I posted my problem on Garden Web Computer forum and was directed here for help by Ravencajun and Zeb.
Dell Vostro laptop, XP, Firefox, Malwarebytes, SuperAntispyware, Spywareblaster, Avast AV free.
Husbands laptop, was traveling and using hotspots and hotel wireless. Visiting a friend who copied our MAC address onto his server so we could access internet. Have no idea what that was but know the connection showed as unsecured.
Suddenly windows started opening saying harddrive failure, critical drive failure, no space on harddrive. A window opened which looked like a Windows window and began running a diagnostic scan which then said it found multiple problems and it would fix. Then Zone Alarm popped up saying WinHex was trying to reach the internet. In the beginning I didn't allow it but Googled WinHex and it appeared to be a legit program to rescue files (forensic program). It asked for $84.00 to try to save my files.
At that point I became suspicious and posted on Garden Web, Computer Forum asking if Win Hex was a legit program. Zep and Ravencajun told me my computer was infected and to come here for help.
My program File is empty. My desktop is empty of icons, Start button shows Docs (empty), Computer, Network connections. Nothing works. I tried getting to Control Panel to try and get Malwarebytes to work but it is dead. Avast will not update saying 'update failed.'
I have noticed others suffering the same fate. I'm not sure how to proceed. I was going to burn Malwarebytes on a disk and try to run it. I thought I'd ask for advice before I do anything more.
Thanks in advance,
Jane
Hi, Jane.
If you are unable to access the Internet on your husband's laptop in Safe Mode with Networking, it will be necessary to download them to your computer and transfer them to his laptop.
Please download RKill from one of the following links and save to your Desktop:
One (http://download.bleepingcomputer.com/grinler/rkill.exe), Two (http://download.bleepingcomputer.com/grinler/rkill.com),Three (http://download.bleepingcomputer.com/grinler/rkill.scr) or Four (http://download.bleepingcomputer.com/grinler/rkill.pif)
- Double-click rkill to run.
- A command window will open then disappear upon completion, this is normal.
- Please leave rkill on the Desktop until otherwise advised.
- Do NOT restart your computer after running rkill as the malware program(s) will start again.
Notes: If you you receive security warnings about rkill, please ignore and allow the download to continue.
Please download
Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware and
Launch Malwarebytes' Anti-Malware - Click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, be sure Quick scan is selected, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FMBAM_SR.png&hash=38adbab18bc0003ecf543fafb564e34dadece253) - Click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Please post contents of that file in your next reply.
** Note **If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click
OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
To make your files visible again, please download the following program to your desktop:
Unhide.exe (http://download.bleepingcomputer.com/grinler/unhide.exe)
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run.
This program will remove the +H, or hidden, attribute from all the files on your hard drives. It is important to note that if there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
Download
DDS.scr by sUBs from one of the following links and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)
- Double-Click dds.scr and a command window will appear. This is normal
- Shortly after two logs will appear, DDS.txt & Attach.txt
- A window will open instructing you save & post the logs
- Save the logs to a convenient place such as your desktop
- Copy the contents of both logs & post in your next reply along with the MBAM log.
Ran the scan. Three items show, none appear to be have System Restore in the line. Should I go ahead and hit 'remove?'
Yes, please ... unless you'd like to post them here for us to look at first ...
Went ahead and let MB remove. Downloaded DDS and Attach to my desktop. Not sure how to proceed. Should I attach those in a post or copy in a post? I'm not sure I know how to do that.
Jane
Not sure if this is the way to do it, but this is what I saved on my desktop.
Jane
Please post the MBAM log. If that window isn't open, you can find the log in one of the tabs at the top of MBAM (see picture that Corrine attached earlier). Use your mouse to paint the log, then copy/paste. (Forgive the title of this website, but the instructions are useful: http://www.dummies.com/how-to/content/how-to-cut-copy-and-paste-in-windows-xp.html )
You can also do that with the DDS logs that are saved to your desktop. Double click to open, then copy/paste.
I'll post your logs here so that everyone can look at them easily ... you did well. :D
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7321
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
7/29/2011 1:58:07 PM
mbam-log-2011-07-29 (13-58-07).txt
Scan type: Quick scan
Objects scanned: 187374
Time elapsed: 7 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\all users\application data\16375588.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\midumjvairisah.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/26/2008 9:07:56 PM
System Uptime: 7/29/2011 2:00:19 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0WY040
Processor: Intel Pentium III Xeon processor | Microprocessor | 2094/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 146 GiB total, 96.693 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP666: 5/1/2011 11:24:50 PM - System Checkpoint
RP667: 5/2/2011 12:59:01 AM - Software Distribution Service 3.0
RP668: 5/3/2011 1:07:48 PM - System Checkpoint
RP669: 5/13/2011 9:48:19 PM - Avg8 Update
RP670: 5/14/2011 12:57:36 AM - Software Distribution Service 3.0
RP671: 5/16/2011 1:18:05 PM - System Checkpoint
RP672: 5/18/2011 12:47:41 AM - System Checkpoint
RP673: 5/19/2011 1:44:34 AM - System Checkpoint
RP674: 5/20/2011 12:12:43 PM - System Checkpoint
RP675: 5/21/2011 1:10:04 PM - System Checkpoint
RP676: 5/24/2011 12:18:19 AM - System Checkpoint
RP677: 5/25/2011 11:37:42 PM - System Checkpoint
RP678: 5/27/2011 3:24:26 PM - System Checkpoint
RP679: 5/28/2011 7:47:40 PM - System Checkpoint
RP680: 5/30/2011 8:45:12 PM - System Checkpoint
RP681: 6/2/2011 11:57:15 AM - System Checkpoint
RP682: 6/3/2011 1:24:56 PM - System Checkpoint
RP683: 6/4/2011 2:17:13 PM - System Checkpoint
RP684: 6/5/2011 2:26:08 PM - System Checkpoint
RP685: 6/7/2011 12:16:37 PM - System Checkpoint
RP686: 6/8/2011 12:26:32 PM - System Checkpoint
RP687: 6/8/2011 3:40:36 PM - Software Distribution Service 3.0
RP688: 6/11/2011 12:24:47 AM - System Checkpoint
RP689: 6/12/2011 1:35:02 PM - System Checkpoint
RP690: 6/15/2011 9:43:47 PM - System Checkpoint
RP691: 6/16/2011 9:51:19 PM - System Checkpoint
RP692: 6/17/2011 10:16:55 PM - System Checkpoint
RP693: 6/21/2011 1:37:26 AM - Software Distribution Service 3.0
RP694: 6/21/2011 1:18:32 PM - Software Distribution Service 3.0
RP695: 6/23/2011 12:26:43 AM - System Checkpoint
RP696: 6/23/2011 11:06:54 PM - Installed Java(TM) 6 Update 26
RP697: 6/23/2011 11:18:24 PM - Software Distribution Service 3.0
RP698: 6/23/2011 11:26:34 PM - Removed Adobe Photoshop.com Inspiration Browser
RP699: 6/26/2011 12:21:27 AM - System Checkpoint
RP700: 7/28/2011 9:20:41 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop Elements 8.0
Adobe Reader 8.1.3
Advanced Audio FX Engine
Advanced Video FX Engine
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
Bonjour
Broadcom Management Programs
Browser Address Error Redirector
CCleaner (remove only)
CDDRV_Installer
ClearType Tuning Control Panel Applet
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Automated PC TuneUp
Dell DataSafe Online
Dell Support Center
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card
Digital Line Detect
Documents To Go
Epocrates Essentials
Epson Print CD
EPSON Printer Software
EZClaim Appointment Scheduler
FastStone Image Viewer 4.3
GoToAssist 8.0.0.514
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Image Resizer Powertoy for Windows XP
IntelliSonic Speech Enhancement
iTunes
Java Auto Updater
Java(TM) 6 Update 26
KhalInstallWrapper
KhalSetup
Laptop Integrated Webcam Driver (1.04.01.1011)
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Logitech SetPoint
Magnifier Powertoy for Windows XP
Malwarebytes' Anti-Malware version 1.51.1.1800
MDGUSB Drivers
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Basic 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Picture It! Library 10
Microsoft Picture It! Premium 10
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mobile Broadband Generic Drivers
Modem Diagnostic Tool
Mozilla Firefox (3.6.18)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
NetWaiting
NVIDIA Drivers
OGA Notifier 2.0.0048.0
OutlookAddinSetup
Palm
PC Pitstop Driver Alert 1.0
QuickSet
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
SearchAssist
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sentinel System Driver 5.41.1 (32-bit)
SpywareBlaster 4.4
SUPERAntiSpyware Free Edition
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
Verizon Wireless USB760 Firmware Updates
VZAccess Manager
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Desktop Search 3.01
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
ZoneAlarm
.
==== Event Viewer Messages From Past Week ========
.
7/29/2011 2:01:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor
.
==== End Of File ===========================
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by jane at 14:20:35 on 2011-07-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1374 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\jane\Desktop\unhide.exe
C:\WINDOWS\system32\attrib.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080321
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 167.206.251.130 167.206.251.129
TCP: Interfaces\{9B05F599-5C37-46C7-94C0-039941B98530} : DhcpNameServer = 167.206.251.130 167.206.251.129
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jane\application data\mozilla\firefox\profiles\xvd4mjom.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npampx3.0.84.2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg8\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-16 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-26 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-3-26 532224]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-16 297752]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-10-28 41272]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-11 14336]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-12-18 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-12-18 174720]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-24 03:13:48 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-04 08:52:22 472808 ---ha-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25:49 73728 ---ha-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ---ha-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 14:22:01.42 ===============
Many of my Program Files still show as 'empty.' I can't access Firefox only IE. My Documents folders are back as are My Pics. Zone Alarm shows on my task bar but shows empty in Programs Folder. Same with Avg.
Should I run AVG and a full MWB scan?
Jane
Jane, please run an online scan by ESET to see if it uncovers anything that has been missed.
Please go
here (http://www.eset.com/onlinescan/) to run an on-line scan from ESET.
- Note: It is easiest if you use Internet explorer for this scan. (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
- Turn off the real time scanner of any existing antivirus program while performing the online scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
- Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
- Click Scan
- Wait for the scan to finish
- Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
- Copy and paste that log as a reply to this topic.
Quote from: ejane on July 29, 2011, 07:18:10 PM
Many of my Program Files still show as 'empty.' I can't access Firefox only IE. My Documents folders are back as are My Pics. Zone Alarm shows on my task bar but shows empty in Programs Folder. Same with Avg.
Should I run AVG and a full MWB scan?
Jane
Did you run the "UnHide" program that Corrine mentioned?
As DDS reported "AV: AVG Anti-Virus Free *Enabled/
Outdated*", let's run the online ESET instead.
A full system scan by MBAM would be fine to do, just make sure you check for updates first.
AVG updated as soon as the virus was gone (it was being blocked from updating). I will run the online scan but can't find a way to shut off the real-time scanner unless I shut off AVG completely. Also Spywareblaster - should I shut if off?
Sorry to keep posting, I did run UNHIDE numerous times. The files are not appearing. It says to turn off my AV. I'm afraid to do that....should I?
Thanks,
Jane
No need to worry about SpywareBlaster, it doesn't really "run".
QuoteIt says to turn off my AV
What is "it"? The ESET scanner? If so, yes, you are OK as long as you only have the ESET window open, no other IE tabs. You can turn AVG back on once the ESET scan is done. It will take a while, you'll have time to grab some coffee.
If something else is requesting you turn off your AV, then don't do anything just yet.
Odd result with UnHide ... this will require some more research. Let's work on that once we get the other things sorted out.
Did your desktop return to your normal background?
Since you are now able to run MBAM, go ahead and run the full scan option (update first) once you get done with the ESET scanner.
Maybe I should do a restart to see if things return?
I wouldn't reboot until you do the ESET and MBAM scans. If the devil isn't exterminated, it will just come back and put you at square one again.
Scan finished...you were right it took a long time. It found three things.
Jane
Should I tell it to clean? I left it sitting there.
Thanks,
Jane
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17098 (vista_gdr.110420-1745)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=5162a968e101374b9964a0a7914b92bf
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-29 10:59:28
# local_time=2011-07-29 06:59:28 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 100104277 100104277 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 100 74 29293907 95444209 0 0
# scanned=102476
# found=3
# cleaned=0
# scan_time=5859
C:\Documents and Settings\felix\Local Settings\Application Data\Mozilla\Firefox\Profiles\e5kfsihl.default\Cache\7EAF09E1d01 JS/Exploit.Pdfka.OYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\felix\Local Settings\Temp\plugtmp-5\plugin-xteobtkqytfzct.pdf JS/Exploit.Pdfka.OYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\RECYCLER\S-1-5-21-3968902737-363820220-2249651152-1005\Dc27.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
Quote from: ejane on July 29, 2011, 11:46:43 PM
Should I tell it to clean? I left it sitting there.
Thanks,
Jane
No, let's see if a MBAM full scan finds anything.
I am sorry, I don't understand. Do I close the ESET? Do I run MBAM while ESET is still open?
Sorry to confuse you, it was 103 degrees here today, and my brain is fried ...
Go ahead and close ESET, we have a record of what it found. The Firefox item can be removed with another tool. In the meanwhile, I need to verify that your old version of AVG will be compatible with it.
Open MBAM, update it to see if a new definition file was released, and then perform a full system scan. You can have it remove anything it finds, whether in system restore or not.
Will do.
Jane
Hi, Jane.
Please copy/paste the logs in the reply box instead of attaching them. Thanks!
After scanning with MBAM, please post the results here as a reply. In addition, we need you to update AVG to the latest version so that we can have you move on to the next step. See http://www.landzdown.com/index.php/topic,239.msg125329.html#msg125329 for the latest update information.
Sorry about the attachment. I'm still having trouble finding things as many folders still appear empty. I was able to get to Program files after the scan. I'm working between two computers. Malwarebytes is still scanning, I will try to copy the results and paste here.
Thanks again,
Jane
No problem. Its just easier for us.
By the way, Winchester73 pointed out that the latest version of AVG is 2011. I know that version has been tested with the tool we'd like to use so if you're staying with AVG, please update to that version, available from
http://download.cnet.com/AVG-Anti-Virus-Free-Edition-2011/3000-2239_4-10320142.html?part=dl-10044820&subj=dl&tag=button&cdlPid=11014801
In the event you wish to use a different A/V solution, The following antivirus software programs are free for personal use.
avast! 6 Home Edition (http://www.avast.com/eng/download-avast-home.html)
Microsoft Security Essentials (http://www.microsoft.com/security_essentials/default.aspx)
Jane, so as not to confuse you, Corrine and I have been examining things behind the scenes, so don't look for a comment from me about AVG in your thread. :D
Here's the log.
I have no problem changing AV. Should I remove AVG? Another question, what happened to the 'stuff' ESET found? I never told it to remove.
7/29/2011 9:51:19 PM
mbam-log-2011-07-29 (21-51-19).txt
Scan type: Full scan (C:\|)
Objects scanned: 269027
Time elapsed: 56 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hi, Jane.
It is your choice as to whether you wish to keep AVG and update it to the latest version or switch to an alternate antivirus solution.
As to the findings by ESET, we'll take care of that with another tool after you've taken care of the antivirus. :)
Okay, I guess I'll update AVG. I have AVAST on my other computers (the sick one is my dh). If I switch Av's it will complicate things now.
Off to update.
Jane
Updated to AVG version 10.0.1390
Should I scan with this now?
AVG is still scanning. I see one virus listed. I am going to bed now, I'll let it finish overnight and check back with you in the morning.
Thanks,
Jane
Good morning! AVG ran and picked up one virus and fixed it.
Windows updates automatically went in and computer restarted. This morning, when turned on, there was Flash update which I installed. Program files show but are empty.
A bright note is no warnings about hard drive failure.
Jane
Hi, Jane. I'll be away most of the rest of the day and busy much of tomorrow but will do my best to check your log ASAP. Please do the following:
Please follow these instructions carefully.Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
!!! IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html).
Now, please run ComboFix:
- Note: If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
- Double-click ComboFix.exe on your desktop and follow the prompts.
- As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
- When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC1.png&hash=29e6fe1eb864e58b4b66611caa7d7b6be84a47f8)
- After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC2.png&hash=e111f6aa2d657579d44cabc5fb4258fd1dce26eb)
- Click "Yes" to continue scanning for malware.
- When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.
ComboFix Scan
ComboFix 11-07-29.03 - jane 07/30/2011 10:33:34.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1257 [GMT -4:00]
Running from: c:\documents and settings\jane\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\felix\GoToAssistDownloadHelper.exe
c:\documents and settings\jane\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-30 )))))))))))))))))))))))))))))))
.
.
2011-07-30 13:54 . 2011-07-30 13:54 -------- d-----w- c:\windows\LastGood
2011-07-30 03:06 . 2011-07-30 03:06 -------- d-----w- c:\documents and settings\jane\Application Data\AVG10
2011-07-30 03:05 . 2011-07-30 03:05 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-07-30 03:04 . 2011-07-30 03:07 -------- d-----w- c:\windows\system32\drivers\AVG
2011-07-30 03:04 . 2011-07-30 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-07-30 03:03 . 2011-07-30 03:03 -------- d-----w- C:\$AVG
2011-07-30 02:58 . 2011-07-30 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-07-29 21:15 . 2011-07-29 21:15 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-30 13:53 . 2011-06-24 03:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52 . 2009-10-28 05:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-02 14:02 . 2004-08-11 23:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 08:52 . 2010-06-06 04:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2008-03-27 03:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2004-08-11 23:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NVHotkey"="nvHotkey.dll" [2008-01-29 86016]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-04-11 56080]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-29 8491008]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"nwiz"="nwiz.exe" [2008-01-29 1626112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-11-01 05:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check(3).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check(3).lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check(3).lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^felix^Start Menu^Programs^Startup^Microsoft Picture-.lnk]
path=c:\documents and settings\felix\Start Menu\Programs\Startup\Microsoft Picture-.lnk
backup=c:\windows\pss\Microsoft Picture-.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^felix^Start Menu^Programs^Startup^Picture-It Library.lnk]
path=c:\documents and settings\felix\Start Menu\Programs\Startup\Picture-It Library.lnk
backup=c:\windows\pss\Picture-It Library.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-09 23:57 16384 -c--a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R2880]
2007-11-16 11:00 185856 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICXA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 18:06 290088 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-01-29 21:14 81920 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoshopElements8SyncAgent]
2009-09-06 10:07 1893728 ----a-w- c:\program files\Adobe\Elements Organizer 8.0\ElementsOrganizerSyncAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-01-01 02:14 274608 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"CiSvc"=3 (0x3)
"Bonjour Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 8:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 4:03 PM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 12:59 AM 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 10:33 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 9:28 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 7:53 AM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 7:53 AM 27216]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]
S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/6/2009 6:06 AM 169312]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/11/2004 7:00 PM 14336]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [12/18/2009 12:13 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [12/18/2009 12:12 PM 174720]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGIDSEH
*NewlyCreated* - AVGLDX86
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3968902737-363820220-2249651152-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-07-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3968902737-363820220-2249651152-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-06-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3968902737-363820220-2249651152-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-06-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3968902737-363820220-2249651152-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 167.206.251.130 167.206.251.129
FF - ProfilePath - c:\documents and settings\jane\Application Data\Mozilla\Firefox\Profiles\xvd4mjom.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-30 10:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16?*Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer*??????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1100)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-07-30 10:42:18
ComboFix-quarantined-files.txt 2011-07-30 14:42
.
Pre-Run: 102,824,648,704 bytes free
Post-Run: 102,995,574,784 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 790816EB38EF8B8D7ADC314A28582651
Hi, Jane.
I'm slipping in between events! Please let us know in your next reply if your files are accessible now.
You have an outdated, vulnerable version of Adobe Reader installed. Install the latest version of Adobe Reader from http://www.adobe.com/products/reader/
Next we'll take care of what ESET found in the scan:
Custom CFScript
Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK). Copy/Paste all of the text present inside the code box below:
Firefox::
FF - ProfilePath - c:\documents and settings\jane\Application Data\Mozilla\Firefox\Profiles\xvd4mjom.default\
FF - C:\Documents and Settings\felix\Local Settings\Application Data\Mozilla\Firefox\Profiles\e5kfsihl.default\Cache\7EAF09E1d01
File::
C:\Documents and Settings\felix\Local Settings\Temp\plugtmp-5\plugin-xteobtkqytfzct.pdf
- Save this as CFScript.txt and place it on your desktop.
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_CFScript.gif&hash=19cdd291c9ded999b7ed69b7a82ebed7c9d0ab01)
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Running scan but want to comment ZA keeps popping us asking for permission to let various things reach the internet. It keeps stopping the scan. I have 'allowed' but don't know if it is safe too. I copied down one item: pev.cfxxe
I'll post the log when finished.
Jane
Here's the scan. It took so long because of ZA (see above) and then AVG started up again and kept sending warnings of various virus. I told it to ignore.
ComboFix 11-07-29.03 - jane 07/30/2011 11:33:50.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1337 [GMT -4:00]
Running from: c:\documents and settings\jane\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jane\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\documents and settings\felix\Local Settings\Temp\plugtmp-5\plugin-xteobtkqytfzct.pdf"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\felix\Local Settings\Temp\plugtmp-5\plugin-xteobtkqytfzct.pdf
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-30 )))))))))))))))))))))))))))))))
.
.
2011-07-30 13:54 . 2011-07-30 13:54 -------- d-----w- c:\windows\LastGood
2011-07-30 03:06 . 2011-07-30 03:06 -------- d-----w- c:\documents and settings\jane\Application Data\AVG10
2011-07-30 03:05 . 2011-07-30 03:05 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-07-30 03:04 . 2011-07-30 03:07 -------- d-----w- c:\windows\system32\drivers\AVG
2011-07-30 03:04 . 2011-07-30 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-07-30 03:03 . 2011-07-30 03:03 -------- d-----w- C:\$AVG
2011-07-30 02:58 . 2011-07-30 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-07-29 21:15 . 2011-07-29 21:15 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-30 13:53 . 2011-06-24 03:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52 . 2009-10-28 05:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-02 14:02 . 2004-08-11 23:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 08:52 . 2010-06-06 04:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2008-03-27 03:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2004-08-11 23:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-30_14.38.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-30 15:25 . 2011-07-30 15:25 2295808 c:\windows\Installer\5438d6.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NVHotkey"="nvHotkey.dll" [2008-01-29 86016]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-04-11 56080]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-29 8491008]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"nwiz"="nwiz.exe" [2008-01-29 1626112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-11-01 05:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check(3).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check(3).lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check(3).lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^felix^Start Menu^Programs^Startup^Microsoft Picture-.lnk]
path=c:\documents and settings\felix\Start Menu\Programs\Startup\Microsoft Picture-.lnk
backup=c:\windows\pss\Microsoft Picture-.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^felix^Start Menu^Programs^Startup^Picture-It Library.lnk]
path=c:\documents and settings\felix\Start Menu\Programs\Startup\Picture-It Library.lnk
backup=c:\windows\pss\Picture-It Library.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-09 23:57 16384 -c--a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R2880]
2007-11-16 11:00 185856 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICXA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 18:06 290088 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-01-29 21:14 81920 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoshopElements8SyncAgent]
2009-09-06 10:07 1893728 ----a-w- c:\program files\Adobe\Elements Organizer 8.0\ElementsOrganizerSyncAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-01-01 02:14 274608 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"CiSvc"=3 (0x3)
"Bonjour Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 8:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 4:03 PM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 12:59 AM 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 10:33 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 9:28 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 7:53 AM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 7:53 AM 27216]
S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/6/2009 6:06 AM 169312]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/11/2004 7:00 PM 14336]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [12/18/2009 12:13 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [12/18/2009 12:12 PM 174720]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGIDSEH
*NewlyCreated* - AVGLDX86
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3968902737-363820220-2249651152-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-07-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3968902737-363820220-2249651152-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-06-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3968902737-363820220-2249651152-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-06-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3968902737-363820220-2249651152-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 167.206.251.130 167.206.251.129
FF - ProfilePath - c:\documents and settings\jane\Application Data\Mozilla\Firefox\Profiles\xvd4mjom.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-30 12:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16?*Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer**Spammer*??????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1100)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-07-30 12:38:14
ComboFix-quarantined-files.txt 2011-07-30 16:38
ComboFix2.txt 2011-07-30 14:42
.
Pre-Run: 102,709,239,808 bytes free
Post-Run: 102,677,151,744 bytes free
.
- - End Of File - - C4FE8BB3C97BFB185D552D7BE79CEA27
Jane
Hi, Jane. Sorry I wasn't here to reassure you and suggest that you disable Zone Alarm while scanning with ComboFix. The file ZA was warning you about is a legitimate file that is part of the intricate workings of ComboFix.
If you aren't seeing the contents of Program Files, delete the copy of Unhide.exe you previously obtained and download a fresh copy in case the infection interfered.
Unhide.exe (http://download.bleepingcomputer.com/grinler/unhide.exe)
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run.
This program will remove the +H, or hidden, attribute from all the files on your hard drives. It is important to note that if there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
How is your computer now?
Please don't apologize, you should be enjoying your weekend!
A few things I need to explain. This computer (husbands) has 2 log-ons - me and his. Everything I have done to this point was through my log-on. I couldn't do anything through his name because i kept getting popups stating 'hard-drive failure, critical failure, etc.) It kept running a scan and I couldn't do a thing to stop it. When I logged on under my name I didn't have that happening. The folders were empty but I could open IE and follow your directions. As of now, some folders say 'empty' but others, like My Pics and Docs have folders and files. Program files still show as empty but I can get to them through My Computer and opening them there. So something has worked.
I just got home and tried to log on under his name and the screen is blank except for the Start button - no icons. When I open Start, IE is there but says 'Internet Explorer without add-ons.' I clicked on it and got Cannot Display Page. I noticed the address bar had Firefox address in it, not IE. Very weird. I am connected to the internet and can get on through my log-on but not his.
AVG started scanning and I will let it finish. I will then log off his name and log on myself and follow your directions.
I'm starting to feel hopeless about this infection.
Jane
Sorry to post again, just wanted to update. I am able to connect to a website by typing the address in the address bar. When I open IE I get 'cannot display page' but FF address is in the address bar. I delete it and can type in this address and get here. I don't know why FF shows in the IE address bar but it does but doesn't go anywhere.
Avg finished and said it didn't find anything. I think I'll try typing Mozilla in the address bar and downloading it. I'll wait until I hear back
Jane
Can't seem to get Unhide to work under husbands log on. The screen just sits blinking. His folders are all empty. I can only shut off AVG for 15 mins at a time. Please advise.
Thanks,
Jane
Ignore previous post, got it to work. Desktop appeared.
Ran Malwarebytes and it shows 2 infections:
PUM.Hijack.Display Properties
PUM.Hijack.Task Manager
I assume I should let it remove?
Jane
Ran ESET Scan again and it found:
C:\Qoobox\Quarantine\C\Documents and Settings\felix\Local Settings\Temp\plugtmp-5\plugin-xteobtkqytfzct.pdf.vir JS/Exploit.Pdfka.OYH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP706\A0153849.exe Win32/RegistryBooster application deleted - quarantined
Computer seems to be running well.
Jane
Hi, Jane.
Based on what ESET found, it doesn't appear that you have removed ComboFix yet. I'll repeat the instructions here so you won't have to search for them.
Please do the following to implement cleanup procedures and also to reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Did not see where that was explained. Sorry if I missed that. It is now uninstalled.
Jane
Good job!
Do I need to do anything else?
Jane
Jane, how are things now? Everything back to normal?
Seems to be running fine. Should I run some other scans? How about System Restore - clean out restore points? I'm afraid to trust the computer is clean
Good news.
My preference in general is to leave the restore points alone. It's doubtful that you'll ever need them, but once they are gone they are gone. The restore points will drop out automatically as new ones are created.
However, some people prefer to eliminate them. Here's some Microsoft info on how to do that: http://support.microsoft.com/kb/555367
In your case, that's why Corrine double-checked you had uninstalled ComboFix. As part of its magic, it takes care of infected restore points.
As for what to do now ...
I'd keep the free version of MBAM installed, it's a good on demand scanner. The paid version has some additional features if you choose to go that route. Update and run a scan periodically to see if you have picked anything up.
To check if your system is missing security updates or has insecure applications, install Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) on your computer or, alternatively, visit http://secunia.com/software_inspector/ and run an online version . The Secunia Software Inspector runs through your browser with no installation or download required and does the following:
- Detects insecure versions of applications installed
- Verifies that all Microsoft patches are applied
- Assists you in updating your system and applications
The PSI is more thorough, but can also be a bit confusing to use. The OSI is a good tool for most folks.
Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html
Corrine and I both recommend WinPatrol, a security program which includes the features described at http://www.winpatrol.com/features.html
There is also a support subforum for WinPatrol here at LandzDown should you have any questions about WP.
Both SpywareBlaster and WinPatrol are free, although there is a pay option for auto-updating SB and for the PLUS version of WP. Neither of these will interfere with what you currently have installed. Layered protection is particularly good with older Windows operating systems like XP.
I already installed all you mentioned. Should I run scans now to make sure nothing shows?
Jane
Sure, why not ... :D
I'd do a complete shutdown first, before you run any scans. Not just a restart ... I'd have Windows boot from the off position. That way if anything is lurking in the background, it will pop its ugly head up.
Let us know how things go.
Quote from: ejane on August 01, 2011, 06:33:40 PM
How about System Restore - clean out restore points?
Prior to running, ComboFix creates a fresh restore point. Then, System Restore points are reset as part of the process of uninstalling ComboFix. Thus, the infected restore points are flushed from the system, leaving a clean point.
One thing to understand about System Restore is that it is not an endless repository. As Winchester73 indicated, the restore points will drop out automatically as new ones are created. Even if System Restore wasn't flushed, the only danger would be restoring to an infected point and having to re-do the cleaning process.
As a "learning" for the future, I recommend creating a fresh restore point prior to making any changes to the computer. However, if you wish to "clean up", I recommend the Disk Cleanup tool which helps you free up space on your hard disk by searching your disk for files that you can safely delete. You can choose to delete some or all of the files. It can also be used to clear all but the most recent System Restore point.
First, create a fresh restore point:
1. Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
2. Click Create a Restore Point, and then click Next.
3. Name your restore point. (i.e., clean)
4. Click the Create button.
5. When the new restore point has been created, click Close.
Now select the files to be removed as well as all but the new restore points:
- Click start-->Run and type cleanmgr into the run box and then click "OK".
- Select the drive where Windows is installed (if you have more than one drive) and click "OK".
- When the scan completes, check/uncheck desired boxes.
- Next, please click the More Options tab at the top.
- Click the "Clean up..." button under the System Restore section at the bottom.
- Answer Yes to the question "Are you sure you want to delete all but the most recent restore point?".
- Click OK and answer Yes again.
The disk clean up utility will remove the selected items. When it completes, restart the computer to properly record the changes made to the hard disk.
Ran ESET again and it was clean but shows two entries in quarantine. What do you recommend?
Jane
Jane ...
Can you tell us the filepath that ESET reports the quarantine? I wonder if it is your AVG? If so, you'll have to flush them within the anti-virus, unless the ESET scanner gives you the option to do it.
The items in quarantine won't spring back to life, but yes they should be deleted from the computer just to close the loop.
Over the course of the next few days, reboot the computer a few times, and check both of your user log-ons to make sure everything is working normally again. As the ad says, we'll leave the light on for you.
Ha, very cute! Well I'm back, here's what I copied from AVG virus vault.
"Infection";"Virus found JS/Downloader.Agent";"C:\Documents and Settings\felix\Local Settings\Temporary Internet Files\Content.IE5\5MEP9SP9\global[1].js";"N/A";"7/29/2011, 11:55:00 PM""Infection";"Virus found JS/Downloader.Agent";"C:\Documents and Settings\felix\Local Settings\Temporary Internet Files\Content.IE5\5MEP9SP9\global[1].js";"N/A";"7/29/2011, 11:55:00 PM"
I'll don't know how to find the log from ESET. When I closed it it disappeared. I think it said 'restore' in the file path. That's why I asked about Restore.
Can you tell me if ESET makes a log or should I scan again.
Sorry to be such a pest, but I'm not sure what to do.
Thanks so much,
Jane
You are NOT a pest! You are asking good questions.
The ESET log should be located at C:\Program Files\Eset\Eset Online Scanner\log.txt however, if what it found was in the virus vault, you can just empty the vault. Here's the instructions from AVG regarding the virus vault: I h ave some files in the AVG Virus Vault. What next? (http://www.avg-antivirus.com.au/avg_technical_faq_virus_vault.htm#19._I_have_some_files_in_the_AVG_Virus_Vault._What_next__).
One other thing I thought of ... let's run Oldtimer's
TFC (Temp File Cleaner).
TFC will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB).
TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail.
Download
TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- First, save any files as TFC will close ALL open programs including your browser. Close all open windows.
- Double-click on the TFC.exe on your desktop to run the program.
- It will close all programs itself when run, make sure to let it run uninterrupted to completion.
- Click the Start button to begin the process. The program should not take long to finish its job.
- Once it is finished it should reboot your machine on its own. If not, do this yourself to ensure a complete clean
Thanks for getting back. I uninstalled ESET and hopefully it took along the virus. I read the info on AVG and will wait a few days and will empty that.
I ran CCleaner and emptied that. Did a registry clean (CCleaner).
I will do the TFC.
I cleaned out a lot of junk (I never use his computer) and shut off a bunch of start-ups, what a mess! I installed WinPatrol, Secunia. Will remove AVG later this week and install AVAST.
The computer seems to be running well. He promised to remove some of the zillion photos and music he has on there.
The only thing which isn't working is the printer. I reinstalled the drivers and will fool with it later this week (have company coming for 3 days so will be busy).
I can't tell you how thrilled I am with the help you provided. I wish there was a way to contribute for your time and help. I will change Win Patrol and Secunia to the paid versions as a contribution. I hope there is some other way I can contribute.
Thank you so much!
Jane
Jane ...
I run ESET's NOD32 on my primary machine, but use the free AVAST 6 on the others, and can recommend it to you with confidence.
I also use CCleaner, but generally don't recommend it for people unfamiliar or uncomfortable with what it can do. It sounds like you are a regular user, however I would suggest you use the registry cleaner section very carefully. TFC might not find much that CCleaner has missed, but it won't hurt to run it.
Back to school time sales are a great excuse to get your husband a large capacity USB thumb drive to store his photos and music. Then he will have a backup should something go wonky with his computer or its internal hard drive.
QuoteI will change Win Patrol and Secunia to the paid versions as a contribution.
I think you meant SpywareBlaster rather than Secunia :D
Now that things are back to normal, don't be a stranger. Feel free to peruse the Lounge section for some relaxing topics, or check out the various updates sections where the moderators post information on new releases and updates to various programs.