oaky72 Posted May 7, 2010 ID:246433 Share Posted May 7, 2010 hi there. i have run the scan and using malwarebytes antimalware software. it detects 7 infections and i choose to remove them. when i resetart my laptop the virus is still working.Below is my scan log and DDS log. I have also attached the attach and ark.txt files.any help is appreciated. thanksMalwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4052Windows 5.1.2600 Service Pack 2Internet Explorer 6.0.2900.218007/05/2010 20:51:21mbam-log-2010-05-07 (20-51-21).txtScan type: Quick scanObjects scanned: 130107Time elapsed: 11 minute(s), 12 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 2Folders Infected: 1Files Infected: 3Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:C:\Program Files\Digital Protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.Files Infected:C:\Documents and Settings\Pauline\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.DDS (Ver_10-03-17.01) - NTFSx86 Run by Pauline at 19:50:40.78 on 07/05/2010Internet Explorer: 6.0.2900.2180Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.278 [GMT 1:00]AV: Digital Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}============== Running Processes ===============C:\WINDOWS\system32\ibmpmsvc.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k WudfServiceGroupC:\Program Files\Intel\Wireless\Bin\S24EvMon.exesvchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exesvchost.exeC:\WINDOWS\system32\IPSSVC.EXEC:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exeC:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\svchost.exe -k imgsvcc:\program files\lenovo\system update\suservice.exeC:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exeC:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exeC:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exeC:\WINDOWS\System32\TPHDEXLG.EXEC:\WINDOWS\system32\TpKmpSVC.exeC:\Program Files\Lenovo\Rescue and Recovery\rrservice.exeC:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exeC:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exeC:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exeC:\Program Files\Common Files\Lenovo\Logger\logmon.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\wbem\wmiapsrv.exeC:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exeC:\Program Files\Lenovo\Client Security Solution\cssauth.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\rundll32.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.ExeC:\WINDOWS\system32\TpShocks.exeC:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exeC:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exeC:\Program Files\ATI Technologies\ATI.ACE\CLI.EXEC:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exeC:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exeC:\Program Files\ThinkVantage\AMSG\Amsg.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Lenovo\AwayTask\AwaySch.EXEC:\Program Files\Internet Explorer\iexplore.exeC:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exeC:\Program Files\ThinkPad\ConnectUtilities\ACTray.exeC:\Program Files\Picasa2\PicasaMediaDetector.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exeC:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exeC:\PROGRA~1\Yahoo!\browser\ybrwicon.exeC:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exeC:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exeC:\PROGRA~1\Yahoo!\browser\ycommon.exeC:\Program Files\Java\jre1.5.0_11\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\PROGRA~1\MI3AA1~1\wcescomm.exeC:\DOCUME~1\Pauline\LOCALS~1\Temp\asrkn_pfu.exeC:\PROGRA~1\MI3AA1~1\rapimgr.exeC:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exeC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Dual codec internet relative software\cms\EventLogger.exeC:\Program Files\ATI Technologies\ATI.ACE\cli.exeC:\Program Files\PC Connectivity Solution\ServiceLayer.exeC:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exeC:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exeC:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exeC:\Documents and Settings\Pauline\Desktop\dds.scr============== Pseudo HJT Report ===============uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uStart Page = hxxp://www.yahoo.co.uk/mDefault_Page_URL = hxxp://www.lenovo.com/welcome/thinkpadmDefault_Search_URL = hxxp://www.google.com/iemSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.htmluInternet Settings,ProxyOverride = 127.0.0.1;*.localuSearchURL,(Default) = hxxp://www.google.com/keyword/%smSearchAssistant = hxxp://www.google.com/ieBHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn6\yt.dllBHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dllBHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No FileBHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLLBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dllBHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dllBHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dllBHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dllTB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn6\yt.dllTB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dllTB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No FileTB: {A057A204-BACC-4D26-9990-79A187E2698E} - No FileuRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [Yahoo! Pager] c:\progra~1\yahoo!\messen~1\ypager.exe -quietuRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"uRun: [asrkn_pfu.exe] c:\docume~1\pauline\locals~1\temp\asrkn_pfu.exeuRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 6\PCSuite.exe" -onlytraymRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitormRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLogmRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exemRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exemRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.ExemRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helpermRun: [TpShocks] TpShocks.exemRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exemRun: [TP4EX] tp4ex.exemRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exemRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /traymRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startupmRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exemRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exemRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exemRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXEmRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startupmRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -startmRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXEmRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exemRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exemRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exemRun: [PDService.exe] "c:\program files\lenovo\safeguard privatedisk\pdservice.exe"mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silentmRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exemRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"mRun: [speedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /iconmRun: [sunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottimedRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXEdRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialogStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventl~1.lnk - c:\program files\dual codec internet relative software\cms\EventLogger.exeuPolicies-system: DisableTaskMgr = 1 (0x1)mPolicies-system: DisableTaskMgr = 1 (0x1)IE: {DA320635-F48C-4613-8325-D75A933C549E} - c:\program files\lenovo\system update\sulauncher.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dllIE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dllIE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dllIE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dllIE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLLDPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cabDPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dllDPF: {4AC2F548-B920-4A3E-BBA0-9F13A952D525} - hxxp://www.j2kdvr.com/CAB/JMRemoteSetupWeb.cabDPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cabDPF: {54CFC975-F9FB-45EB-8D18-D2D04FBC4299} - hxxp://www.j2kdvr.com/CAB/RemoteWeb2.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cabDPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cabNotify: AtiExtEvent - Ati2evxx.dllNotify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dllNotify: NavLogon - c:\windows\system32\NavLogon.dllNotify: psfus - psqlpwd.dllNotify: tpfnf2 - notifyf2.dllNotify: tphotkey - tphklock.dllAppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLLSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllLSA: Notification Packages = scecli psqlpwd ACGina============= SERVICES / DRIVERS ===============R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2010-5-4 11840]R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-2-5 324232]R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-2-5 53896]R2 AntiVirScheduler;Avira AntiVir Personal Attach.zipark.txt Link to post Share on other sites More sharing options...
Maniac Posted May 7, 2010 ID:246492 Share Posted May 7, 2010 Hello oaky72! Welcome to MalwareBytes' Anti-Malware Forums!My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following: The process of cleaning your system may take some time, so please be patient.Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.Instructions that I give are for your system only!If you don't know or can't understand something please ask. Do not install or uninstall any software or hardware, while work on.Step 1:First of all, you should not have more than one anti-virus program installed as they will conflict and cause problems. You have two so you need to uninstall one of them. Of the two, I would recommend keeping Avira , so please uninstall:LiveReg (Symantec Corporation)LiveUpdate 2.6 (Symantec Corporation)Symantec Client SecurityStep 2:Please, uninstall the following applications:Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)Adobe Reader 8.1.2Adobe Reader 8.1.2 Security Update 1 (KB403742)You can read, how to this in:Windows XPWindows VistaWindows 7Step 3:Your database version is 4052 , but the current is 4076 , so please update it:Launch Malwarebytes' Anti-MalwareGo to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.In your next reply, please include these log(s) in this sequence:MalwareBytes' Anti-Malware loga new fresh DDS log only Link to post Share on other sites More sharing options...
oaky72 Posted May 8, 2010 Author ID:246677 Share Posted May 8, 2010 Hello oaky72! Welcome to MalwareBytes' Anti-Malware Forums!My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following: The process of cleaning your system may take some time, so please be patient.Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.Instructions that I give are for your system only!If you don't know or can't understand something please ask. Do not install or uninstall any software or hardware, while work on.Step 1:First of all, you should not have more than one anti-virus program installed as they will conflict and cause problems. You have two so you need to uninstall one of them. Of the two, I would recommend keeping Avira , so please uninstall:Step 2:Please, uninstall the following applications:Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)Adobe Reader 8.1.2Adobe Reader 8.1.2 Security Update 1 (KB403742)You can read, how to this in:Windows XPWindows VistaWindows 7Step 3:Your database version is 4052 , but the current is 4076 , so please update it:Launch Malwarebytes' Anti-MalwareGo to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.In your next reply, please include these log(s) in this sequence:MalwareBytes' Anti-Malware loga new fresh DDS log onlyHi Borislav,Thanks for your reply.I have completed steps 1 & 2.On step 3 i get an error when i check for Updates on Malwarebytes.The error isMBAM_ERROR_UPDATING (12029, 0, WinHttpSendRequest)i have not continued with instructions after this error.Please advise further.Many thanks. Link to post Share on other sites More sharing options...
Maniac Posted May 8, 2010 ID:246678 Share Posted May 8, 2010 Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)There are 4 different versions. If one of them won't run then download and try to run the other one. Vista and Win7 users need to right click and choose Run as Admin You only need to get one of them to run, not all of them.rkill.exerkill.comrkill.scrrkill.pifWiNlOgOn.exeuSeRiNiT.exePlease post the log in your next reply.Note: The log can be found at the root of your installed hard drive entitled rkill.log Link to post Share on other sites More sharing options...
oaky72 Posted May 8, 2010 Author ID:246682 Share Posted May 8, 2010 Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)There are 4 different versions. If one of them won't run then download and try to run the other one. Vista and Win7 users need to right click and choose Run as Admin You only need to get one of them to run, not all of them.rkill.exerkill.comrkill.scrrkill.pifWiNlOgOn.exeuSeRiNiT.exePlease post the log in your next reply.Note: The log can be found at the root of your installed hard drive entitled rkill.logDoes this mean it ran ok?This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish. Ran as Pauline on 08/05/2010 at 11:35:36. Processes terminated by Rkill or while it was running: C:\DOCUME~1\Pauline\LOCALS~1\Temp\asrkn_pfu.exeC:\Documents and Settings\Pauline\Local Settings\Temporary Internet Files\Content.IE5\ZUPH107H\rkill[1].exeRkill completed on 08/05/2010 at 11:35:41. Link to post Share on other sites More sharing options...
Maniac Posted May 8, 2010 ID:246685 Share Posted May 8, 2010 Yes, it's okay.Step 1:Go into C:\Program Files\Malwarebytes' Anti-Malware and you will see a file called mbam.exe Right click on it and drop down to Rename change the name to firefox.com From mbam.exe to firefox.com . Please, restart your computer.Step 2:Launch Malwarebytes' Anti-MalwareGo to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Link to post Share on other sites More sharing options...
oaky72 Posted May 8, 2010 Author ID:246686 Share Posted May 8, 2010 Yes, it's okay.Step 1:Go into C:\Program Files\Malwarebytes' Anti-Malware and you will see a file called mbam.exe Right click on it and drop down to Rename change the name to firefox.com From mbam.exe to firefox.com . Please, restart your computer.Step 2:Launch Malwarebytes' Anti-MalwareGo to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.Hi,i dont have a mbam.exe in that folder. regards Link to post Share on other sites More sharing options...
Maniac Posted May 8, 2010 ID:246692 Share Posted May 8, 2010 Follow these instructions without for HiJackThis:http://forums.malwarebytes.org/index.php?showtopic=29028 Link to post Share on other sites More sharing options...
oaky72 Posted May 9, 2010 Author ID:247285 Share Posted May 9, 2010 Follow these instructions without for HiJackThis:http://forums.malwarebytes.org/index.php?showtopic=29028ok thats now done. here is my new scan log ans dds.Please advise next. thanks. Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4082Windows 5.1.2600 Service Pack 2Internet Explorer 6.0.2900.218009/05/2010 16:25:50mbam-log-2010-05-09 (16-25-50).txtScan type: Quick scanObjects scanned: 131146Time elapsed: 14 minute(s), 0 second(s)Memory Processes Infected: 1Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 2Registry Data Items Infected: 2Folders Infected: 3Files Infected: 39Memory Processes Infected:C:\Documents and Settings\Pauline\Local Settings\Temp\asrkn_pfu.exe (Trojan.FakeAlert) -> Unloaded process successfully.Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Digital Protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asrkn_pfu.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\digital protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:C:\Program Files\Digital Protection (Rogue.DigitalProtection) -> Delete on reboot.C:\Documents and Settings\Pauline\Start Menu\Programs\Digital Protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Application Data\ARManager (Rogue.ARManager) -> Quarantined and deleted successfully.Files Infected:C:\Documents and Settings\Pauline\Local Settings\Temp\asrkn_pfu.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Local Settings\Temp\asdC.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Local Settings\Temp\asdD.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Local Settings\Temp\asdE.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Local Settings\Temp\asdF.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Local Settings\Temp\asdB.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Local Settings\Temp\dhdhtrdhdrtr5y (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Local Settings\Temp\asd8.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Local Settings\Temp\asd8D.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Local Settings\Temp\asd9.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Local Settings\Temp\asdA.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\about.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\activate.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\buy.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\dig.db (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\digext.dll (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\dighook.dll (Rogue.DigitalProtection) -> Delete on reboot.C:\Program Files\Digital Protection\digprot.exe (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\help.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\scan.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\settings.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\splash.mp3 (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\Uninstall.exe (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\update.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Program Files\Digital Protection\virus.mp3 (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Start Menu\Programs\Digital Protection\About.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Start Menu\Programs\Digital Protection\Activate.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Start Menu\Programs\Digital Protection\Buy.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Start Menu\Programs\Digital Protection\Digital Protection Support.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Start Menu\Programs\Digital Protection\Digital Protection.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Start Menu\Programs\Digital Protection\Scan.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Start Menu\Programs\Digital Protection\Settings.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Start Menu\Programs\Digital Protection\Update.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Application Data\ARManager\apmanager.exe (Rogue.ARManager) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Application Data\Microsoft\Internet Explorer\Quick Launch\Digital Protection.LNK (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Desktop\Digital Protection.LNK (Rogue.DigitalProtection) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.C:\Documents and Settings\Pauline\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.DDS.txt Link to post Share on other sites More sharing options...
Maniac Posted May 9, 2010 ID:247291 Share Posted May 9, 2010 **Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper. Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop** If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab Set to Always ask me where to Save the files. [*]During the download, rename Combofix to Combo-Fix as follows: [*]It is important you rename Combofix during the download, but not after. [*]Please do not rename Combofix to other names, but only to the one indicated. [*]Close any open browsers. [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- [*]Double click on combo-Fix.exe & follow the prompts. [*]When finished, it will produce a report for you. [*]Please post the C:\Combo-Fix.txt for further review. **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall** Link to post Share on other sites More sharing options...
oaky72 Posted May 9, 2010 Author ID:247363 Share Posted May 9, 2010 **Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper. Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop** If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab Set to Always ask me where to Save the files. [*]During the download, rename Combofix to Combo-Fix as follows: [*]It is important you rename Combofix during the download, but not after. [*]Please do not rename Combofix to other names, but only to the one indicated. [*]Close any open browsers. [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- [*]Double click on combo-Fix.exe & follow the prompts. [*]When finished, it will produce a report for you. [*]Please post the C:\Combo-Fix.txt for further review. **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**ComboFix 10-05-08.02 - Pauline 09/05/2010 17:48:23.1.2 - x86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.362 [GMT 1:00]Running from: c:\documents and settings\Pauline\Desktop\Combo-Fix.exeAV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\Pauline\Desktop\Digital Protection Support.lnkc:\documents and settings\Pauline\My Documents\registry backup.regc:\documents and settings\Pauline\Start Menu\Programs\Uninstall.lnk.((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 ))))))))))))))))))))))))))))))).2010-05-07 19:00 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-05-07 19:00 . 2010-05-09 15:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-05-07 19:00 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-05-06 21:30 . 2010-05-06 21:30 -------- d-----w- c:\documents and settings\Pauline\Application Data\Malwarebytes2010-05-06 21:30 . 2010-05-06 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2010-05-05 18:38 . 2010-05-05 18:38 -------- d-sh--w- c:\documents and settings\Pauline\PrivacIE2010-05-05 18:33 . 2010-05-05 18:33 -------- d-sh--w- c:\documents and settings\Pauline\IETldCache2010-05-05 17:53 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll2010-05-05 17:27 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll2010-05-05 17:26 . 2010-05-05 17:26 16883056 ----a-w- C:\IE8-WindowsXP-x86-ENU.exe2010-05-04 19:12 . 2008-01-21 17:12 41792 ----a-w- c:\windows\system32\drivers\avgntdd.sys2010-05-04 19:12 . 2008-01-21 17:11 22336 ----a-w- c:\windows\system32\drivers\avgntmgr.sys2010-05-04 19:12 . 2008-03-04 12:28 79424 ----a-w- c:\windows\system32\drivers\avipbb.sys2010-05-04 19:12 . 2010-05-04 19:12 -------- d-----w- c:\program files\Avira2010-05-04 19:12 . 2010-05-04 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira2010-05-04 13:50 . 2010-05-04 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller2010-04-29 18:14 . 2010-04-29 18:42 -------- d-----w- C:\Back Up Caravan Site2010-04-26 21:41 . 2010-04-26 21:41 20539 ----a-w- C:\SetRecordsPerPage.zip.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-05-09 15:00 . 2008-02-09 16:54 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS2010-05-08 10:31 . 2008-02-09 16:47 -------- d-----w- c:\program files\Symantec Client Security2010-05-08 10:19 . 2008-03-03 19:03 -------- d-----w- c:\program files\Common Files\Adobe2010-05-08 10:18 . 2008-02-09 16:47 -------- d-----w- c:\program files\Symantec2010-05-08 10:18 . 2008-02-09 16:47 -------- d-----w- c:\program files\Common Files\Symantec Shared2010-05-08 10:17 . 2008-02-09 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec2010-05-07 18:45 . 2009-03-26 19:40 -------- d-----w- c:\documents and settings\Pauline\Application Data\uTorrent2010-05-06 21:57 . 2009-10-31 13:46 -------- d-----w- c:\program files\Trojan Remover2010-05-05 19:19 . 2009-10-31 13:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2010-05-04 13:53 . 2008-02-09 16:48 40 ----a-w- c:\windows\system32\profile.dat2010-05-01 12:21 . 2010-03-12 19:20 -------- d-----w- c:\documents and settings\Pauline\Application Data\CoreFTP2010-03-25 12:59 . 2010-03-25 12:59 -------- d-----w- c:\program files\Microsoft2010-03-25 12:59 . 2010-03-25 12:59 -------- d-----w- c:\program files\Windows Live2010-03-12 19:19 . 2010-03-12 19:19 -------- d-----w- c:\program files\CoreFTP2010-02-24 12:31 . 2006-04-30 06:55 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys2010-02-16 17:35 . 2006-04-30 06:55 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe2010-02-16 16:57 . 2004-08-03 22:59 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe2010-02-12 10:03 . 2010-03-02 12:04 293376 ------w- c:\windows\system32\browserchoice.exe2010-02-12 04:36 . 2006-04-30 06:55 100864 ----a-w- c:\windows\system32\6to4svc.dll2010-02-11 11:08 . 2006-04-30 06:56 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 2478080]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-23 68856]"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-11-09 688128][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 208896]"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]"TpShocks"="TpShocks.exe" [2006-03-16 106496]"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]"TP4EX"="tp4ex.exe" [2005-10-17 65536]"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-05-09 30192]"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-04 110592]"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-15 503808]"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 69632]"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 196696]"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-08-26 409600]"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-03-15 421888]"PDService.exe"="c:\program files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-14 41472]"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-22 129536]"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\EnjYwyv6S.exe" [2010-05-09 1090952][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-5-19 113664]Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-9 24576]EventLogger.lnk - c:\program files\Dual codec internet relative software\cms\EventLogger.exe [2008-7-13 94208][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]2006-08-16 17:07 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]2006-04-26 03:20 40448 ----a-w- c:\windows\system32\psqlpwd.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]2005-07-05 14:45 28672 ----a-w- c:\windows\system32\notifyf2.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]2005-11-30 11:16 24576 ----a-w- c:\windows\system32\tphklock.dll[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Notification Packages REG_MULTI_SZ scecli psqlpwd[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"c:\\Program Files\\Dual codec internet relative software\\cms\\EventLogger.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="c:\\Program Files\\Sony\\Media Manager for PSP\\MediaManager.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="%windir%\\system32\\drivers\\svchost.exe"="c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync ServiceR2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [14/03/2006 01:05 58368]R2 smi2;smi2;c:\program files\SMI2\smi2.sys [15/07/2006 00:55 3968]R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [26/04/2006 04:00 3456]S1 ghqyadfq;ghqyadfq;\??\c:\windows\system32\drivers\ghqyadfq.sys --> c:\windows\system32\drivers\ghqyadfq.sys [?]S3 alcan5ln;SpeedTouch USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [15/03/2009 14:18 36256]S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [09/02/2008 17:41 30192].Contents of the 'Scheduled Tasks' folder2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:34]2010-05-09 c:\windows\Tasks\PMTask.job- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-02-09 16:13]2010-05-09 c:\windows\Tasks\WGASetup.job- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 21:18]..------- Supplementary Scan -------.uSearch Page = hxxp://www.google.comuSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uStart Page = hxxp://www.yahoo.co.uk/uSearch Bar = hxxp://www.google.com/iemDefault_Search_URL = hxxp://www.google.com/iemSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.htmluInternet Settings,ProxyOverride = 127.0.0.1;*.localuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%smSearchAssistant = hxxp://www.google.com/ieDPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cabDPF: {4AC2F548-B920-4A3E-BBA0-9F13A952D525} - hxxp://www.j2kdvr.com/CAB/JMRemoteSetupWeb.cabDPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cabDPF: {54CFC975-F9FB-45EB-8D18-D2D04FBC4299} - hxxp://www.j2kdvr.com/CAB/RemoteWeb2.cab.- - - - ORPHANS REMOVED - - - -Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)Notify-NavLogon - (no file)**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-05-09 18:12Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(992)c:\windows\system32\tvt_gina.dllc:\program files\Lenovo\Client Security Solution\css_gina_plugin.dllc:\program files\Lenovo\Client Security Solution\css_wait_bar.dllc:\program files\Lenovo\Client Security Solution\cssuserdatadispatcher.dllc:\program files\Lenovo\Client Security Solution\csswait.dllc:\program files\Common Files\Lenovo\tvt_banner.dllc:\program files\Lenovo\Client Security Solution\cssdlgpwentry.dllc:\program files\Lenovo\Client Security Solution\dlganswerprompt.dllc:\program files\Lenovo\Client Security Solution\tvttsp.dllc:\program files\Lenovo\Client Security Solution\tcsrpc.dllc:\program files\Common Files\Lenovo\tvt_res.dllc:\program files\Bonjour\mdnsNSP.dllc:\program files\ThinkVantage Fingerprint Software\pscssint.dllc:\program files\ThinkVantage Fingerprint Software\infra.dllc:\program files\ThinkVantage Fingerprint Software\VTI.DLLc:\windows\system32\Ati2evxx.dllc:\windows\system32\psqlpwd.dllc:\program files\ThinkVantage Fingerprint Software\homefus2.dllc:\windows\system32\biologon.dllc:\program files\ThinkVantage Fingerprint Software\homepass.dllc:\program files\ThinkVantage Fingerprint Software\bio.dllc:\program files\ThinkVantage Fingerprint Software\remote.dllc:\windows\system32\tphklock.dllc:\program files\ThinkVantage Fingerprint Software\crypto.dllc:\program files\Lenovo\AwayTask\AwayNotify.dll- - - - - - - > 'lsass.exe'(1048)c:\windows\system32\psqlpwd.dllc:\program files\ThinkVantage Fingerprint Software\infra.dllc:\program files\ThinkVantage Fingerprint Software\homefus2.dll- - - - - - - > 'explorer.exe'(5580)c:\windows\system32\PROCHLP.DLLc:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dllc:\windows\system32\WPDShServiceObj.dllc:\program files\Nokia\Nokia PC Suite 6\phonebrowser.dllc:\program files\Nokia\Nokia PC Suite 6\PCSCM.dllc:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlrc:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngrc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dllc:\windows\system32\netprovcredman.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\ibmpmsvc.exec:\windows\system32\Ati2evxx.exec:\program files\Intel\Wireless\Bin\S24EvMon.exec:\program files\Avira\AntiVir PersonalEdition Classic\sched.exec:\windows\system32\IPSSVC.EXEc:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exec:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\Diskeeper Corporation\Diskeeper\DkService.exec:\program files\Intel\Wireless\Bin\EvtEng.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\program files\Intel\Wireless\Bin\RegSrvc.exec:\program files\lenovo\system update\suservice.exec:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exec:\windows\System32\TPHDEXLG.EXEc:\windows\system32\TpKmpSVC.exec:\program files\Lenovo\Client Security Solution\tvttcsd.exec:\program files\Lenovo\Rescue and Recovery\rrservice.exec:\program files\Common Files\Lenovo\Scheduler\tvtsched.exec:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exec:\program files\ThinkPad\ConnectUtilities\AcSvc.exec:\program files\Common Files\Lenovo\Logger\logmon.exec:\windows\system32\wbem\wmiapsrv.exec:\windows\system32\Ati2evxx.exec:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exec:\program files\Intel\Wireless\Bin\Dot1XCfg.exec:\windows\system32\wscntfy.exec:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exec:\windows\system32\rundll32.exec:\windows\system32\TpShocks.exec:\program files\ThinkPad\UltraNav Wizard\UNavTray.EXEc:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exec:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exec:\program files\ATI Technologies\ATI.ACE\CLI.EXEc:\progra~1\Yahoo!\browser\ycommon.exec:\progra~1\MI3AA1~1\wcescomm.exec:\progra~1\MI3AA1~1\rapimgr.exec:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exec:\program files\ATI Technologies\ATI.ACE\cli.exec:\program files\PC Connectivity Solution\ServiceLayer.exec:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exec:\program files\PC Connectivity Solution\Transports\NclIrSrv.exec:\program files\PC Connectivity Solution\Transports\NclRSSrv.exec:\windows\system32\rundll32.exe.**************************************************************************.Completion time: 2010-05-09 18:15:19 - machine was rebootedComboFix-quarantined-files.txt 2010-05-09 17:14Pre-Run: 4,536,283,136 bytes freePost-Run: 4,647,464,960 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect- - End Of File - - A5476F340B63C3AE26D5688FFC81E5E0 Link to post Share on other sites More sharing options...
Maniac Posted May 9, 2010 ID:247374 Share Posted May 9, 2010 Please go to http://virustotal.comNext to the "Browse" button, in to the blank field, please paste the following:c:\windows\system32\PROCHLP.DLLHit SEND FILE. Please be patient, it will take a while to get it scanned. Once all the scanners are done, post back with the results (copy & paste them here) Link to post Share on other sites More sharing options...
oaky72 Posted May 9, 2010 Author ID:247380 Share Posted May 9, 2010 Please go to http://virustotal.comNext to the "Browse" button, in to the blank field, please paste the following:c:\windows\system32\PROCHLP.DLLHit SEND FILE. Please be patient, it will take a while to get it scanned. Once all the scanners are done, post back with the results (copy & paste them here)It saysFile has already been analysed:Do i need to re analyse? Link to post Share on other sites More sharing options...
Maniac Posted May 9, 2010 ID:247389 Share Posted May 9, 2010 Yes, please. Link to post Share on other sites More sharing options...
oaky72 Posted May 9, 2010 Author ID:247392 Share Posted May 9, 2010 Yes, please.File PROCHLP.DLL received on 2010.05.09 17:36:30 (UTC)Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/41 (0%)Loading server information... Your file is queued in position: ___.Estimated start time is between ___ and ___ .Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment,results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result a-squared 4.5.0.50 2010.05.09 - AhnLab-V3 2010.05.09.00 2010.05.08 - AntiVir 8.2.1.236 2010.05.07 - Antiy-AVL 2.0.3.7 2010.05.07 - Authentium 5.2.0.5 2010.05.09 - Avast 4.8.1351.0 2010.05.09 - Avast5 5.0.332.0 2010.05.09 - AVG 9.0.0.787 2010.05.09 - BitDefender 7.2 2010.05.09 - CAT-QuickHeal 10.00 2010.05.08 - ClamAV 0.96.0.3-git 2010.05.09 - Comodo 4800 2010.05.09 - DrWeb 5.0.2.03300 2010.05.09 - eSafe 7.0.17.0 2010.05.09 - eTrust-Vet None 2010.05.07 - F-Prot 4.5.1.85 2010.05.09 - F-Secure 9.0.15370.0 2010.05.09 - Fortinet 4.1.133.0 2010.05.09 - GData 21 2010.05.09 - Ikarus T3.1.1.84.0 2010.05.09 - Jiangmin 13.0.900 2010.05.09 - Kaspersky 7.0.0.125 2010.05.09 - McAfee 5.400.0.1158 2010.05.09 - McAfee-GW-Edition 2010.1 2010.05.09 - Microsoft 1.5703 2010.05.09 - NOD32 5098 2010.05.09 - Norman 6.04.12 2010.05.09 - nProtect 2010-05-09.01 2010.05.09 - Panda 10.0.2.7 2010.05.09 - PCTools 7.0.3.5 2010.05.07 - Prevx 3.0 2010.05.09 - Rising 22.46.06.04 2010.05.09 - Sophos 4.53.0 2010.05.09 - Sunbelt 6282 2010.05.09 - Symantec 20091.2.0.41 2010.05.09 - TheHacker 6.5.2.0.277 2010.05.09 - TrendMicro 9.120.0.1004 2010.05.09 - TrendMicro-HouseCall 9.120.0.1004 2010.05.09 - VBA32 3.12.12.4 2010.05.06 - ViRobot 2010.5.8.2306 2010.05.08 - VirusBuster 5.0.27.0 2010.05.09 - Additional information File size: 86016 bytes MD5...: eb8b00829956a6db0a483a187e0051ac SHA1..: 55e1fca42790f3350b1001429f92bdeb717f7687 SHA256: 6947c6caab715f10735c97b403aa490bfe8bd7b04e840ddf7e7a6b8e83652bf3 ssdeep: 768:MvVzuiR7qfRX5Thm+mEQGdqxGoBwT4zI5a1IpKoNPtDVCUiB9tz1Gco8tN72lFQU:MvVF7M6EQbwT4zua1Row/YcglSw0PEiD..: - PEInfo: PE Structure information( base data )entrypointaddress.: 0x42b8timedatestamp.....: 0x4495fbf9 (Mon Jun 19 01:20:57 2006)machinetype.......: 0x14c (I386)( 6 sections )name viradd virsiz rawdsiz ntrpy md5.text 0x1000 0x9dd6 0xa000 6.58 e605b9323069027a9deb09f0752e90ca.rdata 0xb000 0x14bb 0x2000 4.06 e498ceb68014ad2076d528fcb2dde249.data 0xd000 0x1108c 0x4000 2.18 9f734fd1b4d9f2f3f0a0e31c3f42d9a1._PROCHL 0x1f000 0x3c 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110.rsrc 0x20000 0x318 0x1000 0.83 1d5073b465021047e54a979af8232118.reloc 0x21000 0x131a 0x2000 3.12 d625706dc48ef9c8e2907d5330becd2b( 3 imports ) > KERNEL32.dll: DeleteFileA, OutputDebugStringA, CopyFileA, lstrcatA, GetEnvironmentVariableA, CreateFileA, SetPriorityClass, GetPriorityClass, LocalAlloc, LocalFree, GetExitCodeProcess, WaitForMultipleObjects, Process32Next, Process32First, CreateToolhelp32Snapshot, DeviceIoControl, OpenProcess, Thread32Next, ResumeThread, SuspendThread, Thread32First, CloseHandle, GetProcessAffinityMask, GetModuleFileNameA, CreateThread, TerminateThread, GetExitCodeThread, FreeLibrary, GetProcAddress, LoadLibraryA, QueryPerformanceCounter, QueryPerformanceFrequency, GetProcessTimes, GetThreadTimes, Sleep, GetVersionExA, CreateEventA, SetEvent, ResetEvent, GetLastError, WaitForSingleObject, ExitThread, SetThreadPriority, GetUserDefaultLangID, GetCommandLineA, GetVersion, GetModuleHandleA, EnterCriticalSection, LeaveCriticalSection, ExitProcess, TerminateProcess, GetCurrentProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, HeapFree, WriteFile, SetFilePointer, HeapAlloc, InterlockedDecrement, InterlockedIncrement, InitializeCriticalSection, GetCPInfo, GetACP, GetOEMCP, VirtualAlloc, HeapReAlloc, SetStdHandle, RtlUnwind, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW, FlushFileBuffers> USER32.dll: GetWindowThreadProcessId, SetWindowsHookExA, UnhookWindowsHookEx, CallNextHookEx, wsprintfA> ADVAPI32.dll: ControlService, OpenServiceA, StartServiceA, CreateServiceA, OpenSCManagerA, CloseServiceHandle, DeleteService( 27 exports ) PH_AddPMonEventCallback, PH_CleanupThread, PH_CloseOptimizedProcess, PH_ConvertProcessTimeToUsage, PH_ConvertSystemTimeToUsage, PH_ConvertThreadTimeToUsage, PH_DelPMonEventCallback, PH_DllCleanup, PH_DllInitialize, PH_FindProcessID, PH_GetConsoleActivity, PH_GetDriverVersion, PH_GetOSVersion, PH_GetProcessEntry, PH_GetProcessListAll, PH_GetProcessTimeInfo, PH_GetProcessUsage, PH_GetSystemTimeInfo, PH_GetSystemUsage, PH_GetThreadTimeInfo, PH_GetThreadUsage, PH_GetVersion, PH_InitializeThread, PH_IsThreadActive, PH_OpenOptimizedProcess, PH_SetActivityCheckParameters, PH_SetOptimizedProcessRDS...: NSRL Reference Data Set- pdfid.: - trid..: Win64 Executable Generic (59.6%)Win32 Executable MS Visual C++ (generic) (26.2%)Win32 Executable Generic (5.9%)Win32 Dynamic Link Library (generic) (5.2%)Generic Win/DOS Executable (1.3%) sigcheck:publisher....: Lenovo Group Limitedcopyright....: Copyright © Lenovo 2005, 2006product......: Away Managerdescription..: IPS Helper DLLoriginal name: PROCHLP.DLLinternal name: PROCHLPfile version.: 2, 0, 6, 0comments.....: n/asigners......: -signing date.: -verified.....: Unsigned Link to post Share on other sites More sharing options...
Maniac Posted May 9, 2010 ID:247396 Share Posted May 9, 2010 Please manually delete the following folders:c:\program files\Symantec Client Securityc:\program files\Symantecc:\program files\Common Files\Symantec Sharedc:\documents and settings\All Users\Application Data\SymantecHow are things now? Link to post Share on other sites More sharing options...
oaky72 Posted May 9, 2010 Author ID:247403 Share Posted May 9, 2010 Please manually delete the following folders:c:\program files\Symantec Client Securityc:\program files\Symantecc:\program files\Common Files\Symantec Sharedc:\documents and settings\All Users\Application Data\SymantecHow are things now?cant find a folder named application data c:\documents and settings\All Users\Application Data\SymantecSystem itself seems lot better. no pop ups for digital protection. Link to post Share on other sites More sharing options...
Maniac Posted May 9, 2010 ID:247405 Share Posted May 9, 2010 First you should active this option:http://www.microsoft.com/windowsxp/using/h...iddenfiles.mspxThen try again to find out this folder. Link to post Share on other sites More sharing options...
oaky72 Posted May 9, 2010 Author ID:247419 Share Posted May 9, 2010 First you should active this option:http://www.microsoft.com/windowsxp/using/h...iddenfiles.mspxThen try again to find out this folder.ok done that and all now deleted.please advise. thanks Link to post Share on other sites More sharing options...
Maniac Posted May 9, 2010 ID:247430 Share Posted May 9, 2010 I think we're ready! Last steps:Step 1:* Go to start > run and copy and paste next command in the field:ComboFix /uninstallMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.Step 2:Please manually delete Rkill, DDS and GMER.Step 3:Please download and install the latest version of Adobe Reader from:http://www.adobe.com/Step 4:Some malware preventions:http://miekiemoes.blogspot.com/2008/02/how...nt-malware.htmlSafe surfing! Link to post Share on other sites More sharing options...
oaky72 Posted May 10, 2010 Author ID:247678 Share Posted May 10, 2010 I think we're ready! Last steps:Step 1:* Go to start > run and copy and paste next command in the field:ComboFix /uninstallMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.Step 2:Please manually delete Rkill, DDS and GMER.Step 3:Please download and install the latest version of Adobe Reader from:http://www.adobe.com/Step 4:Some malware preventions:http://miekiemoes.blogspot.com/2008/02/how...nt-malware.htmlSafe surfing! Hi,I am getting an Open file security warning when trying to uninstall combo fix. its asking me to run combofix by the looks of it.cheers Link to post Share on other sites More sharing options...
Maniac Posted May 10, 2010 ID:247766 Share Posted May 10, 2010 Don't worry! Just do it! Link to post Share on other sites More sharing options...
oaky72 Posted May 12, 2010 Author ID:248838 Share Posted May 12, 2010 Don't worry! Just do it! i have done and completed all steps. i left a donation yesterday, many thanks. Link to post Share on other sites More sharing options...
Maniac Posted May 12, 2010 ID:248888 Share Posted May 12, 2010 You're welcome! Link to post Share on other sites More sharing options...
Recommended Posts