
Malware Issue - blocks virus programs from downloading and redirects



I am having issues with my desktop. I'm using Windows XP. Windows Media Player will not play video clips. Error Code: 0xC00D1197. When I try to download a fix from the internet, they are blocked. I am also blocked from downloading anti-spyware from the internet and redirected to erroneous sites. In addition, the computer no longer will work in hibernate mode. The hibernate box blinks momentarily and then reverts to my home page. I was able to download HijackThis and generate a log file but I'm not sure how to proceed or what to remove. Attached is the HijackThis logfile. Professional help is greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:06:09 PM, on 11/4/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\PV92Tray.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe

C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\WgaTray.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\Program Files\Google\Google Updater\GoogleUpdater.exe

C:\Program Files\Sony Handheld\HOTSYNC.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = 2close2u

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [CitiVAN] "C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" /dontopenmycards

O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-21-1844237615-764733703-842925246-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')

O4 - HKUS\S-1-5-21-1844237615-764733703-842925246-1003\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{978B1366-8825-4339-AD87-A4BF57A00E17}: NameServer = 93.188.164.121,93.188.160.201

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.121,93.188.160.201

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.121,93.188.160.201

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 6993 bytes

Any help is appreciated.

Thanks

closer24


Hi closer24 and Welcome to Malwarebytes Forum!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note: It will also create a log in the C:\ directory.


I'm corresponding with you via my notebook computer. My desktop would not permit me to get to the Malwarebytes site. When I tried to get to the site via Google, it would indicate it could not find the site. Nonetheless, I downloaded TDSSKiller to a flash drive from my notebook and then downloaded it to my desktop. I was able to perform a scan. An infected file was found and removed. Here are the contents of the scan after a reboot. Note: I was able to set the computer to hibernate mode. Awaiting further instructions. Thanks for the help. Closer24

2010/11/05 11:26:18.0916 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43

2010/11/05 11:26:18.0916 ================================================================================

2010/11/05 11:26:18.0916 SystemInfo:

2010/11/05 11:26:18.0916

2010/11/05 11:26:18.0916 OS Version: 5.1.2600 ServicePack: 2.0

2010/11/05 11:26:18.0916 Product type: Workstation

2010/11/05 11:26:18.0916 ComputerName: GERRY

2010/11/05 11:26:18.0916 UserName: Gerald

2010/11/05 11:26:18.0916 Windows directory: C:\WINDOWS

2010/11/05 11:26:18.0916 System windows directory: C:\WINDOWS

2010/11/05 11:26:18.0916 Processor architecture: Intel x86

2010/11/05 11:26:18.0916 Number of processors: 1

2010/11/05 11:26:18.0916 Page size: 0x1000

2010/11/05 11:26:18.0916 Boot type: Normal boot

2010/11/05 11:26:18.0916 ================================================================================

2010/11/05 11:26:20.0789 Initialize success


  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Kenny94:

Same issue. Cannot gain access to the Malwarebytes site via my desktop. When attempting to go to the address, Google pops up with a screen that gives a message that says: "Oops - Internet Explorer could not find forums.malwarebytes.org." It then directs me to some erroneous site. Will I be able to download ComboFix to a flash drive and then load it on my computer that way? Is there something else I can do to get to the Malwarebytes site using my desktop? I have a few errands to get done, but will be back in a couple of hours to try to download ComboFix using my notebook. Appreciate the help. Thanks

closer24.

Kenny94:

Downloaded ComboFix via a web site on the internet and from your link to a memory stick. I cannot access the Malwarebytes site on my desktop computer. I disabled AVG 8.5 per instructions. When I run ComboFix it indicates: "Incompatible OS. ComboFix only works on stations using 2000 and XP....," then it gives me a Warning: "ComboFix cannot run when AVG is installed. This is due to AVG's targeting of ComboFix's files/processes. It would be dangerous to continue. Please uninstall AVG or use another tool."

I'm lost. I don't know what to do at this point. Why would it indicate that ComboFix is incompatible with my operating system? I'm using Windows XP Professional, Version 2002. Do I uninstall AVG 8.5? Is ComboFix compatible with my computer or is there some other issue?

I'm sorry for the inability to get a log to you from ComboFix. Awaiting further instructions and directions. Thanks for the help. Closer24


Let's run ComboFix in Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Then double click ComboFix to run it and be sure to save the log and post it here please.

Note:

Reboot back to normal Windows.


Kenny94:

Finally got a copy of ComboFix to start running in Safe Mode. It was attempting to run a restore point, then backed up registry files to C:\Windows. Got to the point where it asked me if it was XP Home Edition, Yes or No. I'm running XP Pro, but I think that they're compatible. I clicked Yes. It then took me to the Recovery Console and said it was not installed. I clicked Yes. I then got a pop-up error: "You do not appear to be connected to the internet. Kindly connect before clicking 'OK'."

I'm not connected to the internet in Safe Mode. I'm at a standstill. Can I connect to the internet on XP in Safe Mode? I noticed I could not access My Yahoo earlier. Do I go back and try to run ComboFix in Normal Startup? Is there a way to connect to the internet in Safe Mode?

PLEASE ADVISE AS TO THE NEXT COURSE OF ACTION. Seemed like I was pretty close to getting a ComboFix log. (SO CLOSE, YET SO FAR!) I'm more than willing to keep pecking away until we get this thing fixed. Sorry things aren't going smoother. Awaiting your response. Thanks again for your patience.

Closer24


Run ComboFix in normal Windows, but right click on ComboFix and drop down to Rename change the name to firefox.com and then run ComboFix please.

No need to install the Recovery Console.

Kenny94:

Renamed the icon firefox.com and tried to run the program. I disabled AVG Free 8.5 per instructions. I still receive a pop-up message:

"ComboFix can not run when AVG is installed. This is due to AVG's targeting of file processes. It would be dangerous to continue.

Please uninstall AVG or use another tool."

Should I uninstall AVG and try again? Did I do something else wrong? Awaiting your instructions. Thanks again for your time and help.

Closer24


Remove AVG as it's an old version. Then run ComboFix....... :P

Kenny94:

Attempted to uninstall AVG 8.5 but it would not uninstall. Gave me the following pop-up error message:

UNINSTALL FAILED

1 error occurred. Click details for more information.

DETAILS:

"Local machine installation failed." Installation: Error Action failed for registry key HKLM\SOFTWARE\Microsoft Windows NT\Current Version\Windows creating registry key Error 0x8007005

Is there another way to get rid of the program? Awaiting your response. Appreciate your attention.

Thanks! closer24


Run AVG removal tool at:

http://forums.avg.com/ww-en/avg-free-forum...ow&id=44013

Select "For 32 bit Windows versions"

Click on Run on the box that pops up and follow the prompts.

Restarting your computer completes removal of the antivirus. Then run ComboFix.

Kenny94:

Sorry that it takes so long to get back. The problem is that I cannot access the Malwarebytes site or any other site that offers virus downloads. I'm working off my notebook, saving files to a flash drive and then loading them on the desktop. Finally got ComboFix to run. It took about 20 minutes to run and finally produced a log. While running it said it deleted a file called: WindowsSystem32\info link <2>.dll. I don't really know what it did. Can I just close the program and my desktop will boot up with its normal desktop? Do I have to download another AVG virus protection program? Is there a link? Let me know what to do next. Thanks for your patience. This has been a real task to get ComboFix to run. Hooray!! Finally ran!!!

Here is the ComboFix Log:

ComboFix 10-11-07.05 - Gerald 11/07/2010 17:45:58.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.81 [GMT -5:00]

Running from: F:\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\linkinfo(2).dll

.

((((((((((((((((((((((((( Files Created from 2010-10-07 to 2010-11-07 )))))))))))))))))))))))))))))))

.

2010-11-06 15:50 . 2010-11-06 15:50 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot

2010-11-06 02:07 . 2010-11-06 02:08 -------- d-----w- c:\program files\StartCop

2010-11-04 16:41 . 2010-11-04 16:41 1409 ----a-w- c:\windows\QTFont.for

2010-11-01 22:14 . 2010-11-01 22:14 388096 ----a-r- c:\documents and settings\Gerald\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-11-01 22:14 . 2010-11-01 22:14 -------- d-----w- c:\program files\Trend Micro

2010-10-30 16:00 . 2010-10-30 16:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Webroot

2010-10-30 15:59 . 2006-10-08 15:03 128064 ----a-w- c:\windows\system32\drivers\ssidrv.sys

2010-10-30 15:59 . 2006-10-08 15:03 20544 ----a-w- c:\windows\system32\drivers\SSFS0509.sys

2010-10-30 15:59 . 2006-10-08 15:03 21056 ----a-w- c:\windows\system32\drivers\sskbfd.sys

2010-10-30 15:59 . 2006-10-08 15:03 21568 ----a-w- c:\windows\system32\drivers\sshrmd.sys

2010-10-30 15:59 . 2010-10-30 15:59 -------- d-----w- c:\program files\Webroot

2010-10-30 15:59 . 2010-10-30 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

2010-10-30 15:55 . 2010-10-30 15:55 -------- d-----w- c:\documents and settings\Gerald\Application Data\Webroot

2010-10-30 02:57 . 2010-10-30 02:57 -------- d-----w- C:\RFREGBU

2010-10-30 02:57 . 2010-10-30 02:57 -------- d-----w- C:\RFBackups

2010-10-30 02:57 . 2010-10-30 02:57 -------- d-----w- c:\program files\CCleaner

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-05 15:18 . 2001-08-18 17:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys

2005-10-20 15:58 . 2005-10-20 15:58 5037072 ----a-w- c:\program files\spybotsd14.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PCTVOICE"="pctspk.exe" [2003-04-24 180224]

"PV92TRAY"="PV92Tray.exe" [2003-04-24 135168]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]

"CitiVAN"="c:\program files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 192512]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 366400]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2007-1-9 125624]

HotSync Manager.lnk - c:\program files\Sony Handheld\HOTSYNC.EXE [2006-5-9 299008]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe

"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R3 atirage;atirage;c:\windows\system32\drivers\atiragem.sys [9/24/2005 4:12 PM 70528]

R3 crtaud;Conexant Riptide WDM Audio Driver;c:\windows\system32\drivers\crtaud.sys [9/24/2005 4:12 PM 42112]

R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;c:\windows\system32\drivers\n100325.sys [1/28/2010 2:31 PM 128000]

R3 rpfun;Conexant Riptide Dummy Driver;c:\windows\system32\drivers\rpfun.sys [9/24/2005 4:11 PM 3840]

R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;c:\windows\system32\drivers\rthwcls.sys [9/24/2005 4:12 PM 30720]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 12:34 PM 135664]

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [9/24/2005 4:12 PM 9344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.

Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2010-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 17:33]

2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 17:33]

2010-11-07 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2010-04-13 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mWindow Title =

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-07 18:03

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\windows\system32\WRLogonNTF.dll

.

Completion time: 2010-11-07 18:10:02

ComboFix-quarantined-files.txt 2010-11-07 23:09

Pre-Run: 69,806,161,920 bytes free

Post-Run: 70,286,815,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 53D44D5F41826E5709699D5A3942C294


Nice Job closer24

Please go to Start ----> Run ---> type cmd and press the Enter key. A Windows command prompt will appear. Type each command one at a time.

ipconfig /flushdns followed by the enter key.

ipconfig /release

ipconfig /renew

Next

In normal mode:

Please try this version of malwarebytes: Click the link here

Save it on your desktop. You'll see it will have a random name.

Double-click on it, so it will extract the files and will start Malwarebytes automatically.

In case the installer (random named file) won't run either, rename it to firefox.exe or explorer.exe or iexplore.exe and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.

In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and double-click the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a scan and let it remove what it found. Reboot afterwards (important).

After reboot, post the Malwarebytes log together with a new HijackThis log.

Kenny94:

For the first time I was able to access the Malwarebytes forum via my desktop. I was able to type cmd and follow the commands successfully. However, when I tried to download the Malwarebytes version from your link, it would not work. The first time, it placed a red box with a M in it. It would not run. I renamed it with three different names; it would not run. Received error message: MBAM_ERROR_Enumerate_Languages(3,0)

The system cannot find the path specified. I searched for the mbam-installer folder on my desktop, but it was not there. I deleted the icon from the desktop.

I walked through your instructions again and tried to download from the link again and an icon appeared on my desktop that looked like a monitor screen with a blue tap at the top. It had a random name (axvpuo2j3d.exe). I double-clicked on it. Error Message: C:\\Document and Settings\Gerald\Desktop axvpuo2jed.exe is not a valid Win32 application. Renamed it, still received the same error message. I attempted to download from the link again. It added another icon, like the previous with a different random name. I also tried to download the Malwarebytes program from my notebook to a flash drive and then to my desktop. Same result and error message.

Sorry for the cliche in the process of getting this thing fixed. Let me know if I'm doing something wrong. Appreciate your patience and direction. Awaiting further instructions. Thanks! closer24


Received error message: MBAM_ERROR_Enumerate_Languages(3,0)

I get the same message as well. I need to ask about it. Go ahead and download Malwarebytes and it should install over the version you have installed on the PC that is giving us problems.

Please download Malwarebytes Anti-Malware from Here.

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Kenny94:

Got the program to run from the link. Should I download a copy of AVG or some virus protection program to protect my computer? Thanks for all the help. Awaiting further instructions. Here is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5075

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

11/8/2010 1:24:25 PM

mbam-log-2010-11-08 (13-24-25).txt

Scan type: Quick scan

Objects scanned: 131232

Time elapsed: 20 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


I use Avira AntiVir Personal Free Antivirus on my PC.

  • Avira AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There, double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Kenny94

Attached are the log files. Also, need to know what is safe to remove from my desktop. I have old programs like Adaware, Spybot, SpySweeper, CCleaner, CSShreeder. As well as icons from files I tried to rename when I attempted to download. Also, noticed that ComboFix was no longer on my desktop. Is this normal or should it still be there? I'm running IE6 as my browser. Should I use IE7 or something else? Will it affect my computer? Back to the logs. Thanks for the attention. closer24

Avira AntiVir Personal

Report file date: Monday, November 08, 2010 17:30

Scanning for 3028830 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : Gerald

Computer name : GERRY

Version information:

BUILD.DAT : 10.0.0.592 31823 Bytes 8/9/2010 11:00:00

AVSCAN.EXE : 10.0.3.1 434344 Bytes 8/2/2010 21:09:56

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 8/2/2010 21:10:00

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 01:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 23:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 22:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 17:29:03

VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 21:10:03

VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 21:10:04

VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 21:10:06

VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 22:25:34

VBASE009.VDF : 7.10.13.80 2265600 Bytes 11/2/2010 22:25:49

VBASE010.VDF : 7.10.13.81 2048 Bytes 11/2/2010 22:25:49

VBASE011.VDF : 7.10.13.82 2048 Bytes 11/2/2010 22:25:50

VBASE012.VDF : 7.10.13.83 2048 Bytes 11/2/2010 22:25:50

VBASE013.VDF : 7.10.13.116 147968 Bytes 11/4/2010 22:25:51

VBASE014.VDF : 7.10.13.147 146944 Bytes 11/7/2010 22:25:52

VBASE015.VDF : 7.10.13.148 2048 Bytes 11/7/2010 22:25:53

VBASE016.VDF : 7.10.13.149 2048 Bytes 11/7/2010 22:25:53

VBASE017.VDF : 7.10.13.150 2048 Bytes 11/7/2010 22:25:53

VBASE018.VDF : 7.10.13.151 2048 Bytes 11/7/2010 22:25:53

VBASE019.VDF : 7.10.13.152 2048 Bytes 11/7/2010 22:25:53

VBASE020.VDF : 7.10.13.153 2048 Bytes 11/7/2010 22:25:54

VBASE021.VDF : 7.10.13.154 2048 Bytes 11/7/2010 22:25:54

VBASE022.VDF : 7.10.13.155 2048 Bytes 11/7/2010 22:25:54

VBASE023.VDF : 7.10.13.156 2048 Bytes 11/7/2010 22:25:54

VBASE024.VDF : 7.10.13.157 2048 Bytes 11/7/2010 22:25:54

VBASE025.VDF : 7.10.13.158 2048 Bytes 11/7/2010 22:25:54

VBASE026.VDF : 7.10.13.159 2048 Bytes 11/7/2010 22:25:55

VBASE027.VDF : 7.10.13.160 2048 Bytes 11/7/2010 22:25:55

VBASE028.VDF : 7.10.13.161 2048 Bytes 11/7/2010 22:25:55

VBASE029.VDF : 7.10.13.162 2048 Bytes 11/7/2010 22:25:55

VBASE030.VDF : 7.10.13.163 2048 Bytes 11/7/2010 22:25:55

VBASE031.VDF : 7.10.13.172 93696 Bytes 11/8/2010 22:25:57

Engineversion : 8.2.4.92

AEVDF.DLL : 8.1.2.1 106868 Bytes 8/2/2010 21:09:54

AESCRIPT.DLL : 8.1.3.46 1364347 Bytes 11/8/2010 22:26:18

AESCN.DLL : 8.1.6.1 127347 Bytes 8/2/2010 21:09:53

AESBX.DLL : 8.1.3.1 254324 Bytes 8/2/2010 21:09:53

AERDL.DLL : 8.1.9.2 635252 Bytes 11/8/2010 22:26:14

AEPACK.DLL : 8.2.3.11 471416 Bytes 11/8/2010 22:26:12

AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/2/2010 21:09:52

AEHEUR.DLL : 8.1.2.38 2990455 Bytes 11/8/2010 22:26:09

AEHELP.DLL : 8.1.14.0 246134 Bytes 11/8/2010 22:26:02

AEGEN.DLL : 8.1.3.24 401781 Bytes 11/8/2010 22:26:01

AEEMU.DLL : 8.1.2.0 393588 Bytes 8/2/2010 21:09:49

AECORE.DLL : 8.1.17.0 196982 Bytes 11/8/2010 22:26:00

AEBB.DLL : 8.1.1.0 53618 Bytes 8/2/2010 21:09:48

AVWINLL.DLL : 10.0.0.0 19304 Bytes 8/2/2010 21:09:56

AVPREF.DLL : 10.0.0.0 44904 Bytes 8/2/2010 21:09:55

AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 20:27:13

AVREG.DLL : 10.0.3.2 53096 Bytes 8/2/2010 21:09:55

AVSCPLR.DLL : 10.0.3.1 83816 Bytes 8/2/2010 21:09:56

AVARKT.DLL : 10.0.0.14 227176 Bytes 8/2/2010 21:09:54

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 8/2/2010 21:09:55

SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 20:27:22

AVSMTP.DLL : 10.0.0.17 63848 Bytes 8/2/2010 21:09:56

NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 20:27:21

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20

RCTEXT.DLL : 10.0.58.0 97128 Bytes 8/2/2010 21:10:08

Configuration settings for the scan:

Jobname.............................: Short system scan after installation

Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: off

Integrity checking of system files..: off

Scan all files......................: Intelligent file selection

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Monday, November 08, 2010 17:30

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avconfig.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avshadow.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'setup.exe' - '1' Module(s) have been scanned

Scan process 'presetup.exe' - '1' Module(s) have been scanned

Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned

Scan process 'NOTEPAD.EXE' - '1' Module(s) have been scanned

Scan process 'mbam.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'HOTSYNC.EXE' - '1' Module(s) have been scanned

Scan process 'GoogleUpdater.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'WgaTray.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'qttask.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'PicasaMediaDetector.exe' - '1' Module(s) have been scanned

Scan process 'CitiVAN.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'PV92Tray.exe' - '1' Module(s) have been scanned

Scan process 'Explorer.EXE' - '1' Module(s) have been scanned

Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned

Scan process 'SpySweeper.exe' - '1' Module(s) have been scanned

Scan process 'snmp.exe' - '1' Module(s) have been scanned

Scan process 'tcpsvcs.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '2295' files ).

End of the scan: Monday, November 08, 2010 17:33

Used time: 03:14 Minute(s)

The scan has been done completely.

0 Scanned directories

2770 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

2770 Files not concerned

5 Archives were scanned

0 Warnings

0 Notes

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:01:30 PM, on 11/8/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PV92Tray.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe

C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\WgaTray.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Google\Google Updater\GoogleUpdater.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Sony Handheld\HOTSYNC.EXE

C:\Program Files\Avira\AntiVir Desktop\avcenter.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [CitiVAN] "C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" /dontopenmycards

O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 6427 bytes

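The HijackThis log above lists browser and startup entries by section code (R1, O2, O4, O10, O18, O23), and the helper reads it by eye for things like the two "(no file)" leftovers and the Run entries with no path. As an added example for this thread, not part of HijackThis and not anyone's code from the thread, here is a small Python parser that structures such lines and flags what a reviewer would check first: registrations whose file is gone, Run-key commands given as a bare file name (like PCTVOICE and PV92TRAY above, which Windows resolves via the search path), Winsock LSP entries, services with no vendor string, and anything launched from a temp directory. The sample log is constructed from line types seen in this thread plus one invented "Unknown owner" service; the heuristics are mine, not HijackThis's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HjtEntry:
    section: str                 # HijackThis section code, e.g. "O2"
    body: str                    # everything after "O2 - "
    fields: List[str]            # body split on " - "
    flags: List[str] = field(default_factory=list)


# A log entry starts with a section code followed by " - ".
_LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
_DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for a HijackThis log line, or None for headers/blank lines."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    entry = HjtEntry(section=section, body=body, fields=body.split(" - "))
    _apply_heuristics(entry)
    return entry


def _run_command(body: str) -> str:
    """Extract the launched command from an O4 body ('[Name] cmd' or 'x.lnk = cmd')."""
    if "] " in body:
        return body.split("] ", 1)[1].strip()
    if " = " in body:
        return body.split(" = ", 1)[1].strip()
    return ""


def _apply_heuristics(e: HjtEntry) -> None:
    # Orphaned registration: a CLSID or protocol handler whose file no longer exists.
    if e.fields[-1].strip() == "(no file)":
        e.flags.append("orphan")
    # Run-key commands given without a full path are resolved through the search
    # path, so the file that actually runs should be located and checked.
    if e.section == "O4":
        cmd = _run_command(e.body).lstrip('"')
        if cmd and not _DRIVE_PATH_RE.match(cmd):
            e.flags.append("no-full-path")
    # Winsock LSP entries always deserve a look: an LSP sees all socket traffic.
    if e.section == "O10":
        e.flags.append("winsock-lsp")
    # Services for which HijackThis found no vendor string.
    if e.section == "O23" and len(e.fields) >= 3 and e.fields[1] == "Unknown owner":
        e.flags.append("unknown-vendor")
    # Anything launched from a temp directory.
    if "\\temp\\" in e.body.lower():
        e.flags.append("temp-path")


def flagged_entries(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its flags; clean entries and non-entry lines are skipped."""
    result: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry.flags:
            result[line.strip()] = entry.flags
    return result


# Constructed sample: line types from the log above plus one invented service entry.
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Example Helper (exhelper) - Unknown owner - C:\Documents and Settings\User\Local Settings\Temp\exhelper.exe
"""

if __name__ == "__main__":
    for line, flags in flagged_entries(SAMPLE_LOG).items():
        print(", ".join(flags).ljust(28), line)
```

A flag is a prompt to look, not a verdict: the O10 entry in this thread (nwprovau.dll, the NetWare Winsock provider) and the two orphaned AVG/LinkScanner entries are harmless leftovers, which is exactly what the helper concluded by reading the log.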

I would remove the old malware programs.

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it. There are other free alternatives, FIREFOX and OPERA; both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial for Spywareblaster can be found here.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips


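The Internet Explorer settings listed under "Make your Internet Explorer more secure" are stored per zone in the registry: the Internet zone is Zones\3 under Internet Settings, each Custom Level setting is a four-digit action code (for instance 1001 for "Download signed ActiveX controls"), and the value is a DWORD policy where 0 means Enable, 1 means Prompt and 3 means Disable. As an added example, not from this thread and not Microsoft's or Malwarebytes' code, here is a Python script that reads a regedit export of the current user's zone keys and audits the six settings named above against the values the post recommends, reporting a setting that is absent as "not set" rather than guessing the zone default. The two sample exports are constructed, one weak and one hardened.

```python
import re
from typing import Dict, List, Optional, Tuple

# Internet zone (zone 3) of the current user's Internet Explorer settings.
ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Action code -> (name as shown in the Custom Level dialog, recommended policy from the post above)
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
POLICY_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')


def parse_zone_values(reg_text: str, key: str = ZONES_KEY) -> Dict[str, int]:
    """Collect the four-digit DWORD action values found under `key` in a .reg export."""
    values: Dict[str, int] = {}
    current: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            continue
        if current is None or current.lower() != key.lower():
            continue
        vm = _DWORD_RE.match(line)
        if vm:
            values[vm.group(1)] = int(vm.group(2), 16)
    return values


def audit(values: Dict[str, int]) -> Dict[str, Tuple[str, Optional[str], str, bool]]:
    """For each recommended setting: (name, current policy or None if unset, wanted policy, ok)."""
    report = {}
    for action, (name, want) in RECOMMENDED.items():
        have = values.get(action)
        have_name = None if have is None else POLICY_NAMES.get(have, f"unknown({have})")
        report[action] = (name, have_name, POLICY_NAMES[want], have == want)
    return report


def failing_actions(reg_text: str) -> List[str]:
    """Sorted action codes whose current policy is absent or differs from the recommendation."""
    return sorted(code for code, (_, _, _, ok) in audit(parse_zone_values(reg_text)).items() if not ok)


def load_reg_file(path: str) -> str:
    """regedit exports are UTF-16LE with a BOM; decode accordingly before parsing."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed sample: a weak Internet zone (ActiveX downloads enabled, 1607 never set),
# plus an unrelated zone 1 key to show that only zone 3 is read.
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"DisplayName"="Local intranet"
"1001"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000001
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"""

# Constructed sample: the same zone after applying the six settings from the post.
HARDENED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"1607"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000001
"""

if __name__ == "__main__":
    for code, (name, have, want, ok) in audit(parse_zone_values(WEAK_REG)).items():
        print(f"{'OK ' if ok else 'FIX'} {code} {name}: {have or 'not set'} (recommended {want})")
```

To audit a real machine, export the key with regedit (File > Export) and pass the file through load_reg_file before parse_zone_values. One caveat: if the Security_HKLM_only value is set under Internet Settings, the effective zone settings come from the HKEY_LOCAL_MACHINE copy of the Zones key rather than the user's, so export and audit that key instead.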

Kenny94:

Thanks so much for helping me to get rid of the virus, malware, trojan or whatever it was. Also appreciate the advice on keeping my computer safe and secure. It was a pleasure meeting you. Thank you for your patience and persistence in solving my problem.

In appreciation for your help I have made a small donation to the site. Have a nice day. Keep up the great work. Regards:

closer24
