmlnks.sys" failed!Status: 0xc0000156Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\SKYNETeofmlnks.sys" not found!Deletion of driver "SKYNETeofmlnks.sys" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: registry key "\Registry\Machine\System\CurrentControlSet\Services\SKYNETeofmlnks" not found!Deletion of driver "SKYNETeofmlnks" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existCompleted script processing.*******************Finished! Terminate. Link to post Share on other sites More sharing options...
lilhokie Posted August 16, 2009 Author ID:110648 Share Posted August 16, 2009 Combo Fix ran for awhile and rebooted the machine a few times....Before the 1st time, It asked me to jot down some files:c:\windows\system32\drivers\UACrmsdaeinwl.sysc:\windows\system32\UACvvbockrnyv.dllc:\windows\system32\UACcjwxpwtskv.dllc:\windows\system32\UACuveeagtjfc.dllc:\windows\system32\UACsunwombpbj.dbc:\windows\system32\UACppqcaqaknv.dllc:\windows\system32\UACiqbqdeoxtq.dllAfter the 3rd time it rebooted, I got the message that an unauthorized change was made to windows. WHen I click on the "Learn More" button, it takes me to this link:http://www.microsoft.com/genuine/downloads....1033&RFM=2When this happened earlier, I removed Hijack this and the problem went away. My computer came with Windows Vista on it, it has the a Certificate of authenticity sticker on it's case. It's an Acer Aspire with and AMD Athelon processor. Link to post Share on other sites More sharing options...
lilhokie Posted August 16, 2009 Author ID:110650 Share Posted August 16, 2009 When I close the browser that is opened after the Unauthorized change message, then click close, it takes me back to the login screen. It will not actually boot windows, it only allows me to get to a browser to view their knowledge base about the problem. I can then open another tab to reply here. Using the browser, I was able to find out that the file "c:\combofix.txt" does not exist, so it did not complete it's execution.I'll wait to hear back from you before doing anything else. Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 16, 2009 ID:110787 Share Posted August 16, 2009 Do a new run of The Avenger If you must, restart (reboot) your system fresh beforehand.Right-click on avenger.exe and select Run As Administrator to run The Avenger.Click OK.Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.Files to delete:c:\windows\system32\drivers\UACrmsdaeinwl.sysc:\windows\system32\UACvvbockrnyv.dllc:\windows\system32\UACcjwxpwtskv.dllc:\windows\system32\UACuveeagtjfc.dllc:\windows\system32\UACsunwombpbj.dbc:\windows\system32\UACppqcaqaknv.dllc:\windows\system32\UACiqbqdeoxtq.dllDrivers to delete:UACrmsdaeinwl.sysUACrmsdaeinwlUACrUACrservUACd.sysUACdIn the avenger window, click the Paste Script from Clipboard icon, button. Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.Click the Execute button.You will be asked Are you sure you want to execute the current script?.Click Yes.You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.Click Yes.Your PC will now be rebooted.Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.and then reboot the system again.=Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exeClose all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!Exit OTL by clicking the X at top right.Download Security Check by screen317 and save it to your Desktop: here or hereRun Security Check Follow the onscreen instructions inside of the command window.A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.Then copy/paste the following into your post (in order):the contents of C:\Avenger.txt;the contents of OTL.txt;the contents of Extras.txt ; andthe contents of checkup.txt Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply. Link to post Share on other sites More sharing options...
lilhokie Posted August 16, 2009 Author ID:110826 Share Posted August 16, 2009 Can I run Avenger in Safe mode? I think that will be the only way to boot the machine Link to post Share on other sites More sharing options...
lilhokie Posted August 16, 2009 Author ID:110828 Share Posted August 16, 2009 FYI - I turned the computer off (instead of just doing a reboot) and then restarted. This time, windows opened fine and the combofix that I started last night is continuing to run. I will post the log (if it completes) and wait to hear from you before I run Avenger again. Link to post Share on other sites More sharing options...
lilhokie Posted August 16, 2009 Author ID:110833 Share Posted August 16, 2009 Combo Fix Log:ComboFix 09-08-10.06 - momanddad 08/16/2009 1:59.1.2 - NTFSx86Microsoft Link to post Share on other sites More sharing options...
lilhokie Posted August 16, 2009 Author ID:110834 Share Posted August 16, 2009 BTW - Thank you for all of your help so far.... It is truly appreciated. Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 16, 2009 ID:110918 Share Posted August 16, 2009 BTW - Thank you for all of your help so far.... It is truly appreciated.You are quite welcome. Glad to be of assistance.That was a very good move on your part on powering off and getting Combofix to get going.I'm modifying the Avenger scan below and adding a couple of other runs. The Combofix noted a bit of remnant of the rootkit and hopefully this next Avenger pass will complete the task.Right-click on avenger.exe and select Run As Administrator to run The Avenger.Click OK.Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.Files to delete:c:\windows\system32\drivers\UACrmsdaeinwl.sysc:\windows\system32\drivers\SKYNETeofmlnks.sysc:\windows\system32\UACvvbockrnyv.dllc:\windows\system32\UACcjwxpwtskv.dllc:\windows\system32\UACuveeagtjfc.dllc:\windows\system32\UACsunwombpbj.dbc:\windows\system32\UACppqcaqaknv.dllc:\windows\system32\UACiqbqdeoxtq.dllRegistry keys to delete:[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETedmvxtii]Drivers to delete:SKYNETedmvxtiiUACrmsdaeinwl.sysUACrmsdaeinwlUACrUACrservUACd.sysUACdIn the avenger window, click the Paste Script from Clipboard icon, button. Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.Click the Execute button.You will be asked Are you sure you want to execute the current script?.Click Yes.You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.Click Yes.Your PC will now be rebooted.Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.and then reboot the system again.=Start your MBAM MalwareBytes' Anti-Malware. Click the Settings Tab. Make sure all option lines have a checkmark.Next, Click the Update tab. Press the "Check for Updates" button. At this time of posting, the current definitions are # 2635 or later. The latest program version is 1.40 When done, click the Scanner tab.Do a Quick Scan. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. =Please download and run the Trend Micro Sysclean Package on your computer.NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.Trend Micro Damage Cleanup EngineMake sure you read this document to understand how to use the program. Trend Micro Sysclean Package README 1stBasically there are 3 parts that need to be downloaded from these links:Sysclean PackageVirus Pattern FilesSpyware Pattern FilesCreate a brand new folder to copy these files to.As an example: C:\DCEThen open each of the zipped archive files and copy their contents to C:\DCECopy the file sysclean.com to the new folder C:\DCE as well.Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.How To Use Compressed (Zipped) Folders in Windows XPCompress and uncompress files (zip files) in VistaReply with copy of C:\Avenger.txtthe latest MBAM scan logthe Sysclean log Link to post Share on other sites More sharing options...
lilhokie Posted August 16, 2009 Author ID:110935 Share Posted August 16, 2009 When running avenger, after saying Yes to Are you sure you want to execute the script, I got the following Error: "Error: Invalid registry syntax in command: "[-HKEY_LOCAL_MACHINE_SYSTEM]ControlSet001\Services\SKYNETedmvxtii]" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode)."I then selected OK, And OK to continue script execution. Everything else seemed to go as described in your instructions.Was the dash not supposed to be in the script? Link to post Share on other sites More sharing options...
lilhokie Posted August 16, 2009 Author ID:110940 Share Posted August 16, 2009 Avenger Log:////////////////////////////////////////// Avenger Pre-Processor log//////////////////////////////////////////Platform: Windows NT 6.0 (build 6001, Service Pack 1)Sun Aug 16 17:36:25 200917:36:09: Error: Invalid registry syntax in command:"[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETedmvxtii]"Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.Skipping line. (Registry key deletion mode) //////////////////////////////////////////Logfile of The Avenger Version 2.0, © by Swandog46http://swandog46.geekstogo.comPlatform: Windows Vista*******************Script file opened successfully.Script file read successfully.Backups directory opened successfully at C:\Avenger*******************Beginning to process script file:Rootkit scan active.No rootkits found!Error: file "c:\windows\system32\drivers\UACrmsdaeinwl.sys" not found!Deletion of file "c:\windows\system32\drivers\UACrmsdaeinwl.sys" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: could not delete file "c:\windows\system32\drivers\SKYNETeofmlnks.sys"Deletion of file "c:\windows\system32\drivers\SKYNETeofmlnks.sys" failed!Status: 0xc0000156Error: file "c:\windows\system32\UACvvbockrnyv.dll" not found!Deletion of file "c:\windows\system32\UACvvbockrnyv.dll" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: file "c:\windows\system32\UACcjwxpwtskv.dll" not found!Deletion of file "c:\windows\system32\UACcjwxpwtskv.dll" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: file "c:\windows\system32\UACuveeagtjfc.dll" not found!Deletion of file "c:\windows\system32\UACuveeagtjfc.dll" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: file "c:\windows\system32\UACsunwombpbj.db" not found!Deletion of file "c:\windows\system32\UACsunwombpbj.db" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: file "c:\windows\system32\UACppqcaqaknv.dll" not found!Deletion of file "c:\windows\system32\UACppqcaqaknv.dll" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: file "c:\windows\system32\UACiqbqdeoxtq.dll" not found!Deletion of file "c:\windows\system32\UACiqbqdeoxtq.dll" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existDriver "SKYNETedmvxtii" deleted successfully.Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACrmsdaeinwl.sys" not found!Deletion of driver "UACrmsdaeinwl.sys" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACrmsdaeinwl" not found!Deletion of driver "UACrmsdaeinwl" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACr" not found!Deletion of driver "UACr" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACrserv" not found!Deletion of driver "UACrserv" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!Deletion of driver "UACd.sys" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd" not found!Deletion of driver "UACd" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existCompleted script processing.*******************Finished! Terminate. Link to post Share on other sites More sharing options...
lilhokie Posted August 16, 2009 Author ID:110941 Share Posted August 16, 2009 I still need to run the Trend Micro Sysclean PackageMBAM Log:Malwarebytes' Anti-Malware 1.40Database version: 2636Windows 6.0.6001 Service Pack 18/16/2009 5:44:59 PMmbam-log-2009-08-16 (17-44-59).txtScan type: Quick ScanObjects scanned: 93562Time elapsed: 4 minute(s), 20 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Users\momanddad\Desktop\avenger.exe (Trojan.Agent) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 16, 2009 ID:110960 Share Posted August 16, 2009 When running avenger, after saying Yes to Are you sure you want to execute the script, I got the following Error: "Error: Invalid registry syntax in command: "[-HKEY_LOCAL_MACHINE_SYSTEM]ControlSet001\Services\SKYNETedmvxtii]" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode)."I then selected OK, And OK to continue script execution. Everything else seemed to go as described in your instructions.Was the dash not supposed to be in the script?The dash was intended. We did ok. The rootkit service has been quashed.Do not be concerned. Please keep on with the SYSCLEAN run and when done. post that log, and then await my next reply. Link to post Share on other sites More sharing options...
lilhokie Posted August 17, 2009 Author ID:111029 Share Posted August 17, 2009 Here is the sysclean log. It's a little long and giving me problems pasting in one reply, so I'm going to split it up into a few replies.....Copyright Link to post Share on other sites More sharing options...
lilhokie Posted August 17, 2009 Author ID:111039 Share Posted August 17, 2009 After all of these posts, I'm not even 1/4 of the way through the file. Is there another way to get it to you?It continues through a long list of files and after the files, this is the end:32248 files have been read.32248 files have been checked.32248 files have been scanned.213422 files have been scanned. (including files in archived)0 files containing viruses.Found 0 viruses totally.Maybe 0 viruses totally.Stop At: 8/16/2009 22:26:15 42 minutes 32 seconds (2552.82 seconds) has elapsed.(79.162 msec/file)---------*---------*---------*---------*---------*---------*---------*---------* Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 17, 2009 ID:111052 Share Posted August 17, 2009 Stop posting any further snippets from the Sysclean log. Those are un-useable and just makes one wonder if you downloaded and setup all 3 components of Sysclean as requested. I will remove the others you posted. We cannot make any use of them.Instead, do an online scan.You will want to print out or copy these instructions to Notepad for offline reference!Close all open browsers at this point.Start Internet Explorer (fresh) by pressing Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.Using Internet Explorer browser only, go to ESET Online Scanner website:http://www.eset.com/onlinescan/Accept the Terms of Use and press Start button;Approve the install of the required ActiveX Control, then follow on-screen instructions;Enable (check) the Remove found threats option, and run the scan.After the scan completes, the Details tab in the Results window will display what was found and removed. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.Look at contents of this file using Notepad or Wordpad.The Frequently Asked Questions for ESET Online Scanner can be viewed herehttp://www.eset.com/onlinescan/cac4.php?page=faqFrom ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner. Otherwise the scan will take twice as long to do: everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result. It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner. (And the prompt re-enabling when finished.) If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.Do not use the system while the scan is running. Once the full scan is underway, go take a long break Link to post Share on other sites More sharing options...
lilhokie Posted August 17, 2009 Author ID:111333 Share Posted August 17, 2009 I thought I followed all of the instructions on the last scanner. I downloaded and extracted all three modules and put them in a directly on my hard drive. But I guess I must have missed something.Here's the ESET Log:ESETSmartInstaller@High as CAB hook log:OnlineScanner.ocx - registred OK# version=6# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)# OnlineScanner.ocx=1.0.0.6048# api_version=3.0.2# EOSSerial=8fe4f13c6fa7f44da10e2c063c38ed9d# end=finished# remove_checked=true# archives_checked=false# unwanted_checked=true# unsafe_checked=false# antistealth_checked=true# utc_time=2009-08-17 10:14:32# local_time=2009-08-17 06:14:32 (-0500, Eastern Daylight Time)# country="United States"# lang=1033# osver=6.0.6001 NT Service Pack 1# compatibility_mode=5121 61 100 88 493720621472328# compatibility_mode=5889 61 66 100 498189533375836# scanned=239653# found=1# cleaned=1# scan_time=3915C:\Qoobox\Quarantine\C\Windows\System32\drivers\UACrmsdaeinwl.sys.vir a variant of Win32/Olmarik.HI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 18, 2009 ID:111428 Share Posted August 18, 2009 Very good. The Eset scan only found a item already in quarantine. This is good to go after these next steps.De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.htmlYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 16 -"Click the "Download" button to the right.Select the Windows platform from the dropdown menu.Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.Click on the link to download Windows Offline Installation and save the file to your desktop.Close any programs you may have running - especially your web browser.Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.Click the Remove or Change/Remove button.Repeat as many times as necessary to remove each Java versions.Reboot your computer once all Java components are removed.Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)On the General tab, under Temporary Internet Files, click the Settings button.Next, click on the Delete Files buttonThere are two options in the window to clear the cache - Leave BOTH CheckedApplications and AppletsTrace and Log Files[*]Click OK on Delete Temporary Files WindowNote: This deletes ALL the Downloaded Applications and Applets from the CACHE.[*]Click OK to leave the Temporary Files Window[*]Click OK to leave the Java Control Panel.To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xmlWhen all is well, you should see Java Version: 1.6.0_16 from Sun Microsystems Inc.=Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should to un-install it. Start button > in Start menu -- Control Panel > Uninstall a Program (listed under Programs).{In Classic view, double click Program and features}.Look for it and click the line for it. Select Change/Remove to de-install it.Un-install Eset online scan.OK & Exit out of Control PanelI see that you are clear of your original issues. If you have a problem with these steps, or something does not quite work here, do let me know.The following few steps will remove tools we used; followed by advice on staying safer.We have to remove Combofix and all its associated folders. By whichever name you named it, ( combofix.exe ), put that name in the RUN box stated just below. The "/u" in the command line below is to start Combofix for it's cleanup & removal function.Note the space after x and before the slash mark.The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.In the command box that opens, type or copy/paste combofix /u and then press ENTER key. Right-click OTL.exe and then select "Run as administrator" to start it. Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes. This step removes the files, folders, and shortcuts created by the tools I had you download and run.Delete RootRepeal and any of its leftovers.Delete Gmer and any of its leftovers.Delete the SYSCLEAN downloads and the C:\DCE folderRun ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.Run Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVPhttp://bertk.mvps.org/html/diskcleanupv.htmlYou may reset your Windows Explorer {My Computer} Folder Options > VIEW settings back to where they had been before. {under hidden files & folders to not show hidden or system files -and- to "hide protected operating system files" } Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.Check in at Windows Update and install any Critical Updates offered.Download and Install Windows Defender by Microsoft (free) if you do not already have it: http://www.microsoft.com/downloads/details...A4-F7F14E605A0D Make certain that Automatic Updates is enabled.Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm That would help to keep your browser away from known spyware/malware sites. Make regular backups of your system to removable media: DVD, USB external hard drive, etc.Get and apply Vista Service Pack 2. See this article for tips:Vista SP2 FAQOn some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:Kaspersky Webscan Online Virus Scanner ESET Online ScannerPanda ActiveScan Trend Micro HousecallF-Secure Online Scanner Read Tony Klein's article How Did I Get Infected In The First Place Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.htmlWe are finished here. Best regards. Link to post Share on other sites More sharing options...
lilhokie Posted August 18, 2009 Author ID:111576 Share Posted August 18, 2009 I just got to the point of clean up where I have to run OTL.EXE. I never did that step. Remember I was having problems with combo-fix.exe, so you gave me the instructions with Avenger, otl.exe and one other scan. But when I turned off the machine and restarted combo fix continued it's run, so I didn't do that step and waited for further instructions. You gave me the new avenger script, but I didn't go back to the original instructions with avenger and run any of the programs after that.So I still have the dce directory, atf cleaner and enrunt1.1 on my machine. I did purchase MBAM. Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 18, 2009 ID:111590 Share Posted August 18, 2009 Look over the log. If the summary sections have 0 items tagged, like this:0 files containing viruses.Found 0 viruses totally.Maybe 0 viruses totally.then I won't need it.I'll check back here late tonight and get back with you. Please be patient meantime. Link to post Share on other sites More sharing options...
Recommended Posts