
[Resolved] Need help removing Green Av


  • This topic is locked
15 replies to this topic

#1 rob12jr (Authentic Member)

Posted 18 October 2009 - 09:12 AM

I am used to posting my HJT log and then starting the assistance, but I don't see the download for HJT. So I do not have a log. Thank you in advance.


#2 inzanity (Malware Team)

Posted 18 October 2009 - 08:12 PM

Hello,

Please be advised that, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

Please download ERUNT from here, a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click erunt-setup.
  • Choose a language then press Enter or click OK to continue.
  • Click Next on the Welcome window.
  • Install it using the default settings and choose yes when asked to add ERUNT to the start up folder.
  • Upon installation, click Yes when asked if you want to create an ERUNT entry in the start up folder.
  • Make sure a check mark is placed beside Show documentation and Launch ERUNT.
  • Click Finish.
  • Once installed, open ERUNT.exe if it hasn't opened yet, then create a registry backup.
To manually create an ERUNT backup:
  • Open ERUNT.exe
  • Click OK on the welcome screen.
  • Choose a directory where to save the back up by clicking on "..." or just choosing the default settings.
  • Make sure a check mark is placed beside System registry and Current user registry.
  • Click OK.
  • If the destination folder does not exist, ERUNT will prompt you and just click on Yes.
  • Click OK.
--Next--

Please download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file, Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel.
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box.
  • Click on to insert the attachment into your post

Please post both DDS logs in your next reply.

--Next--

We need to check for rootkits with RootRepeal.
Please download RootRepeal from one of these locations and save it to your desktop:
Here
Here
Here
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check just these boxes: (the list of boxes was shown as an image that is not preserved here)
  • Push OK.
  • Check the box for your main system drive (usually C:), and press OK.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

Logs to post in your next reply:
1. DDS log.
2. RootRepeal log.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member



#3 rob12jr (Authentic Member)

Posted 19 October 2009 - 04:20 PM

Between when I started the topic and you replied, I uninstalled Norton Internet Security in preparation for installing Kaspersky. After I uninstalled it, I did a system restore, which seems to have removed Green AV. But now I can't install Kaspersky because it seems not to have completely removed Norton Internet Security. Could you also help me resolve that issue too, if possible?

#4 rob12jr (Authentic Member)

Posted 19 October 2009 - 04:29 PM

DDS (Ver_09-10-13.01) - NTFSx86 Run by patricia at 18:28:40.44 on Mon 10/19/2009 Internet Explorer: 8.0.6001.18828 Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3963.2338 [GMT -4:00] SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} ============== Running Processes =============== C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\svchost.exe -k rpcss C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\SLsvc.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\system32\WLANExt.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\taskeng.exe C:\Windows\system32\agr64svc.exe C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\Intel\WiFi\bin\EvtEng.exe C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe C:\Program Files\TOSHIBA\rselect\RSelSvc.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Windows\system32\ThpSrv.exe C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe C:\Windows\system32\TODDSrv.exe C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe C:\Program Files\TOSHIBA\TECO\TecoService.exe C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Windows\system32\wbem\wmiprvse.exe 
C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\System32\igfxtray.exe C:\Windows\System32\igfxpers.exe C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe C:\Windows\System32\ThpSrv.exe C:\Program Files\TOSHIBA\TECO\Teco.exe C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Windows\ehome\ehtray.exe C:\Program Files (x86)\TOSHIBA\TANU\TANU.exe C:\Program Files (x86)\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe C:\Program Files (x86)\Napster\napster.exe C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe C:\Windows\ehome\ehmsas.exe C:\Windows\ehome\ehsched.exe C:\Windows\ehome\ehRecvr.exe C:\Program Files\Synaptics\SynTP\SynTPHelper.exe C:\Windows\system32\igfxext.exe C:\Windows\system32\SearchIndexer.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe C:\Windows\SysWow64\Macromed\Flash\FlashUtil9f.exe C:\Windows\system32\igfxsrvc.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Users\patricia\Desktop\dds.scr C:\Windows\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB 
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB mLocal Page = c:\windows\syswow64\blank.htm mWinlogon: Userinit=userinit.exe BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files (x86)\norton internet security\engine\16.7.2.11\coIEPlg.dll BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files (x86)\norton internet security\engine\16.7.2.11\IPSBHO.DLL BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files (x86)\microsoft office\office12\GrooveShellExtensions.dll BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files (x86)\java\jre6\bin\ssv.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.3.4501.1418\swg.dll BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files (x86)\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files (x86)\norton internet security\engine\16.7.2.11\coIEPlg.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe 
uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe mRun: [TANU] %ProgramFiles%\TOSHIBA\TANU\TANU.exe mRun: [TUSBSleepChargeSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe mRun: [PCMAgent] "c:\program files (x86)\cyberlink\powercinema for toshiba\PCMAgent.exe" mRun: [CLMLServer] "c:\program files (x86)\cyberlink\powercinema for toshiba\kernel\clml\CLMLSvc.exe" mRun: [NDSTray.exe] "c:\program files (x86)\toshiba\configfree\NDSTray.exe" mRun: [cfFncEnabler.exe] "c:\program files (x86)\toshiba\configfree\cfFncEnabler.exe" mRun: [TWebCamera] "%ProgramFiles(x86)%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe" mRun: [NapsterShell] "c:\program files (x86)\napster\napster.exe" /systray StartupFolder: c:\users\patricia\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files (x86)\erunt\AUTOBACK.EXE mPolicies-explorer: NoActiveDesktop = 1 (0x1) mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office12\EXCEL.EXE/3000 IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files (x86)\microsoft 
office\office12\GrooveSystemServices.dll Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files (x86)\norton internet security\engine\16.7.2.11\CoIEPlg.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files (x86)\microsoft office\office12\GrooveShellExtensions.dll ============= SERVICES / DRIVERS =============== R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\pxhlpa64.sys --> c:\windows\system32\drivers\PxHlpa64.sys [?] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nisx64\1007020.00b\symefa64.sys --> c:\windows\system32\drivers\nisx64\1007020.00b\SYMEFA64.SYS [?] R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys --> c:\windows\system32\drivers\thpdrv.sys [?] R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\thpevm.sys --> c:\windows\system32\drivers\Thpevm.SYS [?] R0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\drivers\tos_sps64.sys --> c:\windows\system32\drivers\tos_sps64.sys [?] R1 BHDrvx64;Symantec Heuristics Driver;c:\windows\system32\drivers\nisx64\1007020.00b\bhdrvx64.sys --> c:\windows\system32\drivers\nisx64\1007020.00b\BHDrvx64.sys [?] R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nisx64\1007020.00b\cchpx64.sys --> c:\windows\system32\drivers\nisx64\1007020.00b\ccHPx64.sys [?] 
R1 IDSVia64;IDSVia64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSviA64.sys [2009-9-25 466480] R2 camsvc;TOSHIBA Web Camera Service;c:\program files (x86)\toshiba\toshiba web camera application\TWebCameraSrv.exe [2009-8-25 20544] R2 ConfigFree Gadget Service;ConfigFree Gadget Service;c:\program files (x86)\toshiba\configfree\CFProcSRVC.exe [2009-3-6 36864] R2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\toshiba\configfree\CFSvcs.exe [2009-3-10 46448] R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-10-2 117640] R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe64.sys --> c:\windows\system32\drivers\rimspe64.sys [?] R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys --> c:\windows\system32\drivers\rixdpe64.sys [?] R2 RSELSVC;TOSHIBA Modem region select service;c:\program files\toshiba\rselect\RSelSvc.exe [2009-2-19 55808] R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-4-14 251392] R2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-3-17 84480] R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\fwlnk.sys --> c:\windows\system32\drivers\FwLnk.sys [?] R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\intchdmi.sys --> c:\windows\system32\drivers\IntcHdmi.sys [?] R3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\netw5v64.sys --> c:\windows\system32\drivers\NETw5v64.sys [?] R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\pgeffect.sys --> c:\windows\system32\drivers\pgeffect.sys [?] 
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nisx64\1007020.00b\symndisv.sys --> c:\windows\system32\drivers\nisx64\1007020.00b\SYMNDISV.SYS [?] S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-9-18 93184] S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968] ============== File Associations =============== JSEFile=c:\windows\syswow64\WScript.exe "%1" %* =============== Created Last 30 ================ 2009-10-18 19:27 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files 2009-10-18 19:27 <DIR> --d----- c:\progra~3\Kaspersky Lab Setup Files 2009-10-18 18:06 604,672 a------- c:\windows\system32\WMSPDMOD.DLL 2009-10-18 18:06 213,504 a------- c:\windows\system32\msv1_0.dll 2009-10-18 18:05 61,440 a------- c:\windows\system32\msasn1.dll 2009-10-18 13:47 <DIR> --d----- c:\programdata\gta 2009-10-18 13:47 <DIR> --d----- c:\progra~3\gta 2009-10-01 01:34 <DIR> --d----- c:\program files (x86)\common files\Sonic Shared 2009-10-01 01:34 <DIR> --d----- c:\program files (x86)\common files\PX Storage Engine 2009-10-01 01:34 <DIR> --d----- c:\program files (x86)\common files\Napster Shared 2009-10-01 01:33 <DIR> --d----- c:\programdata\Napster 2009-10-01 01:33 <DIR> --d----- c:\progra~3\Napster 2009-10-01 01:33 <DIR> --d----- c:\program files (x86)\Napster 2009-09-25 01:41 <DIR> --d----- c:\program files (x86)\common files\Symantec Shared ==================== Find3M ==================== 2009-10-03 05:17 86,016 a------- c:\windows\inf\infstrng.dat 2009-10-03 05:17 86,016 a------- c:\windows\inf\infstor.dat 2009-10-03 05:17 51,200 a------- c:\windows\inf\infpub.dat 2009-09-18 00:19 13 ---shr-- c:\windows\system32\drivers\fbd.sys 2009-08-27 01:22 916,480 a------- c:\windows\system32\wininet.dll 2009-08-27 01:17 109,056 a------- c:\windows\system32\iesysprep.dll 2009-08-27 01:17 71,680 a------- 
c:\windows\system32\iesetup.dll 2009-08-26 23:42 133,632 a------- c:\windows\system32\ieUnatt.exe 2009-08-25 14:17 525,792 a------- c:\windows\DIFxAPI.dll 2009-08-18 02:33 1,193,832 a------- c:\windows\system32\FM20.DLL 2009-08-14 12:29 104,960 a------- c:\windows\system32\netiohlp.dll 2009-08-14 12:29 17,920 a------- c:\windows\system32\netevent.dll 2009-08-14 10:16 17,920 a------- c:\windows\system32\ROUTE.EXE 2009-08-14 10:16 9,728 a------- c:\windows\system32\TCPSVCS.EXE 2009-08-14 10:16 11,264 a------- c:\windows\system32\MRINFO.EXE 2009-08-14 10:16 27,136 a------- c:\windows\system32\NETSTAT.EXE 2009-08-14 10:16 19,968 a------- c:\windows\system32\ARP.EXE 2009-08-14 10:16 10,240 a------- c:\windows\system32\finger.exe 2009-08-14 10:16 8,704 a------- c:\windows\system32\HOSTNAME.EXE 2009-05-03 02:40 665,600 a------- c:\windows\inf\drvindex.dat 2008-01-20 23:21 174 a--sh--- c:\program files (x86)\desktop.ini 2006-11-02 11:14 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat 2006-11-02 11:14 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat 2006-11-02 11:14 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat 2006-11-02 11:14 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat 2006-11-02 06:52 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat 2006-11-02 06:52 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat 2006-11-02 06:52 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat 2006-11-02 06:52 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat ============= FINISH: 18:28:58.08 ===============

#5 rob12jr (Authentic Member)

Posted 19 October 2009 - 04:33 PM

Attach.txt (attached file)


#6 rob12jr (Authentic Member)

Posted 19 October 2009 - 04:36 PM

When I attempted to run RootRepeal, it reported that it does not support x86. I was going to go into the properties and set it to emulate a system that it does support, but I didn't because I was not sure what the result of doing so would be.

Edited by rob12jr, 19 October 2009 - 04:38 PM.


#7 inzanity (Malware Team)

Posted 19 October 2009 - 07:09 PM

Hi rob12jr,

I will be helping you with removing malware from your computer. Log research takes time, so please be patient, and I'd be grateful if you would note the following:
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any scanning tools other than those you are instructed to use.
  • Follow the instructions in the order they are given.
  • Stay with this thread until advised that your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped regarding this problem on another forum, please advise us so that we can close this thread.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

As a Vista user, you will need to right click and choose "Run as Administrator" to run the tools we will use.


Click to download the Norton Removal Tool from HERE and save it to your desktop. You will use it later.

You may want to copy these instructions into Notepad and save it to your desktop.

Disconnect from the internet.

Go to Add/Remove Programs and uninstall anything Norton related.

--Next--

Right click Norton_Removal_Tool.exe and choose Run as Administrator to run the tool.
  • Follow the on-screen instructions.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

When the tool has finished, reboot, if not prompted.

--Next--

Download TFC to your desktop.
  • Close any open windows.
  • Right click the TFC icon and choose Run as Administrator to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
--Next--

Please download Malwarebytes' Anti-Malware to your desktop.
  • Right click mbam-setup.exe then choose Run as Administrator and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post back the log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

--Next--

Download Rooter.exe to your desktop
  • Right click Rooter.exe then choose Run as Administrator to start the tool.
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt (ex. C:\Rooter.exe). Post that here.
Logs to post in your next reply:
1. Malwarebytes log.
2. Rooter log.



#8 rob12jr (Authentic Member)

Posted 19 October 2009 - 08:58 PM

After finishing the Norton Removal Tool, I received an error message, which I took a snapshot of and have attached to this post.


#9 rob12jr (Authentic Member)

Posted 19 October 2009 - 09:12 PM

Malwarebytes' Anti-Malware 1.41
Database version: 2993
Windows 6.0.6001 Service Pack 1

10/19/2009 11:09:02 PM
mbam-log-2009-10-19 (23-09-02).txt

Scan type: Quick Scan
Objects scanned: 86042
Time elapsed: 2 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
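The DDS "Pseudo HJT Report" posted in #4 and the MBAM result above are the two artifacts the helper reads by eye. As an added example (not code from this thread, from DDS, or from Malwarebytes), here is a small Python parser for that DDS section, run over constructed lines in the same shape, that extracts the Run, BHO and mPolicies entries and flags the Explorer policy MBAM quarantined (NoActiveDesktopChanges, expected 0) plus any autostart whose executable sits outside the usual program directories. The "trusted prefix" list and the made-up `updater` autostart line are assumptions, not anything seen on this machine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the DDS "Pseudo HJT Report" section shown in
# this thread. The "updater" uRun line is made up (not from the thread) so that
# the "outside the usual program directories" check has something to report.
SAMPLE_DDS = r"""
mRun: [NDSTray.exe] "c:\program files (x86)\toshiba\configfree\NDSTray.exe"
mRun: [NapsterShell] "c:\program files (x86)\napster\napster.exe" /systray
uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [updater] c:\users\example\appdata\local\temp\updater.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
"""

RUN_RE = re.compile(r'^([um])Run: \[([^\]]+)\] (.+)$')            # uRun/mRun: [name] command
POLICY_RE = re.compile(r'^mPolicies-(\w+): (\w+) = (\d+) \(0x[0-9a-fA-F]+\)$')
BHO_RE = re.compile(r'^BHO: (.+?): \{([0-9a-fA-F-]+)\} - (.+)$')   # BHO: desc: {CLSID} - path
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)      # first .exe token, quoted or not

# The only policy MBAM quarantined in this thread, with the value it reported as "Good".
EXPECTED_EXPLORER_POLICIES = {"NoActiveDesktopChanges": 0}

# Assumption: where legitimate autostart binaries normally live on this kind of system.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows", "%programfiles", "%systemroot%")


@dataclass
class Report:
    run: list = field(default_factory=list)       # (scope, name, command)
    policies: list = field(default_factory=list)  # (hive, name, value)
    bho: list = field(default_factory=list)       # (description, clsid, path)
    unparsed: list = field(default_factory=list)  # lines no pattern matched


def parse_pseudo_hjt(text: str) -> Report:
    """Parse the Run, mPolicies and BHO lines of a DDS Pseudo HJT Report."""
    rep = Report()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            scope = "user" if m.group(1) == "u" else "machine"
            rep.run.append((scope, m.group(2), m.group(3)))
        elif m := POLICY_RE.match(line):
            rep.policies.append((m.group(1), m.group(2), int(m.group(3))))
        elif m := BHO_RE.match(line):
            rep.bho.append((m.group(1), m.group(2).lower(), m.group(3)))
        else:
            rep.unparsed.append(line)
    return rep


def extract_exe(command: str):
    """Return the executable path from a Run command line, or None if no .exe is found."""
    m = EXE_RE.match(command)
    return m.group(1) if m else None


def flag_explorer_policies(rep: Report) -> list:
    """(name, actual, expected) for Explorer policies that differ from the known-good value."""
    flagged = []
    for hive, name, value in rep.policies:
        if hive == "explorer" and name in EXPECTED_EXPLORER_POLICIES:
            expected = EXPECTED_EXPLORER_POLICIES[name]
            if value != expected:
                flagged.append((name, value, expected))
    return flagged


def run_outside_program_dirs(rep: Report) -> list:
    """(scope, name, exe) for autostarts whose executable is not under a trusted prefix."""
    out = []
    for scope, name, command in rep.run:
        exe = extract_exe(command)
        if exe is None or not exe.lower().startswith(TRUSTED_PREFIXES):
            out.append((scope, name, exe))
    return out


if __name__ == "__main__":
    report = parse_pseudo_hjt(SAMPLE_DDS)
    print("policies to review:", flag_explorer_policies(report))
    print("autostarts outside program dirs:", run_outside_program_dirs(report))
```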

#10 rob12jr (Authentic Member)

Posted 19 October 2009 - 09:17 PM

When I ran Rooter.exe, I received another error message, which I have also attached to this post. Again, thank you for your help. And when you believe it is OK, can you let me know when to install my new antivirus?


#11 inzanity (Malware Team)

Posted 20 October 2009 - 05:55 PM

Hi,

Please do the following:
  • Click on Start > Control Panel and double click on Programs and Features.
  • Locate ERUNT and click on the Uninstall button to uninstall it.
  • Close Control Panel when done.

--Next--

Try to install your antivirus (Kaspersky). After installation, have it updated then run a scan. Please post back the log it creates. Thank you.



#12 rob12jr (Authentic Member)

Posted 20 October 2009 - 08:29 PM

Quick Scan: completed 10/20/2009 9:12:02 PM (events: 10, objects: , time: 00:00:00)
10/20/2009 9:12:02 PM Task completed
10/20/2009 9:09:47 PM Task started
Quick Scan: completed 10/20/2009 9:12:02 PM (events: 10, objects: , time: 00:00:00)
10/20/2009 9:22:25 PM Task started
10/20/2009 9:22:57 PM Detected: http://www.viruslist...dvisories/36983 c:\program files (x86)\adobe\reader 9.0\reader\acrord32.exe
10/20/2009 9:33:31 PM Detected: http://www.viruslist...dvisories/36983 c:\program files (x86)\adobe\reader 9.0\reader\acrord32.exe
10/20/2009 9:33:42 PM Detected: http://www.viruslist...dvisories/35948 c:\program files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll
10/20/2009 9:33:43 PM Detected: http://www.viruslist...dvisories/35948 c:\program files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll
10/20/2009 9:36:17 PM Detected: http://www.viruslist...dvisories/34451 c:\program files (x86)\Java\jre6\bin\java.exe
10/20/2009 9:59:18 PM Detected: http://www.viruslist...dvisories/34451 c:\Windows\SysWOW64\java.exe
10/20/2009 10:07:20 PM Task completed

#13 rob12jr (Authentic Member)

Posted 20 October 2009 - 08:34 PM

I've received messages regarding my firewall saying I don't have one. I am not familiar with Kaspersky, and I was wondering if it had a firewall incorporated into the program, or should I enable the Windows Firewall?

#14 inzanity (Malware Team)

Posted 20 October 2009 - 11:12 PM

Hi,

Those detected by Kaspersky are security vulnerabilities; we'll deal with that later. So far your computer looks clean. :)

Please delete DDS, RootRepeal and all the logs we've created.

--Next--

Enable your firewall:
  • Click Start Orb
  • Select Control Panel
  • Click Security
  • Select the Firewall option
  • Click Turn Windows Firewall on or off. Turn it on.
  • Click OK to finish.
--Next--

You can keep TFC and use it to clean your computer of some junk at least once a week. You can also keep Malwarebytes; it is an excellent malware removal tool. Update at least once a week, then run a complete scan.

--Next--

To manually create a new Restore Point

  • Go to Control Panel and select System and Maintenance.
  • Select System.
  • On the left select Advanced System Settings and accept the warning if you get one.
  • Select System Protection Tab.
  • Select Create at the bottom.
  • Type in a name i.e. Clean.
  • Select Create.

Now we can purge the infected ones

  • Go back to the System and Maintenance page.
  • Select Performance Information and Tools.
  • On the left select Open Disk Cleanup.
  • Select Files from all users and accept the warning if you get one.
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab.
  • In the System Restore and Shadow Backups select Clean up.
  • Select Delete on the pop up.
  • Select OK.
  • Select Delete.
--Next--

Adobe
You can get the latest version here.
Or you can download and install Foxit Reader.

Java
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

The latest update is Java 6 update 16.

Now to Clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Settings... button
  • click the Delete Files button.
  • There are two options in the window to clear the cache - Leave both Checked
    Applications and Applets
    Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Settings
  • Click OK to leave the Java Control Panel.

To keep your operating system up to date visit

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
2. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

6. SpywareBlaster - Download and install SpywareBlaster. This program prevents the installation of ActiveX-based spyware and other potentially unwanted programs.

7. SpywareGuard - Download and install SpywareGuard. This provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

8. Protect your computer from internet threats with SandboxIE. This program isolates Internet Explorer from the rest of your operating system, 'sandboxing' it away - so malicious websites can't do damage to the rest of your system. There is a Getting Started guide on their website.

9. And finally, please read these excellent articles:
Malware: Help prevent the Infection by Sandi Hardmeier,
Preventing Malware - Tools and Practices for Safe Computing

For more safe computing tips please read the guide by Rorschach112 on how to prevent malware and about safe computing here.



Good luck, happy computing and stay clean! ^_^



#15 rob12jr (Authentic Member)

Posted 21 October 2009 - 06:53 AM

All completed successfully.
