I apparently have some kind of malware on my system that redirects me to "clean" websites like Google & some online stores. A friend recommended Malwarebytes but I can't seem to install it on my XP Pro computer. I download the .exe file and it goes through 90+% of the installation and I get a "Run-time Error: '50003': Unexpected error" and the installation stops...even in Safe Mode. Here is a list of my security software: Zone Alarm [not using Windows Firewall], AVG Free 8.5 & SuperAntiSpyware.

I'm fairly savvy on the computer and have not been able to figure out a workaround. Any suggestions?


Hello and :)

I will be helping you with removing malware from your computer. Log research takes time, so please be patient and I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any scanning tools other than those you are instructed to use.
  • Follow the instructions in the order they are given.
  • Stay with this thread until advised that your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped regarding this problem on another forum, please advise us so that we can close this thread.
  • If you do not reply within 3 days after my last response, I will ask you whether you still need assistance, and if you still don't reply within 48 hours the topic will be closed.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

_________________________________________________

That is probably due to a corrupted dll file. Let's check for malware.

Please do the following:

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan, paste this in:

    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
  • You may need two posts to fit them both in.

--Next--

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

To post in your next reply:

1. OTL logs.

2. GMER log


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


Thanks AS :)

SF Shoim,

Please post the entire contents of the OTL logs here.

Regarding GMER, try running it in Safe Mode.

To do this,

  • Restart your computer.
  • Keep tapping F8 when Windows starts to boot. Do this before you see the Windows screen.
  • When a menu appears, scroll to Safe Mode using the arrow keys, then press Enter.
  • Try running GMER again.

If that still won't do, then open GMER, click on the box beside "Files" to uncheck it, then have it scan.

================================================================================

======================================================

OTL File:

OTL logfile created on: 7/19/2010 1:52:57 PM - Run 1

OTL by OldTimer - Version 3.2.9.1 Folder = C:\Downloads

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.04 Gb Total Space | 118.89 Gb Free Space | 79.77% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 37.24 Gb Total Space | 25.11 Gb Free Space | 67.42% Space Free | Partition Type: NTFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: SHOIMSPUTER

Current User Name: Dennis

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Downloads\OTL(2).exe (OldTimer Tools)

PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)

PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

PRC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)

PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)

PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

PRC - C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc.)

PRC - C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe (Trend Micro Inc.)

PRC - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe (Trend Micro Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\OpenOffice.org 2.2\program\soffice.exe (OpenOffice.org)

PRC - C:\Program Files\OpenOffice.org 2.2\program\soffice.bin (OpenOffice.org)

PRC - C:\WINDOWS\system32\WgaTray.exe (Microsoft Corporation)

PRC - C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)

PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)

PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)

PRC - C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)

PRC - C:\Program Files\Eraser\eraser.exe (Heidi Computers Ltd)

PRC - C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe (Simple Star, Inc.)

PRC - C:\RAM Idle LE\RAM_XP.exe ()

PRC - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)

========== Modules (SafeList) ==========

MOD - C:\Downloads\OTL(2).exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll (Microsoft Corporation)

MOD - C:\Program Files\Logitech\SetPoint\lgscroll.dll (Logitech, Inc.)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (vsmon) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)

SRV - (avg8wd) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

SRV - (getPlusHelper) getPlus® -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)

SRV - (LBTServ) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe (Logitech, Inc.)

SRV - (RUBotted) -- C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe (Trend Micro Inc.)

SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)

========== Driver Services (SafeList) ==========

DRV - (RimUsb) -- C:\WINDOWS\System32\Drivers\RimUsb.sys File not found

DRV - (Lbd) -- C:\WINDOWS\System32\DRIVERS\Lbd.sys File not found

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Check Point Software Technologies LTD)

DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (srescan) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys (Check Point Software Technologies LTD)

DRV - (LMouKE) -- C:\WINDOWS\system32\drivers\LMouKE.Sys (Logitech, Inc.)

DRV - (L8042mou) -- C:\WINDOWS\system32\drivers\L8042mou.Sys (Logitech, Inc.)

DRV - (L8042Kbd) -- C:\WINDOWS\system32\drivers\L8042Kbd.sys (Logitech, Inc.)

DRV - (TMPassthruMP) -- C:\WINDOWS\system32\drivers\TMPassthru.sys (Trend Micro Inc.)

DRV - (TMPassthru) -- C:\WINDOWS\system32\drivers\TMPassthru.sys (Trend Micro Inc.)

DRV - (timounter) -- C:\WINDOWS\system32\DRIVERS\timntr.sys (Acronis)

DRV - (tifsfilter) -- C:\WINDOWS\system32\drivers\tifsfilt.sys (Acronis)

DRV - (snapman) -- C:\WINDOWS\system32\DRIVERS\snapman.sys (Acronis)

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (LHidFilt) -- C:\WINDOWS\system32\drivers\LHidFilt.Sys (Logitech, Inc.)

DRV - (LMouFilt) -- C:\WINDOWS\system32\drivers\LMouFilt.Sys (Logitech, Inc.)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)

DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (FreshIO) -- C:\FreshDevices\FreshDiagnose\FreshIO.sys ()

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.bing.com [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://connect2.pb.com/dana-na/auth/url_default/welcome.cgi

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "radiojazz Customized Web Search"

FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT416758&SearchSource=3&q="

FF - prefs.js..browser.search.selectedEngine: "Yahoo"

FF - prefs.js..browser.search.suggest.enabled: false

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "http://mail.printinc.com"

FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1

FF - prefs.js..extensions.enabledItems: 6

FF - prefs.js..extensions.enabledItems: 2

FF - prefs.js..extensions.enabledItems: 44

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429

FF - prefs.js..extensions.enabledItems: es-MX@dictionaries.addons.mozilla.org:1.1.1

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2010/01/06 20:41:39 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/06 12:03:37 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/06 12:03:35 | 000,000,000 | ---D | M]

[2009/02/17 22:33:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Extensions

[2009/02/17 22:33:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Extensions\mozswing@mozswing.org

[2010/07/19 12:44:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Firefox\Profiles\l7nxy5yx.default\extensions

[2010/05/18 06:38:30 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Firefox\Profiles\l7nxy5yx.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2009/09/16 11:46:58 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Firefox\Profiles\l7nxy5yx.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

[2010/03/25 06:27:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Firefox\Profiles\l7nxy5yx.default\extensions\es-MX@dictionaries.addons.mozilla.org

[2008/06/25 12:39:48 | 000,001,712 | ---- | M] () -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Firefox\Profiles\l7nxy5yx.default\searchplugins\askcom.xml

[2008/10/11 20:27:00 | 000,000,878 | ---- | M] () -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Firefox\Profiles\l7nxy5yx.default\searchplugins\conduit.xml

[2010/04/01 12:45:33 | 000,005,500 | ---- | M] () -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Firefox\Profiles\l7nxy5yx.default\searchplugins\food-network-recipes.xml

[2007/06/18 07:40:45 | 000,001,277 | ---- | M] () -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Firefox\Profiles\l7nxy5yx.default\searchplugins\quintura-search.xml

[2008/06/25 12:39:48 | 000,000,681 | ---- | M] () -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Firefox\Profiles\l7nxy5yx.default\searchplugins\webster.xml

[2008/06/25 12:39:48 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\Dennis\Application Data\Mozilla\Firefox\Profiles\l7nxy5yx.default\searchplugins\wikipedia-en.xml

[2010/07/19 12:44:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2007/08/28 08:04:12 | 000,028,672 | ---- | M] (WebEx) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll

[2008/01/30 08:29:40 | 000,094,872 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll

[2007/05/22 10:03:56 | 000,057,344 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll

[2007/05/03 15:36:48 | 000,493,608 | ---- | M] (iLinc Communications, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\NPil86.dll

[2005/12/05 22:31:00 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll

[2005/04/27 13:10:49 | 000,102,400 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npracplug.dll

O1 HOSTS File: ([2009/11/16 20:43:31 | 000,000,158 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (IE7Pro BHO) - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (PCTools Site Guard) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program Files\Spyware Doctor\tools\iesdsg.dll ()

O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()

O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()

O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acro

OTL.Txt

Extras.Txt

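Reading an OTL log by hand means scanning for a few recurring signs: driver services whose file no longer exists, executables and BHOs with an empty publisher field, browser search preferences that point somewhere unexpected, and hosts-file entries other than localhost. The Python below is an added example written for this page, not code from the thread or from OTL's author; it runs that triage over constructed sample lines modelled on the log above. The update.example.test hosts entry and the allowlist of expected search hosts are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the OTL log posted in the thread; the
# update.example.test hosts entry is invented to exercise the hosts check.
SAMPLE_OTL = r"""
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\RAM Idle LE\RAM_XP.exe ()
DRV - (RimUsb) -- C:\WINDOWS\System32\Drivers\RimUsb.sys File not found
DRV - (Lbd) -- C:\WINDOWS\System32\DRIVERS\Lbd.sys File not found
DRV - (FreshIO) -- C:\FreshDevices\FreshDiagnose\FreshIO.sys ()
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT416758&SearchSource=3&q="
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 update.example.test
O2 - BHO: (PCTools Site Guard) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program Files\Spyware Doctor\tools\iesdsg.dll ()
"""

# Hosts a default search URL is expected to point at (constructed allowlist).
EXPECTED_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}

# OTL prefixes each line with a section tag followed by " - ".
LINE_RE = re.compile(r"^(PRC|MOD|SRV|DRV|FF|O1|O2|O3|O4) - (.*)$")


def triage_otl(text):
    """Return (category, subject, note) tuples for lines worth a second look."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "DRV" and rest.endswith("File not found"):
            # Registry still names a driver service but its file is gone.
            name = re.match(r"\(([^)]+)\)", rest).group(1)
            findings.append(("orphan-driver", name,
                             "service entry points at a missing file; usually an uninstaller leftover"))
        elif kind == "FF":
            # Search prefs carrying a URL: compare the host with the allowlist.
            url = re.search(r'"(https?://[^"]+)"', rest)
            if url and "search" in rest:
                host = urlparse(url.group(1)).hostname
                if host not in EXPECTED_SEARCH_HOSTS:
                    findings.append(("search-redirect", host,
                                     "browser search pref points at an unexpected host"))
        elif kind == "O1":
            # Anything besides the two localhost lines is a hosts-file override.
            parts = rest.split()
            if parts[0] == "Hosts:" and parts[-1] != "localhost":
                findings.append(("hosts-override", parts[-1],
                                 "hosts file maps %s to %s" % (parts[-1], parts[1])))
        elif kind in ("PRC", "DRV", "O2") and rest.endswith(" ()"):
            # Empty trailing "()" means OTL found no company name in the file.
            path = rest[:-3].rsplit(" -- ", 1)[-1].rsplit(" - ", 1)[-1]
            findings.append(("no-publisher", path,
                             "file carries no company metadata; verify its origin"))
    return findings


if __name__ == "__main__":
    for category, subject, note in triage_otl(SAMPLE_OTL):
        print("%-16s %-45s %s" % (category, subject, note))
```

None of these findings is a verdict on its own: an orphaned driver entry is usually a leftover from uninstalled software, and a missing publisher string only says the file deserves a closer look, which is why the helper in this thread submits such files to a multi-engine scanner before acting on them.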

Hi,

Sorry for the delay here. I lost my subscription to this thread.

Please do the following:

Download CKScanner by askey127 from Here & save it to your Desktop.

  • Double-click CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply

Contents of CKFiles.txt

CKScanner - Additional Security Risks - These are not necessarily bad

c:\documents and settings\dennis\my documents\photoshow print & share\_photoshow\music\rock\crackthesky_mind.swf

c:\documents and settings\dennis\my documents\photoshow print & share\_photoshow\music\rock\crackthesky_mind_image.swf

c:\program files\corel\corel paint shop pro x\bump maps\cracked desert.pspimage

scanner sequence 3.AB.11

----- EOF -----


Hi,

No need to quote me on your next reply. You may just post your reply or questions.

You have some outdated software that is now a security risk. Some of it is your anti-virus (AVG 8), the Windows service pack, OpenOffice, etc. We need to update them, but we'll hold off a bit until we determine that your computer is clean.

You also have multiple anti-spyware programs installed: SAS, MBAM, Spyware Doctor and Spybot. Please note that running multiple AS at the same time will slow down your PC and those programs might target each other.

--Next--

Can you tell me more about this site? http://mail.printinc.com

--Next--

You have LimeWire, a P2P/file sharing program, installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.

http://www.infoworld.com/d/security-centra...-p-id-theft-103

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

I would recommend that you uninstall LimeWire via Control Panel -> Add or Remove Programs.

However, if you do not wish to remove this program please be advised not to use the said program during the course of cleaning your machine.

References for the risk of these programs can be found in these links:

http://www.esecurityguy.com/p2p_file_sharing

http://www.microsoft.com/protect/data/down...ilesharing.aspx

--Next--

Please download MBRCheck.exe to your desktop.

  • Be sure to disable your security programs.
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
  • A console window should open on your desktop.
  • If you are prompted with options, enter N at the prompt and press Enter.
  • Press Enter again.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

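MBRCheck reads sector 0 of each physical drive and reports whether the boot code there matches a known Windows loader, which is how it reaches verdicts such as "Windows XP MBR code detected". The Python below is an added illustration of that check and is not MBRCheck's code or anything posted in the thread: it builds a constructed 512-byte MBR, validates the 0x55AA signature, walks the four partition entries, and compares a SHA-256 of the 440-byte boot code against a baseline. The baseline entry is the constructed filler (a placeholder, not a real Windows XP loader hash), and the \\.\PhysicalDrive0 path used by read_first_sector is the device form shown in the report above and needs administrator rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: the loader code a checker fingerprints
DISK_SIG_OFF = 440            # bytes 440..443: NT disk signature
PART_TABLE_OFF = 446          # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr(boot_code_fill=0x90, disk_sig=0x12345678):
    """Construct a demo sector: filler boot code plus one bootable NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = bytes([boot_code_fill]) * BOOT_CODE_LEN
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    # Entry 0: active (0x80), type 0x07 (NTFS), starting at LBA 63, 1000 sectors.
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Validate the sector and return its boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, start_lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "start_lba": start_lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


# Placeholder baseline. A real one maps hashes of vendor boot code (for example
# the Windows XP loader) to a label; this entry is only the constructed filler.
KNOWN_BOOT_CODE = {
    hashlib.sha256(bytes([0x90]) * BOOT_CODE_LEN).hexdigest(): "constructed sample boot code",
}


def classify_boot_code(sector, baseline=KNOWN_BOOT_CODE):
    """Return ('known', label) when the boot code is in the baseline, else ('unknown', hash)."""
    digest = parse_mbr(sector)["boot_code_sha256"]
    label = baseline.get(digest)
    return ("known", label) if label else ("unknown", digest)


def read_first_sector(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw device (needs administrator rights on Windows)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    print(classify_boot_code(build_sample_mbr()))                      # known
    print(classify_boot_code(build_sample_mbr(boot_code_fill=0xCC)))   # unknown
```

An "unknown" result only means the boot code is not in the baseline; a non-Microsoft boot manager or OEM recovery loader produces the same answer, so the hash should be compared with what the drive is expected to carry before anything is rewritten.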

Contents of MBRCheck file:

MBRCheck, version 1.1.1

© 2010, AD

\\.\C: --> \\.\PhysicalDrive1

\\.\E: --> \\.\PhysicalDrive0

Size     Device Name          MBR Status
--------------------------------------------
149 GB   \\.\PhysicalDrive1   Windows XP MBR code detected
22 GB    \\.\PhysicalDrive0   Windows XP MBR code detected

Done! Press ENTER to exit...

http://mail.printinc.com is the webmail portal that I use for work. We were recently purchased by a large corporation and are in the process of incorporating our email into theirs so we have not renewed our certificate...but it's perfectly safe.

When I hit "reply" it seems to include your quote...so I deleted it in this reply window.

I uninstalled LimeWire...I had no luck uninstalling OpenOffice but will do so next time I reboot.

I'm aware that multiple antispyware programs can target each other but I find that if I run them individually one program could detect spy/malware that the other missed. I don't run them simultaneously.


I'm aware that multiple antispyware programs can target each other but I find that if I run them individually one program could detect spy/malware that the other missed. I don't run them simultaneously.

Excellent. :D

Before we continue I would like to ask if this is a company computer?


Hi,

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs

--------------------------------------------------------------------

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.


Hi,

Please do the following:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    sfcfiles.*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

--Next--

Please go to VirSCAN

  • Click on Browse.
  • On the File Upload window, copy/paste the text below into the File name box:
    c:\program files\RngInterstitial.dll
  • Click Upload. Allow the file to be scanned. If it says already scanned -- click Reanalyze Now

Repeat the procedure with the following files:

c:\documents and settings\NetworkService\Application Data\szvjyb.dat

C:\WINDOWS\System32\igfxvaws.dll

Please post the results in your next reply.

To post in your next reply:

1. Systemlook log.

2. VirSCAN log.


This is all I could get at this time:

Scanner results : Scanners did not find malware!

Time : 2010/04/26 16:29:34 (PDT)

Scanner      Engine Ver       Sig Ver           Sig Date    Scan result  Time
------------------------------------------------------------------------------
a-squared    4.5.0.8          20100427043602    2010-04-27  -            4.843
AhnLab V3    2010.04.27.00    2010.04.27        2010-04-27  -            1.111
AntiVir      8.2.1.224        7.10.6.220        2010-04-26  -            0.253
Antiy        2.0.18           20100426.4277466  2010-04-26  -            0.120
Arcavir      2009             201004261538      2010-04-26  -            0.038
Authentium   5.1.1            201004261718      2010-04-26  -            1.274
AVAST!       4.7.4            100426-0          2010-04-26  -            0.023
AVG          8.5.720          271.1.1/2837      2010-04-27  -            0.239
BitDefender  7.81008.5691035  7.31396           2010-04-27  -            3.591
ClamAV       0.95.3           10826             2010-04-26  -            0.061
Comodo       3.13.579         4684              2010-04-26  -            0.996
CP Secure    1.3.0.5          2010.04.26        2010-04-26  -            0.088
Dr.Web       5.0.2.3300       2010.04.27        2010-04-27  -            6.915
F-Prot       4.4.4.56         20100426          2010-04-26  -            1.311
F-Secure     7.02.73807       2010.04.26.15     2010-04-26  -            0.267
Fortinet     4.0.14           11.746            2010-04-26  -            0.208
GData        21.37/21.13      20100426          2010-04-26  -            7.194
Ikarus       T3.1.01.80       2010.04.26.75719  2010-04-26  -            5.846
JiangMin     13.0.900         2010.04.26        2010-04-26  -            1.214
Kaspersky    5.5.10           2010.04.26        2010-04-26  -            0.126
KingSoft     2009.2.5.15      2010.4.26.23      2010-04-26  -            0.838
McAfee       5400.1158        5964              2010-04-26  -            0.019
Microsoft    1.5703           2010.04.26        2010-04-26  -            6.580
Norman       6.04.11          6.04.00           2010-04-25  -            8.007
nProtect     20100426.01      8045820           2010-04-26  -            7.738
Panda        9.05.01          2010.04.26        2010-04-26  -            2.129
Quick Heal   10.00            2010.04.26        2010-04-26  -            2.724
Rising       20.0             22.45.00.04       2010-04-26  -            1.225
Sophos       3.06.0           4.52              2010-04-27  -            3.583
Sunbelt      3.9.2418.2       6225              2010-04-26  -            5.448
Symantec     1.3.0.24         20100426.003      2010-04-26  -            0.058
The Hacker   6.5.2.0          v00269            2010-04-26  -            0.427
Trend Micro  9.120-1004       7.128.20          2010-04-26  -            0.042
VBA32        3.12.12.4        20100425.2027     2010-04-25  -            2.923
ViRobot      20100426         2010.04.26        2010-04-26  -            0.427
VirusBuster  4.5.11.10        10.125.5/2034479  2010-04-27  -            2.472


...also...here's the SystemLook file:

SystemLook.txt
