> [Resolved] infected, infected
111mike
post Jul 7 2009, 10:18 AM
Post #1


Authentic Member
**

Group: Authentic Member
Posts: 47
Joined: 23-March 05
Member No.: 28,454
Operating System: xp



Hello,

Hate to bother you again so soon, but I have another friend's computer here that I think may be infected. It's got the usual symptoms (slow, security pop-ups, etc...) and can't access the internet. Not sure what's up with the inability to access internet though, sometimes it works, sometimes it doesn't (I hate Vista).


Any help is greatly appreciated,
Thank you very much,
mike
OCD
post Jul 7 2009, 02:26 PM
Post #2


SuperMember

Group: Senior Class
Posts: 1,739
Joined: 19-June 06
From: Suncoast Florida
Member No.: 57,193
Operating System: Windows XP SP3





Hello 111mike,
Welcome to What the Tech.
My name is OCD, I will be helping you today.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

Before we can make an assessment as to a course of action you will need to provide me with a HijackThis log.
If you are unable to download HijackThis to the infected computer please use another computer and download HJT
to a thumb drive or a CD, transfer it to the infected computer and generate a log for review.

- - - - - Next - - - - -

Download HijackThis from http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe .
  • Choose the default location of C:\Program Files\Trend Micro\HijackThis as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Click the Install button.
  • Accept the license agreement.
  • The program will place a shortcut on your desktop. This will make it easier for you to access the tool when required.
  • Click Do a system scan and save a log file. A Notepad file will open.
  • To post the text, first you must highlight the entire text and then press the (Ctrl+C) keys which copies it to your clipboard.
  • Now paste the log into this thread using the (Ctrl + V) buttons.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • HijackThis log
  • Tell me how your computer is running at the moment.
111mike
post Jul 7 2009, 03:04 PM
Post #3


Computer isn't running too badly. Finally got it connected to net. Not sure if inability to hook to net is virus related or not. Ran Spybot and Mbam, deleted several infections including a few false windows security alerts.

Here's the log

thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:52 PM, on 6/2/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16764)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5453E
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5453E
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GT5453E
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8732 bytes
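As an added illustration (not part of the original thread, and not a What the Tech or Trend Micro tool), the Python script below parses a HijackThis log of the kind posted above into section entries and marks the few that merit a closer look before anything is fixed. The rule names, the list of trusted install roots on drive C:, and the `(no file)` / `(file missing)` markers are assumptions of this example; the last two sample entries are constructed.

```python
import re
from typing import NamedTuple

# The first seven entries are copied from the log in this thread. The last two
# (the O3 "(no file)" toolbar and the second O1 Hosts line) are constructed.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: ::1 localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O1 - Hosts: 192.0.2.10 example.test
"""

# A log entry is "<section code> - <body>"; header and process lines do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# First drive-rooted path to an executable module inside an entry body.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|scr)\b", re.I)

# Assumption: Windows is installed on C:. A trusted root only lowers priority,
# it does not prove that a file is legitimate.
TRUSTED_ROOTS = (
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
    "c:\\progra~1\\", "c:\\progra~2\\",
)

REASONS = {
    "appinit": "AppInit_DLLs is non-empty: listed DLLs load into every process that loads user32.dll",
    "hosts": "Hosts file maps a name other than localhost",
    "orphan": "registration points at a missing file",
    "location": "module lives outside Windows / Program Files: confirm what installed it",
}


class Entry(NamedTuple):
    code: str
    body: str


def parse_log(text):
    """Return every section entry (R*, F*, N*, O*) in the log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def triage(entries):
    """Return (entry, reason_key) pairs for entries that deserve manual review."""
    findings = []
    for e in entries:
        low = e.body.lower()
        value = e.body.partition(":")[2].strip()   # text after "Hosts:" / "AppInit_DLLs:"
        if e.code == "O20" and low.startswith("appinit_dlls:") and value:
            findings.append((e, "appinit"))
        elif e.code == "O1" and low.startswith("hosts:"):
            names = value.split()[1:]               # skip the IP address field
            if any(n.lower() != "localhost" for n in names):
                findings.append((e, "hosts"))
        elif low.endswith(("(no file)", "(file missing)")):
            findings.append((e, "orphan"))
        else:
            m = PATH_RE.search(e.body)
            if m and not m.group(0).lower().startswith(TRUSTED_ROOTS):
                findings.append((e, "location"))
    return findings


if __name__ == "__main__":
    for entry, key in triage(parse_log(SAMPLE_LOG)):
        print(f"[{entry.code}] {entry.body}\n      -> {REASONS[key]}")
```

A flagged entry is a prompt to identify the file, not a verdict; entries with relative paths such as `RtHDVCpl.exe` are not location-checked here.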
111mike
post Jul 7 2009, 11:12 PM
Post #4


I should add that I ran Spybot and Mbam soon after my original post and before your reply. Hope that didn't screw up your diagnostic procedures. Will wait for further instructions.

thanks,
OCD
post Jul 8 2009, 11:17 AM
Post #5


Hello 111mike,
  • You may want to print out these instructions for reference prior to proceeding.
  • This solution is specifically tailored for this particular problem, please do not attempt to use this solution on another computer.
  • If you have any questions, or are uncertain about any steps please ask 'before' proceeding.
- - - - - Next - - - - -

Please tell me what Firewall you currently have installed and are using for protection.

- - - - - Next - - - - -

Disable SpyBot's Tea Timer
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident TeaTimer (Protection of overall system settings) active" box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
- - - - - Next - - - - -

Please download ATF Cleaner by Atribune.
Download - http://www.nutnworks.com/downloads/ATF_Cleaner.exe
  • Right Click ATF-Cleaner.exe and select "Run As Administrator" to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

- - - - - Next - - - - -

You stated in your opening that you ran Malwarebytes and it removed some entries.

Please open MBAM, go to the Logs tab and locate your previous scan's log and post it.
(The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.)
If you no longer have the log, please re-run Malwarebytes by following the steps below.

Right Click mbam-setup.exe and select "Run As Administrator" to install the application.
  • Make sure a check mark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. << Don't forget this!
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    (The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.)
  • Copy and Paste the entire report in your next reply.
- - - - - Next - - - - -

Please download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Right Click DDS icon and select "Run As Administrator" to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • MBAM log
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
  • Answer firewall question from above
111mike
post Jul 8 2009, 04:53 PM
Post #6


This is a friend's computer. I'm not sure if it's running any firewall at all. All I can find is AVG antivirus and the default Windows firewall. Unless I'm missing something. It also has some sort of a Norton scanner, but I'm fairly certain it's not a firewall.

I've included both the original Mbam log and the new.

Thanks

OLD SCAN


Malwarebytes' Anti-Malware 1.38
Database version: 2387
Windows 6.0.6000

6/2/2009 11:20:03 AM
mbam-log-2009-06-02 (11-20-03).txt

Scan type: Quick Scan
Objects scanned: 76533
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ieupdates.exe.tmp (Adware.Agent) -> Quarantined and deleted successfully.



NEW SCAN



Malwarebytes' Anti-Malware 1.38
Database version: 2396
Windows 6.0.6000

6/3/2009 3:32:12 PM
mbam-log-2009-06-03 (15-32-12).txt

Scan type: Quick Scan
Objects scanned: 77073
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






DDS (Ver_09-06-26.01) - NTFSx86
Run by sister at 15:37:31.84 on Wed 06/03/2009
Internet Explorer: 7.0.6000.16764
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.894.266 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\sister\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5453E
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5453E
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5453E
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} -
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\users\sister\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-3 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-3 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-4 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-3 298776]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-6-1 1153368]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-3-6 29744]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-06-02 13:53 <DIR> --d----- c:\program files\Trend Micro
2009-06-02 11:12 <DIR> --d----- c:\users\sister\appdata\roaming\Malwarebytes
2009-06-02 11:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-02 11:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 11:12 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-02 11:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-02 11:12 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-02 10:59 <DIR> --d----- c:\program files\CCleaner
2009-06-01 20:17 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-06-01 20:17 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-01 20:17 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy

==================== Find3M ====================

2009-06-04 13:33 620 a------- c:\users\sister\appdata\roaming\wklnhst.dat
2009-05-08 08:25 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-03 18:50 86,016 a------- c:\windows\inf\infstrng.dat
2009-02-03 18:50 51,200 a------- c:\windows\inf\infpub.dat
2009-02-03 18:50 86,016 a------- c:\windows\inf\infstor.dat
2008-12-11 04:19 174 a--sh--- c:\program files\desktop.ini
2008-06-11 03:10 665,600 a------- c:\windows\inf\drvindex.dat
2008-02-11 15:09 32 a----r-- c:\programdata\hash.dat
2008-02-11 15:09 32 a----r-- c:\progra~2\hash.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:38:50.06 ===============




Attached File(s)
Attached File  Attach.txt ( 2.98K ) Number of downloads: 14
OCD
post Jul 9 2009, 10:45 AM
Post #7


111mike,

You have/had Limewire, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm

If you wish to keep it, please do not use it until your computer is cleaned.

I would recommend that you uninstall Limewire, however that choice is up to you.

- - - - - Next - - - - -

Your log shows signs of Norton or Symantec Products on your computer. Do you use these anymore?
If not please follow these instructions:

Remove Norton or Symantec Products

Note : You should first attempt to remove your Norton/Symantec product using Add/Remove Programs in the Windows Control Panel (Programs and Features, in Windows Vista). This is the best method.

Uninstall anything with Norton or Symantec in the name

After uninstalling using Windows Add/Remove Programs, run the Norton Removal Tool to ensure successful removal of all Norton references.

If no entries are present in the Windows Add/Remove Programs you still need to run Norton Removal Tool below.

Please go to http://service1.symantec.com/Support/tsgen...005033108162039 and select the product you have

  • Download the Norton Removal Tool.
  • Save the file to the Windows desktop.
  • On the Windows desktop, double-click the Norton Removal Tool icon.
  • Follow the on-screen instructions.
    Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.
- - - - - Next - - - - -

Please go to Start Menu > Control Panel > Add/Remove Programs
Scroll Down and locate the following programs:
  • Norton or Symantec (any product with Norton or Symantec in the name)
  • LimeWire
  • Java™ SE Runtime Environment 6

Select each one of the programs, then select remove.
(if the program is not listed don't be alarmed, just continue with the list)

Exit the Control Panel when finished.

- - - - - Next - - - - -

Please locate the file in red and delete it. Please be sure to only delete the file that is designated.
(Not the folder they are contained in)
  • c:\users\sister\appdata\roaming\wklnhst.dat
- - - - - Next - - - - -

I need you to run the following scan: Eset Online Scanner
You will need Internet Explorer to run this scan.
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • ESET log.txt
  • Tell me how your computer is running at the moment.
111mike
post Jul 9 2009, 05:25 PM
Post #8





Hello,

1. Can't do anything about Limewire, it's a friend's computer. I will explain to them though the risk of getting further infections.

2. Removed Norton System Scan via Add Remove Programs. Removed Java. However, I couldn't use The Norton Removal Tool because I had already removed Norton software and did not know which version to select on the removal tool web site. I think it needed the product key anyway, which I do not have.

3. There is no c:\users\sister\appdata\roaming\wklnhst.dat. In fact, there is no appdata folder at all. As far as I can tell the path is c:\users\sister\roaming\Microsoft\Internet Explorer\Quick Launch

4. Also, I ran ESET. There was no details tab. I ran it again just to make sure. Maybe I missed it. At any rate, no infections were found either time.


Other than that, computer seems to be running up to speed. No problems. Able to access Internet normally. No pop ups and such.

thanks,
OCD
post Jul 10 2009, 04:22 AM
Post #9







111mike,

QUOTE
1. Can't do anything about Limewire, it's a friend's computer. I will explain to them though the risk of getting further infections.

OK, but please refrain from using Limewire until after we are finished.

QUOTE
3. There is no c:\users\sister\appdata\roaming\wklnhst.dat. In fact, there is no appdata folder at all.

I should have been clearer with my instructions. The path is most likely:
c:\users\sister\application data\roaming\wklnhst.dta

QUOTE
4. Also, I ran ESET. There was no details tab. I ran it again just to make sure. Maybe I missed it. At any rate, no infections were found either time.

Please navigate the following path to locate the ESET log.
C:\ProgramFiles\EsetOnlineScanner\log.txt

- - - - - Next - - - - -

So please continue with these steps:

Enable the Viewing of Hidden files, please follow these steps:
  • Open Folder Options by clicking the Start button,
  • Clicking Control Panel > Appearance and Personalization, and then > Folder Options
  • Click the View Tab > Under Advanced Settings, click Show hidden files and folders, and then click OK.
- - - - - Next - - - - -

Please locate the file in red and delete it. Please be sure to only delete the file that is designated.
(Not the folder they are contained in)
  • c:\users\sister\application data\roaming\wklnhst.dta
- - - - - Next - - - - -

Please navigate the following path to locate the ESET log.
C:\ProgramFiles\EsetOnlineScanner\log.txt

- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • ESET log.txt
  • Tell me how your computer is running at the moment.


This post has been edited by OCD: Jul 10 2009, 04:38 AM
111mike
post Jul 10 2009, 09:56 AM
Post #10





ok, deleted file: c:\users\sister\application data\roaming\wklnhst.dta


Can't access Eset log. Get this error message:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - delete file error:Access is denied.

OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process.

OnlineScanner.ocx - registred OK


I'm fairly certain it's not being used by anything else.

thanks,
OCD
post Jul 10 2009, 09:34 PM
Post #11







111mike,

Please try this scanner by Kaspersky.
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.



Please do a scan with Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

  • Once the scan is complete, click on View scan report. To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar
  • In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.


Animated tutorial
http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419

- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • Kaspersky log
  • Tell me how your computer is running at the moment.

111mike
post Jul 11 2009, 10:32 AM
Post #12





Here ye be,


KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, June 6, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 11, 2009 08:23:43
Records in database: 2459548


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics
Files scanned 138299
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 01:52:07

No malware has been detected. The scan area is clean.
The selected area was scanned.


thanks
OCD
post Jul 12 2009, 02:43 AM
Post #13







111mike,

Congratulations, your computer is clean.

We have a few items to take care of before we get to my "All Clean Speech"

Enable SpyBot's Tea Timer
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Check the "Resident TeaTimer (Protection of overall system settings) active" box.
  • Click on the "System Startup" icon in the List
  • Check the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
- - - - - Next - - - - -

Consider changing your Firewall to one that provides better protection than the Windows Firewall you are currently using.
Here are a few FREE ones:
  • Please download one (1) of the firewalls below, but do not install it just yet.
  • After you have downloaded the new firewall, disable the Windows firewall.
  • Then install the newly selected firewall.

Firewall:
- - - - - Next - - - - -

Your Adobe Reader is out of date.
Please go to http://get.adobe.com/reader/ and download Adobe Reader 9.
Follow the instructions to install Adobe Reader.

- - - - - Next - - - - -

Your Java is outdated.
Please follow these steps to remove any older version Java components we may have missed.
  1. Close any programs you may have running, ESPECIALLY your web browser
  2. Click Start > Control Panel.
  3. Click Add/Remove Programs.
  4. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  5. Click the Remove or Change/Remove button.
  6. Repeat as many times as necessary to remove all versions of Java.
  7. Reboot your computer once all Java components are removed.

Then download the latest version of Java, which is Version 6 Update 14, and click Yes at the page warning. Under "Platform" select Windows, then check the box to accept the Licence Agreement. Click Yes at the second page warning before downloading the Offline file.
There is no need to download the Sun Download Manager, but it is optional.

- - - - - Next - - - - -

Here comes the "All Clean Speech":

Now that your log is clean, you need to set a new clean System Restore Point

Create a new Restore Point
  • Click on the Start button to open your Start Menu.
  • Click on the Control Panel menu option.
  • Click on the System and Maintenance menu option.
  • Click on the System menu option.
  • Click on System Protection in the left-hand task list.
  • To create the manual restore point, click on the Create button. When you press this button a prompt will appear asking you to provide a title for this manual restore point.
  • Type in a title for the manual restore point and press the Create button.
  • Close the System window after you have been advised that the procedure has been successfully completed.
- - - - - Next - - - - -

Clear your existing system restore points except for the new clean restore point you just created:
  • Go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Next to System Restore click Clean up
  • This will remove all restore points except the new one you just created.
- - - - - Next - - - - -

Delete the Contents of the Temporary Internet Files Folder:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
  • Click OK
- - - - - Next - - - - -

Automatic Updates:

The easiest way to ensure you don't miss any of the critical Windows Updates is to set your computer up to receive Automatic Updates.
To set your computer up for Automatic Updates please do the following:
  • Click Start, and then click Control Panel.
  • Depending on which Control Panel view you use, Classic or Category, do one of the following:
    • Click System, and then click the Automatic Updates tab.
    • Click Performance and Maintenance, click System, and then click the Automatic Updates tab.
  • Select Automatic and choose a frequency and time that's convenient for you to get the updates.
  • Click Apply, then OK
  • Close the Control Panel.
- - - - - Next - - - - -

Here are some tips to reduce the potential for spyware infection in the future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Simple and easy ways to keep your computer safe and secure on the Internet

Alternate Browsers - If you are currently using Internet Explorer you might want to consider changing over to Firefox.
Firefox is one of the most popular alternate browsers. - Mozilla Firefox

Update your AntiVirus Software - You are using AVG8 as your anti virus software. It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - You are using Windows Firewall (unless you changed to one of the suggested ones above). I cannot stress how important it is that you keep the Firewall on your computer active at all times. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Using IE-SPYAD to help block unwanted sites and activities

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer always has the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update all security programs regularly - Make sure you update all the programs regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Remember to have only one (1) Firewall and one (1) Anti-Virus program running at any one time.

I would also suggest you read "So how did I get infected in the first place?" by Tony Klein

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
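The Internet Explorer Internet-zone settings recommended in the post above can be verified without clicking through the dialog. The following PowerShell is an added example, not part of the original thread: it assumes the standard per-user zone registry key and Microsoft's documented URL action IDs, the function name `Get-InternetZoneAudit` is hypothetical, and it only reads values.

```powershell
# Added example: read-only audit of the current user's Internet zone (zone 3).
# Value meanings in the zone registry layout: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# The six settings recommended in the post, keyed by URL action ID.
$Recommended = @(
    @{ Id = '1001'; Want = 1; Name = 'Download signed ActiveX controls' }
    @{ Id = '1004'; Want = 3; Name = 'Download unsigned ActiveX controls' }
    @{ Id = '1201'; Want = 3; Name = 'Initialize and script ActiveX controls not marked as safe' }
    @{ Id = '1800'; Want = 1; Name = 'Installation of desktop items' }
    @{ Id = '1804'; Want = 1; Name = 'Launching programs and files in an IFRAME' }
    @{ Id = '1607'; Want = 1; Name = 'Navigate sub-frames across different domains' }
)

function Get-InternetZoneAudit {
    param([string]$Path = $ZoneKey)

    if (-not (Test-Path -Path $Path)) {
        throw "Zone key not found: $Path"
    }
    $zone = Get-ItemProperty -Path $Path

    foreach ($item in $Recommended) {
        # A missing value means the user never changed it from the zone template.
        $prop   = $zone.PSObject.Properties[$item.Id]
        $actual = if ($prop) { [int]$prop.Value } else { $null }

        if ($null -eq $actual) {
            $label = 'not set'
        } elseif ($ValueNames.ContainsKey($actual)) {
            $label = $ValueNames[$actual]
        } else {
            $label = '0x{0:X}' -f $actual   # unexpected value, shown raw
        }

        [pscustomobject]@{
            ActionId  = $item.Id
            Setting   = $item.Name
            Expected  = $ValueNames[$item.Want]
            Actual    = $label
            Compliant = ($actual -eq $item.Want)
        }
    }
}

# Values enforced by Group Policy are stored under the Policies hive and are not read here.
Get-InternetZoneAudit | Format-Table -AutoSize
```

Rows where `Compliant` is `False` are the ones still to be changed in the Custom Level dialog.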
111mike
post Jul 12 2009, 05:34 PM
Post #14





Everything's great. Thanks again to you and WTT for all the help.
OCD
post Jul 13 2009, 02:48 AM
Post #15







111mike,

I'm glad everything is working well for you. It has been my pleasure to help.