jpaulr Posted February 28, 2010 ID:207368 Share Posted February 28, 2010 I am unable to run MBAM at all. When I tried to download / reinstall it, I get the following message. "Unable to execute file mbam.exeCreateProcess failed; code 2The system cannot find the file specified."The desktop icon resembles an open file folder. I'm getting huge amounts of popups. AntiVir is reporting all kinds of infections. Only able to run SuperAntiSpyware which is returning Vundo along with other problems. Any help is appreciated.After running SAS I got RUNDLL error "Error loading litinika.dll" After looking that up I guess it's a good thing. I am still unable to run the setup file and MBAM will not install. Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 28, 2010 ID:207408 Share Posted February 28, 2010 Do as much as possible of the steps here http://forums.malwarebytes.org/index.php?showtopic=9573Skip those you cannot manage to start (such as MBAM). Please get the GMER & DDS logs and put those into the main body of your next reply.Do NOT use the attach feature to upload your logs. Link to post Share on other sites More sharing options...
jpaulr Posted February 28, 2010 Author ID:207432 Share Posted February 28, 2010 Do as much as possible of the steps here http://forums.malwarebytes.org/index.php?showtopic=9573Skip those you cannot manage to start (such as MBAM). Please get the GMER & DDS logs and put those into the main body of your next reply.Do NOT use the attach feature to upload your logs.the requested URL /defogger.exe was not found on this server. I have verified on 2 machines - the link is bad. Please advise. Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 28, 2010 ID:207495 Share Posted February 28, 2010 Link is good. Just tested & works for me.Skip forward to next steps. Get what you can from GMER & DDS.IF you are totally blocked from downloading on this system, use another one to do downloads, burn to CD/DVD or a clean-fresh USB drive, then copy tools to the Desktop. Link to post Share on other sites More sharing options...
jpaulr Posted February 28, 2010 Author ID:207500 Share Posted February 28, 2010 Link is good. Just tested & works for me.Skip forward to next steps. Get what you can from GMER & DDS.IF you are totally blocked from downloading on this system, use another one to do downloads, burn to CD/DVD or a clean-fresh USB drive, then copy tools to the Desktop.I missed the capital D in Defogger - my bad. Have run Avir, DDS and GMER is running now. Waiting for GMER to finish. Will post results when it completes. Link to post Share on other sites More sharing options...
jpaulr Posted February 28, 2010 Author ID:207538 Share Posted February 28, 2010 I missed the capital D in Defogger - my bad. Have run Avir, DDS and GMER is running now. Waiting for GMER to finish. Will post results when it completes.After 4 attempts at running GMER rootkit scanner I give up. I get the root kit warning, click NO, uncheck the proper boxes, start the scan and it gets to a certain point and reboots the machine automatically. The scan does not complete. I was able to run DDS. Log is below. Attach file has been zipped and attached as instructed.DDS (Ver_09-12-01.01) - NTFSx86 Run by Paul1 at 14:06:43.84 on Sun 02/28/2010Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.112 [GMT -5:00]AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchC:\WINDOWS\system32\svchost -k rpcssC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k LocalServiceC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\WINDOWS\system32\svchost.exe -k LocalServiceC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeC:\Documents and Settings\Paul1\Local Settings\Application Data\av.exeC:\Program Files\Common Files\Motive\McciCMService.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\System32\svchost.exe -k HTTPFilterC:\Program Files\iPod\bin\iPodService.exec:\program files\AIM6\aolsoftware.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Documents and Settings\Paul1\My Documents\Downloads\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://www.cnn.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuInternet Settings,ProxyOverride = *.localuURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dllmURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dllBHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dllBHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dllBHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dllBHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: {f0f64745-2af9-4899-b978-bd1cab84c9eb} - wisahiri.dllTB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dllTB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dllTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dlluRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [swg] "c:\program files\google\googletoolbarnotifier\googletoolbarnotifier .exe"uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quietuRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imAppuRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exeuRun: [TOY5KNQ8OC] c:\docume~1\paul1\locals~1\temp\hn1 .exemRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exemRun: [igfxtray] c:\windows\system32\igfxtray.exemRun: [igfxhkcmd] c:\windows\system32\hkcmd.exemRun: [igfxpers] c:\windows\system32\igfxpers.exemRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startupmRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"mRun: [EnvyHFCPL] c:\program files\audio deck\EnMixCPL.exe 1mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /minmRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscriptmRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottimemRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"mRun: [risakubiza] Rundll32.exe "litinika.dll",smRun: [mitomapuw] Rundll32.exe "c:\windows\system32\pegojehe.dll",aStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXEuPolicies-system: DisableRegistryTools = 1 (0x1)dPolicies-system: DisableRegistryTools = 1 (0x1)IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.htmlIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dllIE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dllIE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dllTrusted Zone: ameritrade.comTrusted Zone: ameritrade.com\researchTrusted Zone: ameritrade.com\wwwsTrusted Zone: tdameritrade.comTrusted Zone: tdameritrade.com\wwwDPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CABDPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cabDPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cabDPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cabDPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} - hxxp://mail.lycos.com/hanmail-ax/AttachMail.cabDPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabNotify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dllNotify: igfxcui - igfxdev.dllAppInit_DLLs: app_dll.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSSODL: henagakam - {aaa4ca1e-6db4-4d38-a4ac-87509c3dafd5} - c:\windows\system32\pegojehe.dllSTS: mujuzedij: {aaa4ca1e-6db4-4d38-a4ac-87509c3dafd5} - c:\windows\system32\pegojehe.dllSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLLLSA: Notification Packages = scecli perowimi.dllIFEO: MpCmdRun.exe - c:\windows\system32\svchost.exeIFEO: MSASCui.exe - c:\windows\system32\svchost.exeIFEO: MsMpEng.exe - c:\windows\system32\svchost.exeIFEO: msseces.exe - c:\windows\system32\svchost.exe================= FIREFOX ===================FF - ProfilePath - c:\docume~1\paul1\applic~1\mozilla\firefox\profiles\3x29nyyw.default\FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dllFF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dllFF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dllFF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dllFF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}---- FIREFOX POLICIES ----FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);============= SERVICES / DRIVERS ===============R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-16 11608]R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-4 9968]R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 74480]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-16 108289]R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-16 185089]R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-16 56816]R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-19 24652]R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2007-11-30 577664]R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 7408]S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-28 135664]S2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\googledesktop.exe [2007-10-2 55808]S3 membus;membus;c:\windows\system32\membus.sys [2004-8-4 2304]=============== Created Last 30 ================2010-02-28 17:14:30 4 ----a-w- c:\program files\2996031.dat2010-02-28 15:55:21 4 ----a-w- c:\program files\746640.dat2010-02-28 15:42:20 94208 ----a-w- c:\windows\system32\app_dll.dll2010-02-28 15:41:23 0 d-----w- c:\windows\_VOIDrtfjwibceg2010-02-28 15:41:08 55808 ----a-w- c:\documents and settings\paul1\rundll32.exe2010-02-28 15:41:08 55808 ----a-w- c:\documents and settings\paul1\rundll32 .exe2010-02-28 15:40:24 189440 ----a-w- c:\windows\system32\sshnas21.dll2010-02-21 15:42:10 18064 ---ha-w- c:\windows\system32\mlfcache.dat2010-02-20 23:26:52 0 d-----w- c:\program files\iPod2010-02-20 23:26:32 0 d-----w- c:\program files\iTunes==================== Find3M ====================2010-02-28 18:53:39 55808 ----a-w- c:\windows\system32\igfxpers.exe2010-02-28 18:53:34 55808 ----a-w- c:\windows\system32\hkcmd.exe2010-02-28 18:53:32 55808 ----a-w- c:\windows\system32\igfxtray.exe2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe1601-01-01 00:03:28 95232 --sha-w- c:\windows\system32\pegojehe.dll1601-01-01 00:03:52 64000 --sha-w- c:\windows\system32\perowimi.dll2009-03-08 00:42:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030720090308\index.dat============= FINISH: 14:07:34.26 ===============Attach.txtUNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH ITDDS (Ver_09-12-01.01)Microsoft Windows XP Home EditionBoot Device: \Device\HarddiskVolume2Install Date: 5/15/2007 10:36:31 AMSystem Uptime: 2/28/2010 1:51:05 PM (1 hours ago)Motherboard: Dell Computer Corp. | | 0TC666Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz==== Disk Partitions =========================C: is FIXED (NTFS) - 149 GiB total, 116.048 GiB free.D: is CDROM ()==== Disabled Device Manager Items ================= System Restore Points ===================RP441: 12/22/2009 9:39:41 AM - System CheckpointRP442: 12/23/2009 3:00:16 AM - Software Distribution Service 3.0RP443: 12/24/2009 3:31:48 AM - System CheckpointRP444: 12/25/2009 3:39:32 AM - System CheckpointRP445: 12/26/2009 4:39:36 AM - System CheckpointRP446: 12/27/2009 5:39:33 AM - System CheckpointRP447: 12/28/2009 6:41:00 AM - System CheckpointRP448: 1/14/2010 8:50:43 AM - Software Distribution Service 3.0RP449: 1/14/2010 9:19:10 AM - Software Distribution Service 3.0RP450: 1/15/2010 10:14:12 AM - System CheckpointRP451: 1/16/2010 11:14:10 AM - System CheckpointRP452: 1/17/2010 12:14:10 PM - System CheckpointRP453: 1/18/2010 1:14:10 PM - System CheckpointRP454: 1/19/2010 2:14:10 PM - System CheckpointRP455: 2/6/2010 1:49:57 PM - System CheckpointRP456: 2/7/2010 3:00:15 AM - Software Distribution Service 3.0RP457: 2/8/2010 3:21:26 AM - System CheckpointRP458: 2/9/2010 4:33:21 AM - System CheckpointRP459: 2/10/2010 3:00:17 AM - Software Distribution Service 3.0RP460: 2/11/2010 3:24:18 AM - System CheckpointRP461: 2/12/2010 4:24:17 AM - System CheckpointRP462: 2/17/2010 7:12:19 PM - System CheckpointRP463: 2/18/2010 7:58:54 PM - System CheckpointRP464: 2/20/2010 6:44:56 PM - System CheckpointRP465: 2/21/2010 7:06:34 PM - System CheckpointRP466: 2/28/2010 9:17:53 AM - Software Distribution Service 3.0==== Installed Programs ======================Adobe Flash Player 10 ActiveXAdobe Flash Player 10 PluginAdobe Reader 8.1.4Adobe Shockwave PlayerAdvanced AnalyzerAIM 6AIM ToolbarApple Application SupportApple Mobile Device SupportApple Software UpdateAvira AntiVir Personal - Free AntivirusBonjourCritical Update for Windows Media Player 11 (KB959772)Disney Pirates of the Caribbean OnlineDownload Updater (AOL LLC)Google DesktopGoogle Toolbar for Internet ExplorerGoogle Update HelperHotfix for Windows Internet Explorer 7 (KB947864)Hotfix for Windows Media Format 11 SDK (KB929399)Hotfix for Windows Media Player 11 (KB939683)Hotfix for Windows XP (KB952287)Hotfix for Windows XP (KB970653-v3)Hotfix for Windows XP (KB976098-v2)Hotfix for Windows XP (KB979306)Intel® Extreme Graphics 2 DriverIntel® PRO Network Adapters and DriversiTunesJ2SE Runtime Environment 5.0 Update 11Java 6 Update 15LiveUpdate 3.2 (Symantec Corporation)LiveUpdate Notice (Symantec Corporation)Malwarebytes' Anti-MalwareMicrosoft Compression Client Pack 1.0 for Windows XPMicrosoft Internationalized Domain Names Mitigation APIsMicrosoft National Language Support Downlevel APIsMicrosoft Office 2000 PremiumMicrosoft User-Mode Driver Framework Feature Pack 1.0Microsoft VC9 runtime librariesMicrosoft Visual C++ 2008 Redistributable - x86 9.0.30729.17Mozilla Firefox (3.5.7)MSXML 4.0 SP2 (KB954430)MSXML 4.0 SP2 (KB973688)PDFCreatorQuickTimeSeagate Manager InstallerSecurity Update for Windows Internet Explorer 7 (KB929969)Security Update for Windows Internet Explorer 7 (KB931768)Security Update for Windows Internet Explorer 7 (KB933566)Security Update for Windows Internet Explorer 7 (KB937143)Security Update for Windows Internet Explorer 7 (KB938127)Security Update for Windows Internet Explorer 7 (KB939653)Security Update for Windows Internet Explorer 7 (KB942615)Security Update for Windows Internet Explorer 7 (KB944533)Security Update for Windows Internet Explorer 7 (KB961260)Security Update for Windows Internet Explorer 7 (KB963027)Security Update for Windows Internet Explorer 8 (KB969897)Security Update for Windows Internet Explorer 8 (KB971961)Security Update for Windows Internet Explorer 8 (KB972260)Security Update for Windows Internet Explorer 8 (KB974455)Security Update for Windows Internet Explorer 8 (KB976325)Security Update for Windows Internet Explorer 8 (KB978207)Security Update for Windows Media Player (KB911564)Security Update for Windows Media Player (KB952069)Security Update for Windows Media Player (KB954155)Security Update for Windows Media Player (KB968816)Security Update for Windows Media Player (KB973540)Security Update for Windows Media Player 11 (KB936782)Security Update for Windows Media Player 11 (KB954154)Security Update for Windows Media Player 6.4 (KB925398)Security Update for Windows Media Player 9 (KB917734)Security Update for Windows XP (KB923561)Security Update for Windows XP (KB923689)Security Update for Windows XP (KB923789)Security Update for Windows XP (KB938464-v2)Security Update for Windows XP (KB938464)Security Update for Windows XP (KB941569)Security Update for Windows XP (KB946648)Security Update for Windows XP (KB950760)Security Update for Windows XP (KB950762)Security Update for Windows XP (KB950974)Security Update for Windows XP (KB951066)Security Update for Windows XP (KB951376-v2)Security Update for Windows XP (KB951698)Security Update for Windows XP (KB951748)Security Update for Windows XP (KB952004)Security Update for Windows XP (KB952954)Security Update for Windows XP (KB954211)Security Update for Windows XP (KB954459)Security Update for Windows XP (KB954600)Security Update for Windows XP (KB955069)Security Update for Windows XP (KB956572)Security Update for Windows XP (KB956744)Security Update for Windows XP (KB956802)Security Update for Windows XP (KB956803)Security Update for Windows XP (KB956841)Security Update for Windows XP (KB956844)Security Update for Windows XP (KB957097)Security Update for Windows XP (KB958644)Security Update for Windows XP (KB958687)Security Update for Windows XP (KB958690)Security Update for Windows XP (KB958869)Security Update for Windows XP (KB959426)Security Update for Windows XP (KB960225)Security Update for Windows XP (KB960715)Security Update for Windows XP (KB960803)Security Update for Windows XP (KB960859)Security Update for Windows XP (KB961371)Security Update for Windows XP (KB961373)Security Update for Windows XP (KB961501)Security Update for Windows XP (KB968537)Security Update for Windows XP (KB969059)Security Update for Windows XP (KB969898)Security Update for Windows XP (KB969947)Security Update for Windows XP (KB970238)Security Update for Windows XP (KB970430)Security Update for Windows XP (KB971468)Security Update for Windows XP (KB971486)Security Update for Windows XP (KB971557)Security Update for Windows XP (KB971633)Security Update for Windows XP (KB971657)Security Update for Windows XP (KB972270)Security Update for Windows XP (KB973346)Security Update for Windows XP (KB973354)Security Update for Windows XP (KB973507)Security Update for Windows XP (KB973525)Security Update for Windows XP (KB973869)Security Update for Windows XP (KB973904)Security Update for Windows XP (KB974112)Security Update for Windows XP (KB974318)Security Update for Windows XP (KB974392)Security Update for Windows XP (KB974571)Security Update for Windows XP (KB975025)Security Update for Windows XP (KB975467)Security Update for Windows XP (KB975560)Security Update for Windows XP (KB975713)Security Update for Windows XP (KB977165)Security Update for Windows XP (KB977914)Security Update for Windows XP (KB978037)Security Update for Windows XP (KB978251)Security Update for Windows XP (KB978262)Security Update for Windows XP (KB978706)SoundMAXSUPERAntiSpyware Free EditionUnInstall Envy24 Family Audio Device DriverUninstall MobWars BotUpdate for Windows Internet Explorer 8 (KB968220)Update for Windows Internet Explorer 8 (KB976662)Update for Windows XP (KB951978)Update for Windows XP (KB955759)Update for Windows XP (KB955839)Update for Windows XP (KB967715)Update for Windows XP (KB968389)Update for Windows XP (KB971737)Update for Windows XP (KB973687)Update for Windows XP (KB973815)Verizon FiOS ActivationVerizon Help and Support ToolVerizon Yahoo! ApplicationsViewpoint Media PlayerVz In Home AgentWebFldrs XPWindows Genuine Advantage Notifications (KB905474)Windows Genuine Advantage Validation Tool (KB892130)Windows Internet Explorer 7Windows Internet Explorer 8Windows Media Format 11 runtimeWindows Media Player 11Windows XP Service Pack 3Yahoo! Browser ServicesYahoo! Toolbar==== Event Viewer Messages From Past Week ========2/28/2010 12:15:45 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The system cannot find the file specified.2/28/2010 12:15:44 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'wisahiri.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.2/28/2010 11:25:37 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.2/28/2010 10:58:15 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file rundll32.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 4.2.2700.5512, the version of the system file is 5.1.2600.5512.2/28/2010 10:57:20 AM, error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: Invalid access to memory location.2/28/2010 10:57:20 AM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The system cannot find the file specified.2/28/2010 10:44:23 AM, error: Service Control Manager [7034] - The LiveUpdate Notice Service service terminated unexpectedly. It has done this 1 time(s).2/28/2010 10:41:42 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file atmarpc.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.2/28/2010 10:41:35 AM, error: Service Control Manager [7000] - The RAS Asynchronous Media Driver service failed to start due to the following error: The system cannot find the file specified.2/28/2010 10:41:31 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file asyncmac.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.2/28/2010 10:41:23 AM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: The system cannot find the file specified.2/28/2010 10:41:00 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file aec.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2601.3142.2/28/2010 10:41:00 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file ctfmon.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 4.2.2700.5512, the version of the system file is 5.1.2600.5512.==== End Of File =========================== Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 28, 2010 ID:207552 Share Posted February 28, 2010 Please only use the at bottom of forum window when starting a reply. Do not use quote box replies. Unless you do a very limited quote.You will want to print out or copy these instructions to Notepad for offline reference!If you are a casual viewer, do NOT try this on your system! If you are not jpaulr and have a similar problem, do NOT post here; start your own topicDo not run or start any other programs while these utilities and tools are in use! Do NOT run any other tools on your own or do any fixes other than what is listed here.If you have questions, please ask before you do something on your own.But it is important that you get going on these following steps.=Close any of your open programs while you run these tools.ALSO, do NOT surf the web. Only go to sites I guide you to and this forum.Step 1Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from >>> here <<< Double-click FixPolicies.exe. Click the "Install" button on the bottom toolbar of the box that will open. The program will create a new Folder called FixPolicies. Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd. A black box will briefly appear and then close. This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.Step 21. Go >> Here << and download ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)2. Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)3. Start ERUNT (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)4. Choose a location for the backup (the default location is C:\WINDOWS\ERDNT which is acceptable).5. Make sure that at least the first two check boxes are ticked 6. Press OK7. Press YES to create the folder.Step 3Set Windows to show all files and all folders. On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed. "CHECK" (turn on) Display the contents of system folders. Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders. Next, un-check Hide extensions for known file types. Next un-check Hide protected operating system files. Step 4Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsFor directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware ProgramsDo NOT turn off the firewall Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):*****************************************************************:filesc:\windows\system32\litinika.dllc:\windows\system32\wisahiri.dllc:\windows\system32\pegojehe.dllc:\windows\system32\app_dll.dllc:\windows\_VOIDrtfjwibcegc:\documents and settings\paul1\rundll32.exec:\windows\system32\sshnas21.dllc:\windows\system32\mlfcache.datC:\recyclerD:\recyclere:\recyclerf:\recyclerg:\recyclerh:\recycler:reg[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"risakubiza"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"mitomapuw"=-:Commands[purity][emptytemp][CREATERESTOREPOINT]*****************************************************************Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.Close any browser(s) windows that may be open.Using your mouse, click on the red-lettered button Run Fix.Once you see a message box "Fix complete! Click OK to open the fix log."Click the OK buttonThe log will open in Notepad (your default text editor).Save the log. Post a copy of that log in your next reply.Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.Step 5Repeat the steps to disable your real-time AV monitors.Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsFor directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware ProgramsDo NOT turn off the firewallIf you have a prior copy of Combofix, delete it now !Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop. Link 1 Link 2 Link 3 * IMPORTANT !!! SAVE AS Combo-Fix.exe to your DesktopIf your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsDouble click on Combo-Fix.exe & follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.------------------------------------------------------- A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. RE-Enable your AntiVirus and AntiSpyware applications.Reply with copy of the OTL MovedFiles log andC:\Combofix.txt Link to post Share on other sites More sharing options...
jpaulr Posted February 28, 2010 Author ID:207562 Share Posted February 28, 2010 I am unable to click on OTL.exe or the icon in your post. I tried it on another machine and it doesn't seem to be executable. I am running on XP. Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 28, 2010 ID:207567 Share Posted February 28, 2010 Sorry, I forgot to guide you to get OTL. Download it and save to your Desktop.Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exeThen follow the steps I outlined, in the order that I had listed. Link to post Share on other sites More sharing options...
jpaulr Posted February 28, 2010 Author ID:207578 Share Posted February 28, 2010 OLT log (had to reboot a 2nd time b/c the desktop would not come up.)All processes killed========== FILES ==========File\Folder c:\windows\system32\litinika.dll not found.File\Folder c:\windows\system32\wisahiri.dll not found.c:\windows\system32\pegojehe.dll moved successfully.c:\windows\system32\app_dll.dll moved successfully.c:\windows\_VOIDrtfjwibceg folder moved successfully.c:\documents and settings\paul1\rundll32.exe moved successfully.c:\windows\system32\sshnas21.dll moved successfully.c:\windows\system32\mlfcache.dat moved successfully.C:\RECYCLER\S-1-5-21-448539723-616249376-725345543-1005 folder moved successfully.C:\RECYCLER\S-1-5-21-448539723-616249376-725345543-1004 folder moved successfully.C:\RECYCLER\S-1-5-18 folder moved successfully.C:\RECYCLER folder moved successfully.File\Folder D:\recycler not found.File\Folder e:\recycler not found.File\Folder f:\recycler not found.File\Folder g:\recycler not found.File\Folder h:\recycler not found.========== REGISTRY ==========Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\risakubiza deleted successfully.Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\mitomapuw deleted successfully.========== COMMANDS ==========[EMPTYTEMP]User: #1Mom->Temp folder emptied: 22020876 bytes->Temporary Internet Files folder emptied: 53711027 bytes->Java cache emptied: 31545568 bytes->FireFox cache emptied: 40804577 bytesUser: All UsersUser: Default User->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 33170 bytesUser: LocalService->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 10125536 bytesUser: NetworkService->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 73609168 bytesUser: Paul1->Temp folder emptied: 744463194 bytes->Temporary Internet Files folder emptied: 143805308 bytes->Java cache emptied: 69421157 bytes->FireFox cache emptied: 36907671 bytes%systemdrive% .tmp files removed: 0 bytes%systemroot% .tmp files removed: 2162283 bytes%systemroot%\System32 .tmp files removed: 10156049 bytes%systemroot%\System32\dllcache .tmp files removed: 0 bytes%systemroot%\System32\drivers .tmp files removed: 0 bytesWindows Temp folder emptied: 5354278 bytes%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 89156 bytesRecycleBin emptied: 0 bytesTotal Files Cleaned = 1,187.00 mbRestore point Set: OTL Restore Point (64424509440)OTL by OldTimer - Version 3.1.30.3 log created on 02282010_171047Files\Folders moved on Reboot...Registry entries deleted on Reboot...Combo Fix LogComboFix 10-02-27.04 - Paul1 02/28/2010 17:31:56.1.2 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.93 [GMT -5:00]Running from: c:\documents and settings\Paul1\Desktop\Combo-Fix.exeAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\Paul1\Local Settings\Application Data\av.exec:\documents and settings\Paul1\rundll32 .exec:\documents and settings\Paul1\rundll32.exec:\program files\Internet Explorer\js.muic:\program files\Internet Explorer\wmpscfgs.exec:\windows\system32\certstore.datc:\windows\system32\ctfmon .exec:\windows\system32\hkcmd .exec:\windows\system32\igfxpers .exec:\windows\system32\igfxtray .exec:\windows\system32\perowimi.dllc:\windows\system32\rundll32 .exec:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.jobc:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_6TO4-------\Legacy_SSHNAS-------\Legacy__VOIDrtfjwibceg-------\Service__VOIDrtfjwibceg-------\Service_6to4-------\Service_SSHNAS((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 ))))))))))))))))))))))))))))))).2010-02-28 22:10 . 2010-02-28 22:10 -------- d-----w- C:\_OTL2010-02-28 21:53 . 2010-02-28 21:53 -------- d-----w- c:\program files\ERUNT2010-02-28 18:33 . 2010-02-28 18:33 -------- d-----w- c:\documents and settings\Paul1\Local Settings\Application Data\Temp2010-02-28 17:14 . 2010-02-28 17:14 4 ----a-w- c:\program files\2996031.dat2010-02-28 16:33 . 2010-02-28 16:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google2010-02-28 16:28 . 2010-02-28 16:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google2010-02-28 15:59 . 2010-02-28 15:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache2010-02-28 15:58 . 2010-02-28 15:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE2010-02-28 15:58 . 2010-02-28 15:58 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!2010-02-28 15:58 . 2010-02-28 15:58 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\AIM Toolbar2010-02-28 15:58 . 2010-02-28 17:18 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google2010-02-28 15:55 . 2010-02-28 15:55 4 ----a-w- c:\program files\746640.dat2010-02-20 23:26 . 2010-02-20 23:26 -------- d-----w- c:\program files\iPod2010-02-20 23:26 . 2010-02-28 22:40 -------- d-----w- c:\program files\iTunes1601-01-01 00:00 . 1601-01-01 00:00 0 ----a-w- c:\program files\106250.dat.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-02-28 22:40 . 2010-01-20 11:33 -------- d-----w- c:\program files\QuickTime2010-02-28 22:40 . 2009-09-06 00:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-02-28 22:40 . 2009-07-04 20:43 -------- d-----w- c:\program files\Verizon2010-02-28 22:40 . 2009-05-02 00:13 -------- d-----w- c:\program files\Audio Deck2010-02-28 22:40 . 2005-09-20 13:36 55808 ----a-w- c:\windows\system32\igfxpers.exe2010-02-28 22:40 . 2007-05-15 15:08 55808 ----a-w- c:\windows\system32\hkcmd.exe2010-02-28 22:40 . 2007-05-15 15:08 55808 ----a-w- c:\windows\system32\igfxtray.exe2010-02-28 22:23 . 2005-09-20 13:36 55808 ----a-w- c:\windows\system32\igfxpers .exe2010-02-28 22:23 . 2007-05-15 15:08 55808 ----a-w- c:\windows\system32\hkcmd .exe2010-02-28 22:23 . 2007-05-15 15:08 55808 ----a-w- c:\windows\system32\igfxtray .exe2010-02-28 22:23 . 2009-09-05 22:34 -------- d-----w- c:\program files\SUPERAntiSpyware2010-02-28 22:23 . 2009-06-19 22:47 -------- d-----w- c:\program files\AIM62010-02-28 17:44 . 2007-09-22 23:15 -------- d-----w- c:\documents and settings\Paul1\Application Data\U32010-02-28 16:28 . 2007-06-02 14:33 -------- d-----w- c:\program files\Google2010-02-20 23:26 . 2007-10-28 23:32 -------- d-----w- c:\program files\Common Files\Apple2010-02-20 23:19 . 2010-02-20 23:19 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe2010-01-12 20:25 . 2010-01-14 23:07 52224 ----a-w- c:\documents and settings\Paul1\Application Data\Mozilla\Firefox\Profiles\3x29nyyw.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll2010-01-12 20:25 . 2010-01-14 23:07 101376 ----a-w- c:\documents and settings\Paul1\Application Data\Mozilla\Firefox\Profiles\3x29nyyw.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll2010-01-07 21:07 . 2009-09-06 00:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-01-07 21:07 . 2009-09-06 00:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys2009-12-25 03:09 . 2009-12-25 03:09 79488 ----a-w- c:\documents and settings\Paul1\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll2009-12-23 13:43 . 2009-05-16 10:30 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll2009-12-16 18:43 . 2007-05-15 14:31 343040 ----a-w- c:\windows\system32\mspaint.exe2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll2009-12-08 19:26 . 2004-08-04 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys2010-02-07 15:01 . 2010-02-07 15:01 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll.<pre>c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exec:\program files\AIM6\aim6 .exec:\program files\Analog Devices\Core\smax4pnp .exec:\program files\Audio Deck\enmixcpl .exec:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\pifsvc .exec:\program files\Google\Google Desktop Search\googledesktop .exec:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exec:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exec:\program files\iTunes\ituneshelper .exec:\program files\Java\jre6\bin\jusched .exec:\program files\Malwarebytes' Anti-Malware\mbam .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\QuickTime\qttask .exec:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr .exec:\program files\SUPERAntiSpyware\superantispyware .exec:\program files\Verizon\mccitrayapp .exec:\program files\Yahoo!\Messenger\yahoom~1 .exec:\windows\system32\hkcmd .exec:\windows\system32\igfxpers .exec:\windows\system32\igfxtray .exec:\windows\system32\rundll32 .exe</pre>((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\google\googletoolbarnotifier\googletoolbarnotifier .exe" [2010-02-28 55808]"Aim6"="c:\program files\AIM6\aim6.exe" [2010-02-28 55808]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-28 55808][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-02-28 55808]"igfxtray"="c:\windows\system32\igfxtray.exe" [2010-02-28 55808]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2010-02-28 55808]"igfxpers"="c:\windows\system32\igfxpers.exe" [2010-02-28 55808]"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-28 55808]"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2010-02-28 55808]"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2010-02-28 55808]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-02-28 55808]"EnvyHFCPL"="c:\program files\Audio Deck\EnMixCPL.exe" [2010-02-28 55808]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-02-28 55808]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-28 55808]"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-02-28 55808]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-28 55808]"mitomapuw"="c:\windows\system32\pegojehe.dll" [N/A]"risakubiza"="litinika.dll" [N/A]c:\documents and settings\Paul1\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:00000001"FirewallOverride"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)"DisableNotifications"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\Program Files\\AIM6\\aim6.exe"="c:\\Program Files\\iTunes\\iTunes.exe"=R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 1:50 PM 9968]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 1:49 PM 74480]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/16/2009 5:30 AM 108289]R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 3:42 PM 156968]R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/19/2009 5:48 PM 24652]R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [11/30/2007 9:18 PM 577664]R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 1:50 PM 7408]S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/28/2010 11:28 AM 135664]S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\googledesktop.exe [10/2/2007 6:39 AM 55808]S3 membus;membus;c:\windows\system32\membus.sys [8/4/2004 7:00 AM 2304].Contents of the 'Scheduled Tasks' folder2010-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]2010-02-28 c:\windows\Tasks\At1.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At10.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At11.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At12.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At13.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At14.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At15.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At16.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At17.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At18.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At19.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At2.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At20.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At21.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At22.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At23.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At24.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At3.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At4.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At5.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At6.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At7.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At8.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\At9.job- c:\program files\internet explorer\wmpscfgs.exe [2010-02-28 22:40]2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-28 16:27]2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-28 16:27]2010-02-28 c:\windows\Tasks\User_Feed_Synchronization-{77B2C48F-EA7F-4F1E-8AB9-11D2601C15A2}.job- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]..------- Supplementary Scan -------.uStart Page = hxxp://www.cnn.com/uInternet Settings,ProxyOverride = *.localIE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.htmlTrusted Zone: ameritrade.comTrusted Zone: ameritrade.com\researchTrusted Zone: ameritrade.com\wwwsTrusted Zone: tdameritrade.comTrusted Zone: tdameritrade.com\wwwDPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CABFF - ProfilePath - c:\documents and settings\Paul1\Application Data\Mozilla\Firefox\Profiles\3x29nyyw.default\FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dllFF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll---- FIREFOX POLICIES ----FF - user.js: yahoo.homepage.dontask - true.- - - - ORPHANS REMOVED - - - -SharedTaskScheduler-{aaa4ca1e-6db4-4d38-a4ac-87509c3dafd5} - c:\windows\system32\pegojehe.dllSSODL-henagakam-{aaa4ca1e-6db4-4d38-a4ac-87509c3dafd5} - c:\windows\system32\pegojehe.dllAddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-02-28 17:39Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\windows\system32\rundll32 .exe 33280 bytes executablec:\windows\system32\hkcmd .exe 55808 bytes executablec:\windows\system32\igfxpers .exe 55808 bytes executablec:\windows\system32\igfxtray .exe 55808 bytes executablescan completed successfullyhidden files: 4**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]@Denied: (2) (LocalSystem)"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,d2,3c,f7,e9,5f,6c,47,b8,de,9e,\"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,d2,3c,f7,e9,5f,6c,47,b8,de,9e,\.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(632)c:\program files\SUPERAntiSpyware\SASWINLO.dllc:\windows\system32\WININET.dll- - - - - - - > 'explorer.exe'(3988)c:\windows\system32\WININET.dllc:\windows\system32\ieframe.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dllc:\program files\SUPERAntiSpyware\SASSEH.DLL.------------------------ Other Running Processes ------------------------.c:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\Java\jre6\bin\jqs.exec:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc .exec:\program files\Common Files\Motive\McciCMService.exec:\program files\analog devices\core\smax4pnp .exec:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc .exec:\program files\google\google desktop search\googledesktop .exec:\program files\seagate\seagatemanager\freeagent status\stxmenumgr .exec:\program files\google\googletoolbarnotifier\googletoolbarnotifier .exec:\program files\verizon\mccitrayapp .exec:\program files\audio deck\enmixcpl .exec:\program files\java\jre6\bin\jusched .exec:\program files\superantispyware\superantispyware .exec:\program files\aim6\aim6 .exec:\program files\itunes\ituneshelper .exec:\program files\AIM6\aolsoftware.exec:\program files\iPod\bin\iPodService.exec:\program files\Mozilla Firefox\firefox.exe.**************************************************************************.Completion time: 2010-02-28 17:46:05 - machine was rebootedComboFix-quarantined-files.txt 2010-02-28 22:45Pre-Run: 126,032,044,032 bytes freePost-Run: 125,935,644,672 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect- - End Of File - - 4375A0C5497B3748F8D631BEDEC1B82A Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 28, 2010 ID:207580 Share Posted February 28, 2010 Download The Avenger by Swandog46 from here.Unzip/extract it to a folder on your desktop.Double click on avenger.exe to run The Avenger.Click OK.Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.Files to delete:c:\windows\system32\pegojehe.dllc:\windows\Tasks\At1.jobc:\windows\Tasks\At2.jobc:\windows\Tasks\At3.jobc:\windows\Tasks\At4.jobc:\windows\Tasks\At5.jobc:\windows\Tasks\At6.jobc:\windows\Tasks\At7.jobc:\windows\Tasks\At8.jobc:\windows\Tasks\At9.jobc:\windows\Tasks\At10.jobc:\windows\Tasks\At11.jobc:\windows\Tasks\At12.jobc:\windows\Tasks\At13.jobc:\windows\Tasks\At14.jobc:\windows\Tasks\At15.jobc:\windows\Tasks\At16.jobc:\windows\Tasks\At17.jobc:\windows\Tasks\At18.jobc:\windows\Tasks\At19.jobc:\windows\Tasks\At20.jobc:\windows\Tasks\At21.jobc:\windows\Tasks\At22.jobc:\windows\Tasks\At23.jobc:\windows\Tasks\At24.jobc:\program files\106250.datRegistry values to delete:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | mitomapuwHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | risakubizaIn the avenger window, click the Paste Script from Clipboard icon, button. :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.Click the Execute button.You will be asked Are you sure you want to execute the current script?.Click Yes.You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.Click Yes.Your PC will now be rebooted.Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.and then reboot the system again. Link to post Share on other sites More sharing options...
jpaulr Posted February 28, 2010 Author ID:207585 Share Posted February 28, 2010 I meant to mention I was able to get the Defogger to work - it was run earlier before the OLT / combo fix step. I haven't "re-enabled" yet.Logfile of The Avenger Version 2.0, © by Swandog46http://swandog46.geekstogo.comPlatform: Windows XP*******************Script file opened successfully.Script file read successfully.Backups directory opened successfully at C:\Avenger*******************Beginning to process script file:Rootkit scan active.No rootkits found!Error: file "c:\windows\system32\pegojehe.dll" not found!Deletion of file "c:\windows\system32\pegojehe.dll" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existFile "c:\windows\Tasks\At1.job" deleted successfully.File "c:\windows\Tasks\At2.job" deleted successfully.File "c:\windows\Tasks\At3.job" deleted successfully.File "c:\windows\Tasks\At4.job" deleted successfully.File "c:\windows\Tasks\At5.job" deleted successfully.File "c:\windows\Tasks\At6.job" deleted successfully.File "c:\windows\Tasks\At7.job" deleted successfully.File "c:\windows\Tasks\At8.job" deleted successfully.File "c:\windows\Tasks\At9.job" deleted successfully.File "c:\windows\Tasks\At10.job" deleted successfully.File "c:\windows\Tasks\At11.job" deleted successfully.File "c:\windows\Tasks\At12.job" deleted successfully.File "c:\windows\Tasks\At13.job" deleted successfully.File "c:\windows\Tasks\At14.job" deleted successfully.File "c:\windows\Tasks\At15.job" deleted successfully.File "c:\windows\Tasks\At16.job" deleted successfully.File "c:\windows\Tasks\At17.job" deleted successfully.File "c:\windows\Tasks\At18.job" deleted successfully.File "c:\windows\Tasks\At19.job" deleted successfully.File "c:\windows\Tasks\At20.job" deleted successfully.File "c:\windows\Tasks\At21.job" deleted successfully.File "c:\windows\Tasks\At22.job" deleted successfully.File "c:\windows\Tasks\At23.job" deleted successfully.File "c:\windows\Tasks\At24.job" deleted successfully.Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|mitomapuw" deleted successfully.Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|risakubiza" deleted successfully.Completed script processing.*******************Finished! Terminate. Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 28, 2010 ID:207587 Share Posted February 28, 2010 Leave the Defogger & it's re-enable to later. The system has a pretty serious Vundo infection. I'd like for you to do the 3 following scans. Have plenty of patience (infinite patience) as each one of them runs. Do not use the system for other tasks.Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsFor directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware ProgramsDo NOT turn off the firewallStep 1Please download and run the Trend Micro Sysclean Package on your computer.NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.Trend Micro Damage Cleanup Engine[*]Make sure you read this document to understand how to use the program. Trend Micro Sysclean Package README 1st[*]Basically there are 3 parts that need to be downloaded and SAVED from these links:[*]Download Sysclean Package[*]Download Virus Pattern Files that will be a LPTxxx.ZIP file[*]Download Spyware Pattern Files this is a SSAPIPTNxxx.ZIPIt is the 4th listed file, under title "Detection and Cleanup (Trend Micro Anti-Spyware) Link to post Share on other sites More sharing options...
jpaulr Posted March 1, 2010 Author ID:207690 Share Posted March 1, 2010 Yah you weren't kidding... that took some patience. This is an older PC not a lot of UMPH so... here you go.It is working better for sure... am I clean? Still getting trojan warnings w/ Kaspersky in Adobe? /--------------------------------------------------------------\| Trend Micro System Cleaner || Copyright 2009-2010, Trend Micro, Inc. || http://www.trendmicro.com |\--------------------------------------------------------------/2010-02-28, 18:44:35, Auto-clean mode specified.2010-02-28, 18:44:36, Initialized Rootkit Driver version 2.2.0.1004.2010-02-28, 18:44:36, Running scanner "C:\DCE\TSC.BIN"...2010-02-28, 18:45:20, Scanner "C:\DCE\TSC.BIN" has finished running.2010-02-28, 18:45:20, TSC Log: Link to post Share on other sites More sharing options...
Maurice Naggar Posted March 2, 2010 ID:208207 Share Posted March 2, 2010 I'm going to have OTL remove 3 files tagged by the last scans. I note that the MBAM scan found and removed a rootkit "membus.sys" That plus the notations by SYSCLEAM of a trojan agent TROJ-KRAP.SMD has me concerned. Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):*****************************************************************:filesC:\WINDOWS\Temp\wmpscfgs.exeC:\Program Files\Adobe\6729140.oldC:\Program Files\Adobe\6729140.oldC:\recyclerD:\recyclere:\recyclerf:\recyclerg:\recyclerh:\recycler:Commands[purity][emptytemp][CREATERESTOREPOINT]*****************************************************************Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.Close any browser(s) windows that may be open.Using your mouse, click on the red-lettered button Run Fix.Once you see a message box "Fix complete! Click OK to open the fix log."Click the OK buttonThe log will open in Notepad (your default text editor).Save the log. Post a copy of that log in your next reply.Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.Next:Download RootRepeal from one of these links:>> Link 1<<or >>Link 2<<or >>Link 3<<SAVE the zip download to your Desktop. Extract the archive to a folder you create such as C:\RootRepealDouble-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator).Click the "File" tab (located at the bottom of the RootRepeal screen)Click the "Scan" buttonIn the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:Click OK and the file scan will beginWhen the scan is done, there will be files listed, but most if not all of them will be legitimateClick the "Save Report" ButtonSave the log file to your Documents folderPost the content of the RootRepeal file scan log in your next reply.Next:Disable any script blocker if your antivirus/antimalware has it.Then double click dds.scr to run the tool.DDS will run in a command prompt window and will take 3 to 4 minutes or so.When done, DDS will open two (2) logs: DDS.txt Attach.txtSave both reports to your desktop.Reply with copy of the OTL MOvedFiles log & Rootrepeal logDDS.txt Link to post Share on other sites More sharing options...
jpaulr Posted March 2, 2010 Author ID:208224 Share Posted March 2, 2010 Attached are the 3 specified logs. The attach.txt log was produced but you did not ask for it? I have it if you need it. PaulOLT LogAll processes killed========== FILES ==========File\Folder C:\WINDOWS\Temp\wmpscfgs.exe not found.C:\Program Files\Adobe\6729140.old moved successfully.File\Folder C:\Program Files\Adobe\6729140.old not found.File\Folder C:\recycler not found.File\Folder D:\recycler not found.File\Folder e:\recycler not found.File\Folder f:\recycler not found.File\Folder g:\recycler not found.File\Folder h:\recycler not found.========== COMMANDS ==========[EMPTYTEMP]User: #1Mom->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 0 bytes->Java cache emptied: 0 bytes->FireFox cache emptied: 0 bytesUser: All UsersUser: Default User->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 0 bytesUser: LocalService->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 32902 bytesUser: NetworkService->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 32902 bytesUser: Paul1->Temp folder emptied: 99186637 bytes->Temporary Internet Files folder emptied: 17437735 bytes->Java cache emptied: 128013 bytes->FireFox cache emptied: 32214258 bytes%systemdrive% .tmp files removed: 0 bytes%systemroot% .tmp files removed: 0 bytes%systemroot%\System32 .tmp files removed: 0 bytes%systemroot%\System32\dllcache .tmp files removed: 0 bytes%systemroot%\System32\drivers .tmp files removed: 0 bytesWindows Temp folder emptied: 3284 bytes%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34320 bytesRecycleBin emptied: 0 bytesTotal Files Cleaned = 142.00 mbRestore point Set: OTL Restore Point (64424509440)OTL by OldTimer - Version 3.1.30.3 log created on 03012010_230207Files\Folders moved on Reboot...Registry entries deleted on Reboot...ROOT REPEAL LOGROOTREPEAL © AD, 2007-2009==================================================Scan Start Time: 2010/03/01 23:14Program Version: Version 1.3.5.0Windows Version: Windows XP SP3==================================================Hidden/Locked Files-------------------Path: C:\hiberfil.sysStatus: Locked to the Windows API!DDS LOGDDS (Ver_09-12-01.01) - NTFSx86 Run by Paul1 at 23:15:52.26 on Mon 03/01/2010Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.237 [GMT -5:00]AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exesvchost.exeC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Motive\McciCMService.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\System32\svchost.exe -k HTTPFilterC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\wscntfy.exeC:\Documents and Settings\Paul1\Desktop\dds.scr============== Pseudo HJT Report ===============uStart Page = about:blankmStart Page = about:blankuInternet Settings,ProxyOverride = *.localuURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dllmURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dllBHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dllBHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dllBHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dllBHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllTB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dllTB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dllTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dlluRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quietuRun: [ctfmon.exe] c:\windows\system32\ctfmon.exemRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /minStartupFolder: c:\docume~1\paul1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXEIE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.htmlIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dllIE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dllIE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dllTrusted Zone: ameritrade.comTrusted Zone: ameritrade.com\researchTrusted Zone: ameritrade.com\wwwsTrusted Zone: tdameritrade.comTrusted Zone: tdameritrade.com\wwwDPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CABDPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cabDPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cabDPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cabDPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} - hxxp://mail.lycos.com/hanmail-ax/AttachMail.cabDPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabNotify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dllNotify: igfxcui - igfxdev.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL================= FIREFOX ===================FF - ProfilePath - c:\docume~1\paul1\applic~1\mozilla\firefox\profiles\3x29nyyw.default\FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dllFF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dllFF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dllFF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dllFF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}---- FIREFOX POLICIES ----FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);============= SERVICES / DRIVERS ===============R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-16 11608]R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-4 9968]R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 74480]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-16 108289]R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-16 185089]R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-16 56816]R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-19 24652]R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2007-11-30 577664]S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-28 135664]S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 7408]S4 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589; [x]=============== Created Last 30 ================2010-02-28 23:38:27 0 d-----w- C:\DCE2010-02-28 22:29:01 0 d-sha-r- C:\cmdcons2010-02-28 22:28:08 98816 ----a-w- c:\windows\sed.exe2010-02-28 22:28:08 77312 ----a-w- c:\windows\MBR.exe2010-02-28 22:28:08 261632 ----a-w- c:\windows\PEV.exe2010-02-28 22:28:08 161792 ----a-w- c:\windows\SWREG.exe2010-02-28 22:10:47 0 d-----w- C:\_OTL2010-02-28 21:17:08 0 ----a-w- c:\documents and settings\paul1\defogger_reenable2010-02-28 17:14:30 4 ----a-w- c:\program files\2996031.dat2010-02-28 15:55:21 4 ----a-w- c:\program files\746640.dat2010-02-20 23:26:52 0 d-----w- c:\program files\iPod2010-02-20 23:26:32 0 d-----w- c:\program files\iTunes==================== Find3M ====================2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe2009-03-08 00:42:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030720090308\index.dat============= FINISH: 23:16:01.64 =============== Link to post Share on other sites More sharing options...
Maurice Naggar Posted March 2, 2010 ID:208252 Share Posted March 2, 2010 Paul,You did right. I did not want the Attach report.Let's have you do a system restore cleanup & then follow that by a new FULL scan with MBAM.The MBAM scan should run a bit faster than last time, no more than 35 minutes.Please close & save & exit any open documents, and close user apps you started.Run Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVPhttp://bertk.mvps.org/html/diskclean.htmlStart your MBAM MalwareBytes' Anti-Malware. Click the Settings Tab. Make sure all option lines have a checkmark.Next, Click the Update tab. Press the "Check for Updates" button. When done, click the Scanner tab.Do a FULL Scan. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Reply with copy of latest MBAM scan log. Link to post Share on other sites More sharing options...
jpaulr Posted March 2, 2010 Author ID:208389 Share Posted March 2, 2010 MBAM log looks clean. I was not prompted to reboot. Malwarebytes' Anti-Malware 1.44Database version: 3811Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187023/2/2010 6:43:09 AMmbam-log-2010-03-02 (06-43-09).txtScan type: Full Scan (C:\|)Objects scanned: 175460Time elapsed: 37 minute(s), 39 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
jpaulr Posted March 3, 2010 Author ID:208972 Share Posted March 3, 2010 Everything looks ok now? Do I run the un-defogger? Link to post Share on other sites More sharing options...
Maurice Naggar Posted March 3, 2010 ID:209038 Share Posted March 3, 2010 Hello Paul,Your system is good to go after you complete the following update and the cleanup steps.Use the defogger reversion after you are done.Close and save any open documents & any programs you started. Let these updates & utilities run without your starting other tasks.Your Java runtime is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 18 -"Click the " red Download JRE" button.Select the Windows platform from the dropdown menu.Read the License Agreement and then check the box that says: "Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement . ". Click on Continue.The page will refresh.Click on the link to download Windows Offline Installation and save the file to your desktop.Close any programs you may have running - especially your web browser.Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.Remove any prior Java runtime versions.Click the Remove or Change/Remove button.Repeat as many times as necessary to remove each Java versions.Reboot your computer once all Java components are removed.Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button.Next, click on the Delete Files buttonThere are two options in the window to clear the cache - Leave BOTH CheckedApplications and AppletsTrace and Log Files[*]Click OK on Delete Temporary Files WindowNote: This deletes ALL the Downloaded Applications and Applets from the CACHE.[*]Click OK to leave the Temporary Files WindowSmall tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:Click Advanced Tab. Expand the Miscellaneous item.UN-check the line Java quick starterIf you want to also un-check the "Check for updates automatically" you may:Click the Update tab. un-check the line if it is checked.Press Apply then OK. Close the applet when done.To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xmlWhen all is well, you should see Java Version: 1.6.0_18 from Sun Microsystems Inc.Cleanups / removalsGo to Control Panel and Add-or-Remove programs.Look for Kaspersky Online and click the line for it. Select Change/Remove to de-install it.OK & Exit out of Control PanelI see that you are clear of your original issues. If you have a problem with these steps, or something does not quite work here, do let me know.The following few steps will remove tools we used; followed by advice on staying safer.The "/uninstall" in the Run line below is to start Combofix for it's cleanup & removal function.Note the space after exe and before the slash mark.The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.Click Start, then click Run. Then type in the text box that opens, type or copy/paste Combo-Fix.exe /uninstall and then click OK.IF you run into a hitch removing Combofix, continue forward anyway to the remaining steps. Please double-click OTL.exe to run it. Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes. This step removes the files, folders, and shortcuts created by the tools I had you download and run. Delete the SYSCLEAN downloads and the C:\DCE folderRun Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVPhttp://bertk.mvps.org/html/diskclean.html Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.Check in at Windows Update and install any Critical Updates offered.Check on other update issues as well, visit Secunia Online Software Inspector (OSI)Make certain that Automatic Updates is enabled.How to configure and use Automatic Updates in WinXP: http://support.microsoft.com/kb/306525 Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm That would help to keep your browser away from known spyware/malware sites. Make regular backups of your system to removable media: DVD, USB external hard drive, etc.On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:Kaspersky Webscan Online Virus Scanner ESET Online ScannerPanda ActiveScan Trend Micro HousecallF-Secure Online Scanner Read Tony Klein's article How Did I Get Infected In The First Place Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !Stay safe. We are done here. Best to you. Link to post Share on other sites More sharing options...
Recommended Posts