Adela Posted March 25, 2010 ID:221719 Share Posted March 25, 2010 [MS WinXP Home 2002 - SP2; OE 6; IE 6; MS Office Pro; Avira Antivir Personal Free anti-virus; Dell Dimension XPS T448MHz Pentium III; 384MB RAM; high speed cable; Windows Media Player; Adobe Reader 8; Adobe Flash Player 10 Activex..]Hello, I just got rid of the Cleanup Antivirus which reported that I had 800 infections! I scanned with Malwarebytes and was surprised it said ZERO INFECTIONS after a 2-hour scan! Someone said to use http://www.surfright.nl/en/shop/hitmanpro which took just 2.5 minutes and found 3 infections! I then posted in "MS Windows" here and 3 wonderful members: mountaintree, noknojon and Firefox showed me how to use the malwarebytes and advised to post here. And this time it found 783 infections, 16 values and 2 files!!! I'm very grateful to them, but I'm still experiencing just one more "error": "This document has moved redirec..." and it takes me to different pages. So I did a full scan with Avira and only found "2 warnings" which I don't know what it means, and another scan with malwarebytes which this time didn't find anything.I was thinking of using "Hijack This" which I never used before, but I'm afraid since I can't tell which items are ok to delete and which items are system files and best left alone....Will appreciate it a lot if you could give me some suggestions? Thanks so much! Adela Link to post Share on other sites More sharing options...
Ltangelic Posted March 31, 2010 ID:224718 Share Posted March 31, 2010 Hey Adela,Welcome to Malwarebytes! I'm Ltangelic and I'll be helping you fix your computer problem.Before we proceed, here are some things that you can take note of so that the cleaning up process will be more smooth and efficient. Do not worry, the points below are not any form of rules, it's just a few pointers that can ensure that you will get the best help from me. To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply was posted to your thread. If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them. Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to, this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing. Please do not PM me for malware removal assistance, any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message to me on here. Please do not start multiple topics (especially when you are already being assisted by an authorised staff). All staff are volunteers on here, starting multiple topics will waste the limited resource of manpower we have here at Malwarebytes, and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.Meanwhile, please do the following:Please download DDS and save it to your desktop.Disable any script blocking protection Double click dds.scr to run the tool. When done, DDS.txt will open. Click Yes at the next prompt for Optional Scan. Save both reports to your desktop.---------------------------------------------------Please include the contents of the following in your next reply:DDS.txtPlease attach the second file; Attach.txt. To attach a file, do the following:Under the reply panel is the Attachments PanelBrowse for the attachment file you want to upload, then click the green Upload buttonOnce it has uploaded, click the Manage Current Attachments drop down boxClick on to insert the attachment into your post Link to post Share on other sites More sharing options...
Adela Posted March 31, 2010 Author ID:224867 Share Posted March 31, 2010 [*] Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to, this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.Hello and thank you Ltangelic! I just subscribed to receive replies. You are right that's why I wanted to ask you before I start if I should uninstall the 2 current anti-spy/anti-virus programs I have? I installed Hitman 3.5 which is very good because it's catching infections all the time, but when I thought my trial period was over and uninstalled it and got another one: Eset Nod32...then both are working at the same time! Even though I remember clearly uninstalling Hitman from my add/remove and from "All Programs" before getting the other one! NOW I'M CONFUSED! lol! Also in case you need to know it, 2 of the "errors" I had got fixed, except the frequent one with the message: "This program is not responding and it will shut off", and also the computer has become unreasonably slower...I'll wait for your response before starting the instructions that you so very kindly sent me. AdelaP.S. I notice you also know Lavasoft, I used to have it but it never worked properly for me... Link to post Share on other sites More sharing options...
Ltangelic Posted April 1, 2010 ID:225299 Share Posted April 1, 2010 Hi Adela,Thank you for getting back to me. You are right that's why I wanted to ask you before I start if I should uninstall the 2 current anti-spy/anti-virus programs I have? I installed Hitman 3.5 which is very good because it's catching infections all the time, but when I thought my trial period was over and uninstalled it and got another one: Eset Nod32...then both are working at the same time! Even though I remember clearly uninstalling Hitman from my add/remove and from "All Programs" before getting the other one! NOW I'M CONFUSED! lol!Also in case you need to know it, 2 of the "errors" I had got fixed, except the frequent one with the message: "This program is not responding and it will shut off", and also the computer has become unreasonably slower...I'm not sure what you mean by "both are working at the same time". Do you mean that Windows Security Center says you have 2 anti-virus running? If so, there could be a corruption in the Repository folder, please go to the following link to resolve this issue:http://kb.eset.com/esetkb/index?page=content&id=SOLN367We'll look into your computer slowness as we move on with the fix. Now, could you please run DDS and post me the required logs? Thanks. Link to post Share on other sites More sharing options...
Adela Posted April 2, 2010 Author ID:225887 Share Posted April 2, 2010 I'm not sure what you mean by "both are working at the same time". Do you mean that Windows Security Center says you have 2 anti-virus running? If so, there could be a corruption in the Repository folder, please go to the following link to resolve this issue:Hi Ltangelic, I'm sorry that I'm running slow in doing the good instructions you are giving me, but I'm having some health issues and are running around for tests, etc. :-)Oh they aren't 2 anti-virus. They're one anti-virus and one anti-spy, and they are fine, I only thought they were running together. So sorry again!I just downloaded and saved to my desktop the DDS, but don't know where to find and disable the "script blocking protection", please tell me where they are? Thanks. then I'll continue doing my "home work"... Thank you so much for your patience and valuable help! Adela Link to post Share on other sites More sharing options...
Ltangelic Posted April 3, 2010 ID:226394 Share Posted April 3, 2010 Hi Adela,Hi Ltangelic, I'm sorry that I'm running slow in doing the good instructions you are giving me, but I'm having some health issues and are running around for tests, etc. :-)Oh they aren't 2 anti-virus. They're one anti-virus and one anti-spy, and they are fine, I only thought they were running together. So sorry again!I just downloaded and saved to my desktop the DDS, but don't know where to find and disable the "script blocking protection", please tell me where they are? Thanks. then I'll continue doing my "home work"... Thank you so much for your patience and valuable help! AdelaI'm sorry to hear about your health condition, and I hope you will get well soon! No worries, it is my job to guide you through the cleaning up process, so feel free to ask when you don't understand.Since they are not 2 anti-virus programs, you can keep them on your computer just fine. When I mean "script-blocking protection", I am referring to your anti-virus and anti-spyware programs that can prevent DDS from running. Just disable those and you should be fine. Run DDS for me so I can have a look, thanks! Link to post Share on other sites More sharing options...
Adela Posted April 3, 2010 Author ID:226628 Share Posted April 3, 2010 Thank you againf or the explanation. Here's the log from DDS (long and complicated huh? lol!):DDS (Ver_10-03-17.01) - NTFSx86 Run by AdelaMain at 13:31:11.61 on Sat 04/03/2010Internet Explorer: 6.0.2900.2180Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.384.124 [GMT -4:00]AV: CleanUp Antivirus *On-access scanning enabled* (Updated) {1FBE6604-C5C9-446F-9468-DC3B619F8906}AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}FW: CleanUp Antivirus *enabled* {152C1CE9-49D1-4089-8DF9-F53BA020BF66}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Iomega\AutoDisk\ADUserMon.exeC:\Program Files\ESET\ESET NOD32 Antivirus\egui.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exesvchost.exeC:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Outlook Express\msimn.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Documents and Settings\AdelaMain\Desktop\DDS.scr============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuWindow Title = Microsoft Internet ExploreruSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%smURLSearchHooks: H - No FilemWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dllTB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No FileTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dllTB: {A057A204-BACC-4D26-9990-79A187E2698E} - No FileuRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hidemRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exemRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservicemRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kdRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -tStartupFolder: c:\docume~1\adelam~1\startm~1\programs\startup\erunta~1.lnk - c:\documents and settings\adelamain\desktop\erunt bu registry\AUTOBACK.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXEIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.htmlIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dllTrusted Zone: microsoft.com\wwwTrusted Zone: tagged.com\wwwDPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cabDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178907582593DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178998893165DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cabDPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cabFilter: text/html - {28825f12-b20b-492c-9b4d-ce5682eed077} - Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dllHandler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLLSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dllIFEO: image file execution options - svchost.exe============= SERVICES / DRIVERS ===============R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-11-16 96408]R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]S2 DnscacheMSIServer;DNS Client DnscacheMSIServer;c:\windows\system32\aaaamoni.exe srv --> c:\windows\system32\aaaamoni.exe srv [?]S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [2007-5-11 148352]=============== Created Last 30 ================2010-04-02 14:00:45 0 d-----w- c:\program files\MSXML 6.02010-04-02 03:05:25 2048 ----a-r- c:\windows\system32\msxml6r.dll2010-03-31 15:39:22 12872 ----a-w- c:\windows\system32\bootdelete.exe2010-03-28 23:53:25 0 d-----w- c:\program files\ESET2010-03-28 19:37:32 430 ----a-w- c:\windows\system32\.crusader2010-03-28 17:15:19 0 d-sh--w- c:\windows\system32\lowsec2010-03-28 17:12:36 190 --s-a-w- c:\windows\system32\1197536275.dat2010-03-23 23:22:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-03-23 23:22:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2010-03-21 03:36:58 230808 ----a-r- c:\windows\cpnprt2.cid2010-03-21 03:36:53 230808 ------w- c:\windows\system32\cpnprt2.cid2010-03-21 03:36:49 0 d-----w- c:\windows\Cache2010-03-21 03:36:48 0 d-----w- c:\program files\Coupons2010-03-19 14:55:06 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys2010-03-19 14:54:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro2010-03-19 14:54:29 0 d-----w- c:\program files\Hitman Pro 3.52010-03-19 02:17:14 0 d-sh--w- c:\docume~1\alluse~1\applic~1\CUEKFNDA2010-03-19 02:15:21 0 d-sh--w- c:\docume~1\alluse~1\applic~1\ad0b0da==================== Find3M ====================2010-03-28 19:41:49 95360 ----a-w- c:\windows\system32\drivers\atapi.sys2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll2010-02-26 06:12:17 81920 ----a-w- c:\windows\system32\ieencode.dll2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe2010-02-17 08:12:16 31976 -c--a-w- c:\docume~1\adelam~1\applic~1\GDIPFONTCACHEV1.DAT2010-01-22 02:55:45 51716 ----a-w- c:\windows\system32\pdf995mon.dll2010-01-22 02:55:45 249856 ----a-w- c:\windows\system32\pdfmona.dll2010-01-15 03:07:31 2560 ----a-w- c:\windows\_MSRSTRT.EXE============= FINISH: 13:32:59.22 =============== Link to post Share on other sites More sharing options...
Adela Posted April 3, 2010 Author ID:226634 Share Posted April 3, 2010 I'm sorry Ltangelic but I just saw the DDS saying I must attach not just copy to the forum. Should I then re-send as attachment? Thanks. Adela Link to post Share on other sites More sharing options...
Adela Posted April 3, 2010 Author ID:226678 Share Posted April 3, 2010 I did this over and this time I attached the file below and I hope I did it correctly.So for the DDS.txt, would it be the one I already posted?Attach.txtI'm sorry I don't see an "Edit" so I could just insert in the same reply and not occupying more space.... :-( Adela Link to post Share on other sites More sharing options...
Ltangelic Posted April 4, 2010 ID:226885 Share Posted April 4, 2010 Hey Adela,Thank you for the logs. From your log, you seem to have Cleanup Antivirus installed. Cleanup antivirus is a rogue protection software which gives exaggerated reports and false positives, and can even compromise your computer security.Please go to Add or Remove Programs and remove the following (if present):Cleanup Antivirus Then use Windows Explorer and remove the following (if present):C:\Program Files\Cleanup antivirusReboot your computer.Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (ESET Nod32 antivirus) as it/they may hinder the tools from running. Instructions is in the link below:http://www.bleepingcomputer.com/forums/topic114351.htmlDownload ComboFix from one of these locations:Link 1Link 2Link 3* IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsDouble click on ComboFix.exe & follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.Next reply (please include in your post):ComboFix.txt Link to post Share on other sites More sharing options...
Adela Posted April 4, 2010 Author ID:227192 Share Posted April 4, 2010 Hello Ltangelic, here is the contents log of C:\ComboFix.txt . Thanks for helping me so hard! AdelaComboFix 10-04-03.02 - AdelaMain 04/04/2010 18:20:12.1.1 - x86Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.384.113 [GMT -4:00]Running from: c:\documents and settings\AdelaMain\Desktop\ComboFix.exeAV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\program files\Commonc:\program files\Common\_helper.sigc:\windows\AppPatch\AcAdProc.dllc:\windows\COUPON~1.OCXc:\windows\CouponPrinter.ocxc:\windows\system32\1197536275.datc:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLLc:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\conspawn.exec:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\cpcScan.dllc:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\desktop.inic:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\LegitCheckControl.infc:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\mnviewer.dllc:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\Mnviewer.infc:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\muweb.infc:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\swflash.infc:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\wuweb.infc:\windows\system32\lowsecc:\windows\system32\lowsec\local.dsc:\windows\system32\lowsec\user.dsc:\windows\TEMP\Crt5E.tmp\kcpica.coxc:\windows\winhelp.inic:\windows\winload.inf.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_DNSCACHEMSISERVER-------\Service_DnscacheMSIServer((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 ))))))))))))))))))))))))))))))).2010-04-02 14:00 . 2010-04-02 14:00 -------- d-----w- c:\program files\MSXML 6.02010-04-02 03:05 . 2008-05-26 16:19 2048 ----a-r- c:\windows\system32\msxml6r.dll2010-03-31 15:39 . 2010-03-31 15:39 12872 ----a-w- c:\windows\system32\bootdelete.exe2010-03-29 00:26 . 2010-03-29 00:26 -------- d-----w- c:\documents and settings\AdelaMain\Local Settings\Application Data\ESET2010-03-29 00:08 . 2010-03-29 00:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET2010-03-28 23:53 . 2010-03-28 23:53 -------- d-----w- c:\program files\ESET2010-03-28 23:53 . 2010-03-28 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET2010-03-28 19:14 . 2010-03-28 19:14 -------- d-s---w- c:\documents and settings\NetworkService\UserData2010-03-23 23:22 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-03-23 23:22 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2010-03-21 03:36 . 2010-03-21 03:36 -------- d-----w- c:\windows\Cache2010-03-19 14:55 . 2010-04-04 16:22 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys2010-03-19 14:54 . 2010-03-19 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro2010-03-19 14:54 . 2010-03-19 14:54 -------- d-----w- c:\program files\Hitman Pro 3.52010-03-19 02:17 . 2010-03-19 02:17 -------- d-sh--w- c:\documents and settings\All Users\Application Data\CUEKFNDA2010-03-19 02:15 . 2010-03-19 15:01 -------- d-sh--w- c:\documents and settings\All Users\Application Data\ad0b0da.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-03-28 19:41 . 2006-02-28 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys2010-03-28 04:12 . 2007-05-11 23:52 -------- d-----w- c:\program files\Common Files\Adobe2010-03-23 23:22 . 2008-12-15 23:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-03-19 05:05 . 2008-04-02 18:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet.dll2010-02-26 06:12 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll2010-02-24 14:16 . 2009-10-02 15:51 181632 ------w- c:\windows\system32\MpSigStub.exe2010-01-22 03:08 . 2010-01-22 02:55 59 ----a-w- c:\windows\wpd99.drv2010-01-22 02:55 . 2010-01-22 02:55 51716 ----a-w- c:\windows\system32\pdf995mon.dll2010-01-22 02:55 . 2010-01-22 02:55 249856 ----a-w- c:\windows\system32\pdfmona.dll2010-01-15 03:07 . 2010-01-15 03:07 2560 ----a-w- c:\windows\_MSRSTRT.EXE.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-11 68856][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-01-24 106496]"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]@="Service"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"=R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 9:03 AM 108792]R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [11/16/2009 9:06 AM 96408]R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/16/2009 9:04 AM 735960]R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 2:29 PM 135664]S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [5/11/2007 9:46 AM 148352].Contents of the 'Scheduled Tasks' folder2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 18:29]2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 18:29]2010-04-04 c:\windows\Tasks\MP Scheduled Scan.job- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]2010-03-15 c:\windows\Tasks\Printer Software Update.job- c:\program files\Lexmark\Install\InstallWeb\InstallWeb.exe [2007-05-14 09:05]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.htmlTrusted Zone: microsoft.com\wwwTrusted Zone: tagged.com\www.- - - - ORPHANS REMOVED - - - -Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)AddRemove-Coupon Printer for Windows5.0.0.0 - c:\program files\Coupons\uninstall.exeAddRemove-{FD9E03B5-AEEA-4D59-B512-6CE4AA0281D4} - c:\documents and settings\AdelaMain\Local Settings\Application Data\{7D4B3D1D-104E-4507-9123-568BC721B7E2}\BYKI4Installer.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-04-04 18:42Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_LOCAL_MACHINE\software\lexmark\web_update]@Class="REG_SZ"@DACL=(02 0000)"InstallDir"="c:\\Program Files\\Lexmark\\Install""Day"=dword:00000000"Frequency"=dword:00000001"Hour"=dword:00000016"Minute"=dword:00000037"Second"=dword:00000034"NextMonthRun"="6""NextDayRun"="10""NextYearRun"="2007""CopyLogFile"="""TempIniFile"="""OilChange"="0""ScheduleUpdate"="0""CDdirectory"="c:\\LEXMARK\\WIN32DRV".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(140)c:\windows\system32\shdoclc.dllc:\windows\system32\msi.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dllc:\program files\Microsoft Office\Office10\msohev.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\wscntfy.exe.**************************************************************************.Completion time: 2010-04-04 18:53:33 - machine was rebootedComboFix-quarantined-files.txt 2010-04-04 22:53Pre-Run: 27,494,178,816 bytes freePost-Run: 27,510,583,296 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect- - End Of File - - 277A6EDD666B693B671DA2D36AFB3E60 Link to post Share on other sites More sharing options...
Ltangelic Posted April 6, 2010 ID:228034 Share Posted April 6, 2010 Hi,Sincere apologies for the late reply. I will be unavailable from today and a fellow colleague will take over and help you instead. Please be patient in waiting for a reply, thank you. Link to post Share on other sites More sharing options...
Staff screen317 Posted April 8, 2010 Staff ID:228909 Share Posted April 8, 2010 Adela,I will be helping you while Ltangelic is away.Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.Click Start Scanning.You should get a notification bar (on top) to install the ActiveX control. Click on it and select to install the ActiveX.Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.In case you are having problems with installing the ActiveX/starting the scan, please read here.Click the Full System Scan button.It will start to download scanner components and databases. This can take a while.The main scan will start.Once the scan has finished scanning, click the Automatic cleaning (recommended) buttonIt could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.The cleaning can take a while, so please be patient.Then click the Show report button and Copy/Paste what is present under results in your next reply.Next, download my Security Check from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.Let me know how things are running now and what issues remain.-screen317 Link to post Share on other sites More sharing options...
Adela Posted April 8, 2010 Author ID:229469 Share Posted April 8, 2010 Hello Chris and thank you for taking over while Ltangelic is away! I'm sorry that I didn't receive notice that you were here already, but it could be that since I receive so many of these notices pertaining to others, I might've inadvertently deleted it. (Is it possible to stop sending me all those emails? I'm sure I'll be receiving the ones in response to my own message since I put a check on "Instant Email Notification". Am I correct?I'll go and back up everything before following your good instructions. Thanks again! :-) Adela Link to post Share on other sites More sharing options...
Adela Posted April 9, 2010 Author ID:229539 Share Posted April 9, 2010 Hello again screen317, and I'm sorry I hit Quick Scan by error and it showed 8 infections all the same temporary file spies (track something?), etc. and it cleaned them. So I did a full scan and here's the report. It Link to post Share on other sites More sharing options...
Staff screen317 Posted April 11, 2010 Staff ID:231035 Share Posted April 11, 2010 Hi Adela,My apologies for the delay.Hello Chris and thank you for taking over while Ltangelic is away! I'm sorry that I didn't receive notice that you were here already, but it could be that since I receive so many of these notices pertaining to others, I might've inadvertently deleted it. (Is it possible to stop sending me all those emails? I'm sure I'll be receiving the ones in response to my own message since I put a check on "Instant Email Notification". Am I correct?It seems like you subscribed to the forum instead of just this topic. That would make you receive many e-mails. There should be link to unsubscribing from topics in the e-mails that you're getting.Hello again screen317, and I'm sorry I hit Quick Scan by error and it showed 8 infections all the same temporary file spies (track something?), etc. and it cleaned them. So I did a full scan and here's the report. It Link to post Share on other sites More sharing options...
Adela Posted April 12, 2010 Author ID:231136 Share Posted April 12, 2010 It seems like you subscribed to the forum instead of just this topic. That would make you receive many e-mails. There should be link to unsubscribing from topics in the e-mails that you're getting.Hi Screen317 and thank you. You're right, I found the way and hopefully it will be quieter. On the topic, I am already subscribed: "Immediate Email Notification"...I hit Quick Scan by error and it showed 8 infections all the same temporary file spies (track something?), etc. and it cleaned them. So I did a full scan and here's the report. It Link to post Share on other sites More sharing options...
Staff screen317 Posted April 13, 2010 Staff ID:232168 Share Posted April 13, 2010 Hi Adela,But it's absurd since they are NOT on my lists! This may not be under this forum and perhaps I should post in a different forum?Which lists are you referring to?Navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):Java Link to post Share on other sites More sharing options...
Staff screen317 Posted April 26, 2010 Staff ID:239709 Share Posted April 26, 2010 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts