

I ran rootkit for what seemed like 4 hours, then it crashed just as it seemed to be finishing.

DDS (Ver_11-03-05.01) - NTFSx86 NETWORK

Run by Administrator at 8:33:51.26 on Tue 04/05/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.483 [GMT 8:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Avant Browser\avant.exe

C:\Program Files\Avant Browser\ybrowser.exe

c:\program files\billeo\billeo.exe

C:\Program Files\Avant Browser\adownloader.exe

C:\Documents and Settings\Administrator.VAIO\My Documents\Downloads\Defogger.exe

C:\Program Files\Avant Browser\ybrowser.exe

C:\Program Files\Avant Browser\ybrowser.exe

C:\Documents and Settings\Administrator.VAIO\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uSearch Page = hxxp://www.bing.com/?pc=AVBR

uWindow Title = Windows Internet Explorer provided by Yahoo!

uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8

uInternet Settings,ProxyOverride = *.local;<local>

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Billeo: {465e08e7-f005-4389-980f-1d8764b3486c} - c:\program files\billeo\billeo.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll

BHO: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Billeo: {6adb0f93-1aa5-4bcf-9df4-cea689a3c111} - c:\program files\billeo\billeo.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {B2DE56E2-907A-4080-AE06-5C2A7BD4364E} - No File

EB: Billeo: {6576ebaa-b570-4345-98e4-96153c77cf24} - c:\program files\billeo\billeo.dll

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\administrator.vaio\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [C-Media Mixer] Mixer.exe /startup

mRun: [vptray] c:\program files\navnt\vptray.exe

mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe

mRun: [WinFaxAppPortStarter] wfxsnt40.exe

mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"

mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe

mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect

mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [b2C_AGENT] c:\documents and settings\all users.windows\application data\lgmobileax\b2c_client\B2CNotiAgent.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\billeo.lnk - c:\program files\billeo\billeo.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\contro~1.lnk - c:\program files\winfax\WFXCTL32.EXE

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp psc 900 series\bin\hpobrt07.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: Handy Password: Clear Fields - c:\program files\handy password\handypasswordtoolbar.dll/menu_clear.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

Trusted Zone: intuit.com\ttlc

Trusted Zone: sbcglobal.net

Trusted Zone: yahoo.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: NavLogon - c:\windows\system32\NavLogon.dll

Notify: WgaLogonOld - WgaLogon.dll

AppInit_DLLs: msmgr.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

============= SERVICES / DRIVERS ===============

.

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-3-10 53816]

S1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus_23945.sys [2011-3-10 55224]

S1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-3-10 66360]

S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-3-10 158392]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-29 136176]

S2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2000-12-22 7888]

S2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2000-12-22 430080]

S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-3-10 821048]

S3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2000-12-22 171872]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110403.002\NAVENG.sys [2011-4-4 86136]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110403.002\NAVEX15.sys [2011-4-4 1393144]

S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2010-10-21 15576]

.

=============== Created Last 30 ================

.

2011-04-04 21:44:45 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com

2011-04-04 21:44:45 -------- d-----w- c:\docume~1\admini~1.vai\applic~1\SUPERAntiSpyware.com

2011-04-04 21:44:36 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-04-03 07:34:49 -------- d-----w- c:\docume~1\admini~1.vai\applic~1\Avant Downloader

2011-04-02 02:30:03 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Norton

2011-04-02 02:29:56 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\NortonInstaller

2011-03-31 19:07:29 -------- d-----w- c:\docume~1\admini~1.vai\applic~1\Trusteer

2011-03-31 19:07:23 -------- d-----w- c:\program files\Trusteer

2011-03-31 19:04:49 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Trusteer

2011-03-29 21:32:03 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-03-29 21:32:03 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-03-29 05:19:08 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\GoodSync

2011-03-29 05:19:06 -------- d-----w- c:\docume~1\admini~1.vai\applic~1\GoodSync

2011-03-28 02:34:21 -------- d-----w- c:\program files\BitPim

2011-03-27 02:10:36 -------- d-----w- C:\LGMobileUpgrade

2011-03-21 13:31:05 25216 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys

2011-03-21 13:31:05 20864 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys

2011-03-21 13:31:04 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys

2011-03-21 13:30:58 -------- d-----w- c:\program files\LG Electronics

2011-03-21 13:26:59 -------- d-----w- C:\LGVX5600

2011-03-21 13:19:08 -------- d-----w- C:\LGVX5600PP

2011-03-21 13:15:13 53248 ----a-w- c:\windows\system32\CommonDL.dll

2011-03-21 13:14:42 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\LGMOBILEAX

2011-03-20 18:07:04 221184 ----a-w- c:\windows\system32\wmpns.dll

2011-03-20 18:01:50 -------- d-----w- C:\6260d95b51dde78aeaf22e

2011-03-20 17:09:26 32768 ----a-w- c:\windows\_ds10.tmp

2011-03-18 19:26:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-18 19:25:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-15 21:56:23 -------- d-----w- c:\docume~1\admini~1.vai\locals~1\applic~1\Google

2011-03-15 21:55:18 -------- d-----w- c:\docume~1\admini~1.vai\locals~1\applic~1\Deployment

2011-03-10 13:09:26 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

==================== Find3M ====================

.

2011-02-15 17:57:20 32768 ----a-w- c:\windows\_ds13.tmp

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 13:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-02 11:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-17 20:17:48 1409 ----a-w- c:\windows\CerSwfte.FOT

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2001-08-23 05:00:00 94784 --sha-w- c:\windows\twain.dll

2008-04-14 00:12:07 50688 --sha-w- c:\windows\twain_32.dll

2010-09-18 06:53:25 974848 --sha-w- c:\windows\system32\mfc42.dll

2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll

2008-04-14 00:12:02 551936 --sha-w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll

2008-04-14 00:12:32 11776 --sha-w- c:\windows\system32\regsvr32.exe

.

============= FINISH: 8:35:02.39 ===============

Attach.zip


  • Root Admin

Hi Mike,

Please run the following and post back the log.

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.


ComboFix 11-04-06.01 - Administrator 04/06/2011 13:37:35.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.396 [GMT 8:00]

Running from: c:\documents and settings\Administrator.VAIO\Desktop\ComboFix.exe

.

ADS - WINDOWS: deleted 24 bytes in 1 streams.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator.VAIO\WINDOWS

c:\documents and settings\Michael Campbell\WINDOWS

c:\documents and settings\Mike\WINDOWS

C:\install.exe

c:\program files\Altnet

c:\program files\Altnet\DBBackup\Sigfiles.db

c:\program files\Altnet\Download Manager\adm25.dll

c:\program files\Altnet\Download Manager\adm4.dll

c:\program files\Altnet\Download Manager\adm4005.exe

c:\program files\Altnet\Download Manager\admdata.dll

c:\program files\Altnet\Download Manager\admdloader.dll

c:\program files\Altnet\Download Manager\admfdi.dll

c:\program files\Altnet\Download Manager\admprog.dll

c:\program files\Altnet\Download Manager\altnetuninstall.exe

c:\program files\Altnet\Download Manager\dminfo3.cab

c:\program files\Altnet\Download Manager\dminstall7.cab

c:\program files\Altnet\Download Manager\dmsetup.bmp

c:\program files\Altnet\Download Manager\dmsetupbig.bmp

c:\program files\Altnet\Download Manager\jsinstall.cab

c:\program files\Altnet\Download Manager\jslegals.txt

c:\program files\Altnet\Download Manager\selectdir.txt

c:\program files\Altnet\Download Manager\selectdir1st.txt

c:\program files\Need2Find

c:\program files\Need2Find\bar\History\search

c:\windows\system32\Temp

.

.

((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))

.

.

2011-04-04 21:44 . 2011-04-04 21:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com

2011-04-04 21:44 . 2011-04-04 21:44 -------- d-----w- c:\documents and settings\Administrator.VAIO\Application Data\SUPERAntiSpyware.com

2011-04-04 21:44 . 2011-04-04 21:44 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-04-03 07:34 . 2011-04-03 07:34 -------- d-----w- c:\documents and settings\Administrator.VAIO\Application Data\Avant Downloader

2011-04-02 02:30 . 2011-04-03 07:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton

2011-03-31 19:07 . 2011-03-31 19:07 -------- d-----w- c:\documents and settings\Administrator.VAIO\Application Data\Trusteer

2011-03-31 19:07 . 2011-03-31 19:07 -------- d-----w- c:\program files\Trusteer

2011-03-31 19:04 . 2011-03-31 19:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer

2011-03-31 01:02 . 2011-03-31 01:02 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google

2011-03-29 21:32 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-03-29 21:32 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-03-29 05:19 . 2011-03-29 05:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\GoodSync

2011-03-29 05:19 . 2011-04-05 00:49 -------- d-----w- c:\documents and settings\Administrator.VAIO\Application Data\GoodSync

2011-03-28 23:33 . 2011-03-28 23:33 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Google

2011-03-28 02:34 . 2011-03-28 03:39 -------- d-----w- c:\program files\BitPim

2011-03-27 02:10 . 2011-03-27 02:10 -------- d-----w- C:\LGMobileUpgrade

2011-03-21 13:31 . 2011-02-13 18:42 20864 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys

2011-03-21 13:31 . 2011-02-13 18:42 25216 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys

2011-03-21 13:31 . 2011-02-13 18:42 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys

2011-03-21 13:30 . 2011-03-21 13:32 -------- d-----w- c:\program files\LG Electronics

2011-03-21 13:26 . 2011-03-21 13:26 -------- d-----w- C:\LGVX5600

2011-03-21 13:15 . 2006-05-04 00:33 53248 ----a-w- c:\windows\system32\CommonDL.dll

2011-03-21 13:14 . 2011-03-27 00:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\LGMOBILEAX

2011-03-20 18:07 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll

2011-03-20 18:01 . 2011-03-20 18:03 -------- d-----w- C:\6260d95b51dde78aeaf22e

2011-03-20 17:09 . 2011-03-20 17:09 32768 ----a-w- c:\windows\_ds10.tmp

2011-03-18 19:26 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-18 19:25 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-15 21:56 . 2011-03-28 23:34 -------- d-----w- c:\documents and settings\Administrator.VAIO\Local Settings\Application Data\Google

2011-03-15 21:55 . 2011-03-15 21:56 -------- d-----w- c:\documents and settings\Administrator.VAIO\Local Settings\Application Data\Deployment

2011-03-13 20:42 . 2011-03-13 20:43 -------- d-----w- c:\documents and settings\Administrator.VAIO\Application Data\FileZilla

2011-03-13 20:30 . 2011-03-13 20:31 -------- d-----w- c:\program files\FileZilla FTP Client

2011-03-10 13:09 . 2011-03-10 13:09 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-15 17:57 . 2011-02-15 17:57 32768 ----a-w- c:\windows\_ds13.tmp

2011-02-09 13:53 . 2004-08-04 00:56 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-04 00:56 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 13:40 . 2010-12-18 04:00 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-02 11:19 . 2010-11-26 18:16 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 07:58 . 2010-10-20 15:49 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2010-10-20 15:49 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2004-08-04 00:56 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-17 20:17 . 2011-01-17 20:17 1409 ----a-w- c:\windows\CerSwfte.FOT

2011-01-07 14:09 . 2004-08-04 00:56 290048 ----a-w- c:\windows\system32\atmfd.dll

2001-08-23 05:00 94784 --sha-w- c:\windows\twain.dll

2008-04-14 00:12 50688 --sha-w- c:\windows\twain_32.dll

2010-09-18 06:53 974848 --sha-w- c:\windows\system32\mfc42.dll

2008-04-14 00:12 57344 --sha-w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 00:12 343040 --sha-w- c:\windows\system32\msvcrt.dll

2008-04-14 00:12 551936 --sha-w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12 84992 --sha-w- c:\windows\system32\olepro32.dll

2008-04-14 00:12 11776 --sha-w- c:\windows\system32\regsvr32.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2011-02-01 11:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-21 160328]

"Google Update"="c:\documents and settings\Administrator.VAIO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-03-15 136176]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-28 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"C-Media Mixer"="Mixer.exe" [2003-03-20 1855488]

"vptray"="c:\program files\NavNT\vptray.exe" [2000-12-21 53248]

"WFXSwtch"="c:\progra~1\WinFax\WFXSWTCH.exe" [2002-12-12 28160]

"WinFaxAppPortStarter"="wfxsnt40.exe" [2002-12-12 45568]

"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 45056]

"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-10 421888]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]

"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]

"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-12-07 02:33 73728]

"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

"B2C_AGENT"="c:\documents and settings\All Users.WINDOWS\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2011-01-13 395192]

.

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-7 110592]

Billeo.lnk - c:\program files\Billeo\billeo.exe [2010-6-16 1446736]

Controller.LNK - c:\program files\WinFax\WFXCTL32.EXE [2009-11-14 549888]

HPAiODevice(hp psc 900 series) - 2.lnk - c:\program files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-9-26 487484]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-26 38400]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.VAIO^Start Menu^Programs^Startup^Hewlett-Packard Recorder.lnk]

path=c:\documents and settings\Administrator.VAIO\Start Menu\Programs\Startup\Hewlett-Packard Recorder.lnk

backup=c:\windows\pss\Hewlett-Packard Recorder.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp instant support.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\hp instant support.lnk

backup=c:\windows\pss\hp instant support.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HPAiODevice(hp psc 900 series) - 1.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HPAiODevice(hp psc 900 series) - 1.lnk

backup=c:\windows\pss\HPAiODevice(hp psc 900 series) - 1.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]

2002-09-10 13:26 368706 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2001-07-03 01:11 57344 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\NavNT\\vpc32.exe"=

"c:\\Program Files\\Avant Browser\\avant.exe"=

"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [3/10/2011 9:09 PM 53816]

S1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus_23945.sys [3/10/2011 9:17 PM 55224]

S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [3/10/2011 9:09 PM 66360]

S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [3/10/2011 9:09 PM 158392]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/18/2010 2:25 AM 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/11/2010 2:41 AM 67656]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2011 7:32 AM 136176]

S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [3/10/2011 9:09 PM 821048]

S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [10/21/2010 9:00 AM 15576]

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-07 20:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-28 23:32]

.

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-28 23:32]

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1788223648-682003330-500Core.job

- c:\documents and settings\Administrator.VAIO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-15 21:56]

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1788223648-682003330-500UA.job

- c:\documents and settings\Administrator.VAIO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-15 21:56]

.

2011-04-03 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2011-02-01 11:17]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uInternet Settings,ProxyOverride = *.local;<local>

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: Handy Password: Clear Fields - c:\program files\Handy Password\handypasswordtoolbar.dll/menu_clear.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: intuit.com\ttlc

Trusted Zone: sbcglobal.net

Trusted Zone: yahoo.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

.

Notify-WgaLogonOld - WgaLogon.dll

MSConfigStartUp-RecoverFromReboot - c:\windows\Temp\RecoverFromReboot.exe

AddRemove-Pandora's Box 1.0 - c:\program files\Microsoft Games\Pandora's Box\setup

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-06 13:57

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1275210071-1788223648-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

@Allowed: (Read) (RestrictedCode)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,98,7e,a5,e0,3e,bf,44,a1,a8,f4,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,98,2c,03,f1,29,f8,f6,40,9e,c0,83,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,98,7e,a5,e0,3e,bf,44,a1,a8,f4,\

.

[HKEY_USERS\S-1-5-21-1275210071-1788223648-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(608)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\NavLogon.dll

.

Completion time: 2011-04-06 14:01:32

ComboFix-quarantined-files.txt 2011-04-06 06:01

.

Pre-Run: 105,055,576,064 bytes free

Post-Run: 110,884,737,024 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 5481B4CBA1B12BB53A2225E327F3371F

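The Security Center and firewall-policy block in the ComboFix log above is the part of this log a helper reads first: AntiVirusOverride is set, the firewall is off for the standard profile, TCP 3389 (Remote Desktop) is globally open, and two separate Java runtimes are authorised through the firewall. The following is an added example, not code from the original thread or from the ComboFix tool; it parses those registry-export style lines (copied from the log above as sample input) and returns one finding per weak setting.

```python
"""Audit the Security Center and firewall-policy entries in a ComboFix/DDS log.

Added example, not from the original thread: it reads the registry-export
style lines ComboFix prints and flags the weak settings visible in the log
above (AV monitoring overridden, firewall off, RDP globally open, two Java
runtimes authorised).
"""
import re
from typing import Dict, List

# Constructed sample: the relevant lines copied from the ComboFix log above.
# ComboFix doubles backslashes inside quoted value names, as a .reg export does.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\NavNT\\vpc32.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_registry_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Group '"name"=value' lines under the [key] line that precedes them.

    Keys are lower-cased; doubled backslashes in value names are collapsed.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separates blocks with "."
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).replace("\\\\", "\\")] = m.group(2).strip()
    return keys


def dword(value: str) -> int:
    """'dword:00000001' -> 1; ComboFix also prints some values as '0 (0x0)'."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[len("dword:"):], 16)
    return int(value.split()[0])


def section(keys: Dict[str, Dict[str, str]], suffix: str) -> Dict[str, str]:
    """Return the first parsed key whose path ends with `suffix` (case-insensitive)."""
    suffix = suffix.lower()
    for path, values in keys.items():
        if path.endswith(suffix):
            return values
    return {}


def audit(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per weak setting present in the parsed dump."""
    findings: List[str] = []

    sc = section(keys, r"microsoft\security center")
    if "AntiVirusOverride" in sc and dword(sc["AntiVirusOverride"]) == 1:
        findings.append("AntiVirusOverride=1: Security Center will not warn "
                        "that antivirus is missing or out of date")

    fw = section(keys, r"firewallpolicy\standardprofile")
    if "EnableFirewall" in fw and dword(fw["EnableFirewall"]) == 0:
        findings.append("EnableFirewall=0: Windows Firewall is off for the standard profile")

    for port in section(keys, r"globallyopenports\list"):
        note = " (Remote Desktop)" if port.upper().startswith("3389:") else ""
        findings.append(f"Globally open port {port}{note}: reachable from any address")

    apps = section(keys, r"authorizedapplications\list")
    java = [a for a in apps if re.search(r"\\java\\jre", a, re.IGNORECASE)]
    if len(java) > 1:
        findings.append(f"{len(java)} Java runtimes authorised through the firewall "
                        "(old versions left installed side by side): " + ", ".join(java))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_registry_dump(SAMPLE_LOG)):
        print("-", finding)
```

Run against the sample it prints four findings. The same parser works on the full log file because ComboFix keeps the one-key-then-values layout throughout; only the `section()` suffixes would need extending to cover other keys of interest.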

  • Root Admin

Do you really have that old of a version of WinFax still installed?

"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-26 38400]

STEP 01

Let's remove ALL of your Java and when done you can reinstall it.

Java Auto Updater

Java™ 6 Update 24

Java™ SE Runtime Environment 6 Update 1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 24 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 24 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u24 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked

        Applications and Applets
        Trace and Log Files

    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

STEP 02

Start MBAM and check for updates and then do a Quick Scan and post back the log on your next reply.

STEP 03

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner (you can ignore the digital certificate error for now)

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

STEP 04

I would recommend removing the following toolbar as well from your Control Panel, Add/Remove

Ask Toolbar

STEP 05

Please run a NEW DDS scan as well and post back the logs and LET ME KNOW how the computer is running now and if there are still any issues and what they are.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.


When done, DDS will open two (2) logs:

  1. DDS.txt

  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Ron, working on this today, but a quick assessment and a few attempts this morning: the Java programs are not uninstalling in safe mode. And when trying to install the new JAVA download it says the system administrator has set policies to prevent installation. Note I am the administrator. Also ever since last week all downloads are going through something called AVANT DOWNLOADER, I'm wondering if this has something to do with my problem? I can't find any info on it. I use Avant Browser as my browser.

Will keep posting after I've worked on it a bit. Mike


Ron, just to verify the above. I've tried to perform your requests but am unable due to only being able to open in safe mode. At the top of the Add/Remove Programs list is a coffee cup icon and the program is called aaa. I'm wondering if that is my problem? In any case I can't proceed in the way you have listed above. BTW I use the WinFax Pro program daily. I love it! lol Regards Mike


Just tried running the Kaspersky program and got this error message after about 2 hours.

Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: Anti-virus database was updated after license expiry]


  • Root Admin

You mean your computer cannot start in NORMAL MODE and can only start in Safe Mode?

Please try running the following AV scanner if the Kaspersky one won't run.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: Leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.



Ron, before I make these posts I will say: I tried restarting my PC normally after the DrWeb program finished running and it still restarted itself after a few seconds. I do notice what seems like an update virus definitions box flashes in the middle of the screen before it reboots itself. I can't be sure because it is present for about 1 second. That said, I am in safe mode now and will post the files here.

056C0000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.NtRootKit.5258;Incurable.Moved.;

056C0001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Program.Keylogger.11;Moved.;

05980000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9662;Deleted.;

05980001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9662;Deleted.;

05980002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9662;Deleted.;

05980003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9662;Deleted.;

05980004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9662;Deleted.;

05980005.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9662;Deleted.;

081C0000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.NtRootKit.2732;Deleted.;

081C0001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Packed.365;Incurable.Moved.;

081C0002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Obfuscated.based.1;Incurable.Moved.;

081C0004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.NtRootKit.2732;Deleted.;

081C0005.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.MulDrop.18526;Deleted.;

081C0006.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.MulDrop.18526;Deleted.;

081C0008.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.NtRootKit.2732;Deleted.;

081C0009.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.NtRootKit.2732;Deleted.;

08E40000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

08E80000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Packed.365;Incurable.Moved.;

08E80001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Packed.365;Incurable.Moved.;

08E80002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Packed.365;Incurable.Moved.;

09600000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

09600001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

09600002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

09600003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

09600004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

09840003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Obfuscated.based.1;Incurable.Moved.;

09840004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Packed.365;Incurable.Moved.;

09840005.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Obfuscated.based.1;Incurable.Moved.;

09840006.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

09840007.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

09840008.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

09840009.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

0984000A.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

0984000B.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

0984000C.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

0984000D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

0984000E.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Packed.365;Incurable.Moved.;

0984000F.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Packed.365;Incurable.Moved.;

09840010.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Packed.365;Incurable.Moved.;

09CC0000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad.10051;Deleted.;

09CC0001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9662;Deleted.;

09CC0002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

09CC0003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

0A740000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Fakealert.16183;Incurable.Moved.;

0C240001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Fakealert.16183;Incurable.Moved.;

0EB00000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Probably Trojan.Packed.Based;;

0EC00000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

0EC00001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad.10051;Deleted.;

0EC00002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9662;Deleted.;

0EC00003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

0EC00004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Popuper.9663;Deleted.;

0FD40000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad.26970;Deleted.;

0FD40001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad1.26293;Incurable.Moved.;

0FD40002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad1.26293;Incurable.Moved.;

0FD40003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad1.26293;Incurable.Moved.;

0FD40004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad1.26293;Incurable.Moved.;

0FD40005.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.NtRootKit.5258;Incurable.Moved.;

0FD40006.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Siggen1.29124;Incurable.Moved.;

0FD40007.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.NtRootKit.5258;Incurable.Moved.;

0FD40008.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad1.26293;Incurable.Moved.;

0FD40009.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad1.26293;Incurable.Moved.;

0FD4000A.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad1.26293;Incurable.Moved.;

0FD4000B.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.NtRootKit.5258;Incurable.Moved.;

0FD4000C.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.NtRootKit.5258;Incurable.Moved.;

0FD4000D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad1.26293;Incurable.Moved.;

16CC0001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Packed.338;Deleted.;

Process.exe;C:\Documents and Settings\Michael Campbell\Desktop\SmitfraudFix;Tool.Killproc.3;Moved.;

restart.exe;C:\Documents and Settings\Michael Campbell\Desktop\SmitfraudFix;Tool.ShutDown.14;Moved.;

CFD.exe;C:\Program Files\BroadJump\Client Foundation;Adware.Cfd;Moved.;

InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;;

HPI_Exit.exe;C:\Program Files\Hewlett-Packard\PhotoSmart\Update;BackDoor.Infum.2;Deleted.;

HPI_Exit.exe;C:\Program Files\Hewlett-Packard\Update;BackDoor.Infum.2;Deleted.;

adm25.dll.vir;C:\Qoobox\Quarantine\C\Program Files\Altnet\Download Manager;Adware.Altnet;Moved.;

adm4.dll.vir;C:\Qoobox\Quarantine\C\Program Files\Altnet\Download Manager;Adware.Altnet;Moved.;

adm4005.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Altnet\Download Manager;Adware.Altnet;Moved.;

admdata.dll.vir;C:\Qoobox\Quarantine\C\Program Files\Altnet\Download Manager;Adware.Altnet.37;Moved.;

admdloader.dll.vir;C:\Qoobox\Quarantine\C\Program Files\Altnet\Download Manager;Adware.Altnet;Moved.;

admfdi.dll.vir;C:\Qoobox\Quarantine\C\Program Files\Altnet\Download Manager;Adware.Altnet;Moved.;

admprog.dll.vir;C:\Qoobox\Quarantine\C\Program Files\Altnet\Download Manager;Adware.Altnet;Moved.;

altnetuninstall.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Altnet\Download Manager;Adware.Altnet;Moved.;

A0055200.dll;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;Adware.Altnet;Moved.;

A0055201.dll;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;Adware.Altnet;Moved.;

A0055202.exe;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;Adware.Altnet;Moved.;

A0055203.dll;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;Adware.Altnet.37;Moved.;

A0055204.dll;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;Adware.Altnet;Moved.;

A0055205.dll;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;Adware.Altnet;Moved.;

A0055206.dll;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;Adware.Altnet;Moved.;

A0055207.exe;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;Adware.Altnet;Moved.;

A0057697.exe;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;Tool.Killproc.3;Moved.;

A0057698.exe;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;Tool.ShutDown.14;Moved.;

A0057699.exe;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;Adware.Cfd;Moved.;

A0057700.exe;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;BackDoor.Infum.2;Deleted.;

A0057701.exe;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;BackDoor.Infum.2;Deleted.;

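The Dr.Web report above is one detection per line in the form name;folder;threat;action; and most of its hits sit in Symantec's own quarantine store, in ComboFix's Qoobox quarantine or in System Restore points, which are already contained; the handful under Program Files are what was actually live. The following is an added example, not code from the original thread or from Dr.Web; it parses a subset of the lines posted above (embedded as sample input) and groups the hits by malware family, by where they were found, and by which items Dr.Web could not cure or only reported, which are the samples the helper asked for.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv).

Added example, not from the original thread: each report line is
name;folder;threat;action; and this groups the hits by malware family and
by where they were found, since a hit inside an existing antivirus or
ComboFix quarantine folder is already contained while a hit under Program
Files is a live infection.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the lines from the DrWeb.csv report posted above.
SAMPLE_REPORT = r"""
056C0000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.NtRootKit.5258;Incurable.Moved.;
056C0001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Program.Keylogger.11;Moved.;
081C0000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.NtRootKit.2732;Deleted.;
0EB00000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Probably Trojan.Packed.Based;;
CFD.exe;C:\Program Files\BroadJump\Client Foundation;Adware.Cfd;Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;;
HPI_Exit.exe;C:\Program Files\Hewlett-Packard\PhotoSmart\Update;BackDoor.Infum.2;Deleted.;
adm25.dll.vir;C:\Qoobox\Quarantine\C\Program Files\Altnet\Download Manager;Adware.Altnet;Moved.;
A0057700.exe;C:\System Volume Information\_restore{9A5A3754-A7CB-494B-8660-A9916F6DFE31}\RP27;BackDoor.Infum.2;Deleted.;
"""


@dataclass
class Detection:
    name: str
    folder: str
    threat: str
    action: str       # empty when Dr.Web only reported and did nothing

    @property
    def heuristic(self) -> bool:
        """'Probably ...' names come from heuristic analysis, not a signature."""
        return self.threat.startswith("Probably ")

    @property
    def family(self) -> str:
        """'Trojan.NtRootKit.5258' -> 'Trojan.NtRootKit' (drop the variant number)."""
        t = self.threat[len("Probably "):] if self.heuristic else self.threat
        return ".".join(t.split(".")[:2])

    @property
    def location(self) -> str:
        """Classify the folder: already-contained stores versus the live file system."""
        f = self.folder.lower()
        if "\\symantec\\" in f and f.endswith("\\quarantine"):
            return "av-quarantine"          # Symantec's own quarantine store
        if f.startswith("c:\\qoobox\\quarantine"):
            return "combofix-quarantine"    # files ComboFix already moved aside
        if "\\system volume information\\" in f:
            return "restore-point"          # System Restore copies of old files
        return "live"


def parse_report(text: str) -> List[Detection]:
    """Parse the semicolon-separated lines; a trailing ';' leaves an empty fifth field."""
    detections: List[Detection] = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 4 or not parts[0]:
            continue
        detections.append(Detection(*parts[:4]))
    return detections


def triage(detections: List[Detection]) -> Dict[str, object]:
    """Group the hits the way a helper reads the report."""
    return {
        "by_family": Counter(d.family for d in detections),
        "by_location": Counter(d.location for d in detections),
        "heuristic": [d.name for d in detections if d.heuristic],
        # Hits outside any quarantine or restore point were active on the system.
        "live_hits": [d.name for d in detections if d.location == "live"],
        # Items Dr.Web could not cure (or only reported) are the samples a helper asks for.
        "samples_to_submit": [d.name for d in detections
                              if d.action == "" or d.action.startswith("Incurable")],
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On the sample this separates the four hits that were already inside Symantec's quarantine from the three live ones under Program Files, and lists the heuristic "Probably" entries separately, since those are the ones worth submitting rather than treating as confirmed.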

  • Root Admin

Well, a reboot can be a few things and might not even be malware. Even an overheated system will reboot, but if it can run for a long period of time in safe mode then we probably have to assume a critical file or registry setting has been damaged somehow.

Please review the following article to run a file check on your system.

How to Use SFC.EXE to Repair System Files


  • 2 weeks later...

I just wanted to reply since I've been offline for more than a week. I have tried to no avail to run SFC, trying to get a different result other than what I've written (a flashing DOS screen for seconds). I've tried refollowing the steps on the link to see if the process takes longer etc. I've gone to regedit etc. The result is still the same. I actually got another computer and was going to swap out the HDs to see if it was a hardware issue. Unfortunately the extra PC is a different HD format (I think ATA or SCSI, something like that); in any case the connectors are not the same. The good news is, as I stated in the very beginning, I do have a backup of my most important things (weekly if not monthly the latest) and I'm working now with the added PC to make sure I have any necessary documents from this infected (seemingly) PC. If you have any other ideas I'm willing to try. Otherwise I will restore this HD back to factory settings in about a month. I guess one question I would have is, would Malwarebytes Pro take the place of my Symantec product? Regards Mike


  • Root Admin

Hi Mike,

No, it would not take its place. It helps to fill in where Symantec is missing some of the newer infections and rogue applications.

Not really sure what is affecting your computer at this point. If it's rebooting unexpectedly it could even be a hardware issue.

Passmark has some tools to test for hardware issues if needed.

http://www.passmark.com/


Well, just in case you are curious: I really suspected it was not a hardware problem. I did use my restore to factory settings. As I said, I backed up many of my important files, and after restoring the PC is working once again. I will need virus protection now. Do you have a preference? Thanks for your help. Sorry we couldn't learn what this virus was. Regards Mike


  • Root Admin

I use the new Symantec Internet Security 2011 with MBAM on a couple systems at home and they work quite well. I have a few other systems at work with Kaspersky and MBAM and they too work quite well.

Symantec has licensing for up to 3 computers, which is nice, and current detection rates are pretty good in the AV market. Resource use is low nowadays (they used to be a pig and I would not have recommended them in the past).

Between the two, they complement each other well: I have had Symantec pick up items before MBAM, have actually had a couple more items picked up before Symantec, and MBAM has also blocked some IPs for stuff that Symantec never blinked an eye at.

I'll leave the post open another day or so in case you have any more questions, then I'll go ahead and close it.

Thanks

This topic is now closed to further replies.