Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92379 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Help - My computer is under assalt!


  • This topic is locked This topic is locked
14 replies to this topic

#1 lazycoach1

lazycoach1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 24 November 2009 - 09:07 PM

My son got on my computer today and played on-line video games. I am running the most recent version of the AVG virus protection and received a sheild alert. I ran a scan and found a virus and removed it. However, I am getting the following message at start up; "error loading c;\windows\system32\miboduka" My computer is now running slow. I am not the most computer literate person and need help please.......

    Advertisements

Register to Remove


#2 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 24 November 2009 - 09:15 PM

Hello lazycoach1. Welcome to WTT! Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advise. This may cause a delay, but I will do my best to keep it as short as possible. I am checking over your log , I will post back shortly with instructions.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#3 lazycoach1

lazycoach1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 24 November 2009 - 09:29 PM

I read more of the forum and have now ran the DDS.txt log, Attach.txt and RootRepeal.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/24 21:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF739B000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: ACPIEC.sys
Image Path: ACPIEC.sys
Address: 0xF78E6000 Size: 11648 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF1904000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AGRSM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
Address: 0xF6FC8000 Size: 1270464 File Visible: - Signed: -
Status: -

Name: ALCXWDM.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF6D93000 Size: 2311680 File Visible: - Signed: -
Status: -

Name: AmdK8.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Address: 0xF754A000 Size: 61440 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7335000 Size: 96512 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF71E7000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xF1819000 Size: 326528 File Visible: - Signed: -
Status: -

Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xF7802000 Size: 21760 File Visible: - Signed: -
Status: -

Name: avgrkx86.sys
Image Path: avgrkx86.sys
Address: 0xF725B000 Size: 155136 File Visible: - Signed: -
Status: -

Name: avgtdix.sys
Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xF1974000 Size: 353920 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF78E2000 Size: 16384 File Visible: - Signed: -
Status: -

Name: bcmwl5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Address: 0xF6CCD000 Size: 369024 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79DA000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF78DA000 Size: 12288 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF750A000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xF796A000 Size: 13952 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF78DE000 Size: 10240 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF74FA000 Size: 36352 File Visible: - Signed: -
Status: -

Name: DKbFltr.sys
Image Path: C:\WINDOWS\System32\Drivers\DKbFltr.sys
Address: 0xF776A000 Size: 16896 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF756A000 Size: 61440 File Visible: - Signed: -
Status: -

Name: DSI_SiUSBXp_3_1.sys
Image Path: C:\WINDOWS\system32\drivers\DSI_SiUSBXp_3_1.sys
Address: 0xF769A000 Size: 40960 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF17D9000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79E0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF6C91000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C4000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7B45000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.sys
Image Path: Fastfat.sys
Address: 0xF72DF000 Size: 143744 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF767A000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF7315000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79D8000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF734D000 Size: 125056 File Visible: - Signed: -
Status: -

Name: gagp30kx.sys
Image Path: gagp30kx.sys
Address: 0xF752A000 Size: 46464 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806D0000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF768A000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF780A000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF721E000 Size: 10368 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xF0804000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF755A000 Size: 52480 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF79CE000 Size: 5504 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF194E000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF1A24000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF74CA000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF7772000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF79CA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xEFF13000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xF6D4C000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF72C8000 Size: 92928 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF79DC000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF7782000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF777A000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF721A000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF74DA000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xF13F4000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF1869000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF77F2000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF75AA000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF797E000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7281000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF729B000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF796E000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xF16A9000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF6CB6000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF75CA000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF764A000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF1926000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF77FA000 Size: 30848 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF71CB000 Size: 2944 File Visible: - Signed: -
Status: -

Name: OPRGHDLR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Address: 0xF7A93000 Size: 4096 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF7752000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF738A000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7A92000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF774A000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xF736C000 Size: 120192 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6D6F000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF6CA5000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF77AA000 Size: 17792 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF79AE000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF757A000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF758A000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF759A000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF77B2000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF18D9000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79DE000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xF03FC000 Size: 49152 File Visible: No Signed: -
Status: -

Name: serscan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serscan.sys
Address: 0xF79D2000 Size: 6784 File Visible: - Signed: -
Status: -

Name: SiLib.sys
Image Path: C:\WINDOWS\system32\drivers\SiLib.sys
Address: 0xF76AA000 Size: 45056 File Visible: - Signed: -
Status: -

Name: SISAGPX.sys
Image Path: SISAGPX.sys
Address: 0xF751A000 Size: 36992 File Visible: - Signed: -
Status: -

Name: sisgrp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sisgrp.sys
Address: 0xF7141000 Size: 258048 File Visible: - Signed: -
Status: -

Name: SiSGRV.dll
Image Path: C:\WINDOWS\System32\SiSGRV.dll
Address: 0xBF9D6000 Size: 1216512 File Visible: - Signed: -
Status: -

Name: sisnicxp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
Address: 0xF779A000 Size: 32768 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF7303000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xF0EFD000 Size: 333952 File Visible: - Signed: -
Status: -

Name: srvkp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srvkp.sys
Address: 0xF79C6000 Size: 13312 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF79D4000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SynTP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xF70FF000 Size: 185824 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF1529000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF19CB000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF77A2000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF75BA000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF6C1F000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF79D0000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF7792000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF761A000 Size: 59520 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF778A000 Size: 17152 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF6D28000 Size: 147456 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF77EA000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF712D000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF74EA000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF763A000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7812000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xF12EF000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF79CC000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

DDS (Ver_09-06-26.01) - FAT32x86
Run by Owner at 21:17:50.54 on Tue 11/24/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.378 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Garmin\ANT Agent\ANT Agent.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Shell=Explorer.exe logon.exe
BHO: {34758a84-f5cc-4d6f-bfbe-4ef26ab5f1c8} - c:\windows\system32\efccyVmm.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {f4666422-6c70-8bda-63a4-33223e7b6c76}: {67c6b7e3-2233-4a36-adb8-07c62246664f} - c:\windows\system32\smqfpb.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\urqOHWon.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\common\helper.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ANT Agent] c:\garmin\ant agent\ANT Agent.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [PCMService] "c:\program files\arcade\PCMService.exe"
mRun: [LManager] c:\program files\launch manager\QtZgAcer.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [rotatigov] Rundll32.exe "c:\windows\system32\miboduka.dll",a
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\msoffice\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\msoffice\office\FASTBOOT.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~3.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Search - http://edits.mywebse...?p=ZJxdm398YYUS
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - hxxp://cdnrep.reimage.com/reix1212.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231365948625
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194827929578
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {9E51DBA0-9151-4D94-82B5-4C1886AA5022} = 83.149.115.182
TCP: {F0AE906D-0F39-43EE-8F60-8FDDA9E17169} = 83.149.115.182
Filter: text/html - {778a0a5d-b6fd-47f6-87b6-2c54869386b9} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: urqOHWon - urqOHWon.dll
AppInit_DLLs: jowosepe.dll c:\windows\system32\miboduka.dll
SSODL: bebudigop - {be829f45-2783-4b60-b94b-643cdf5acf1e} - c:\windows\system32\miboduka.dll
STS: mujuzedij: {be829f45-2783-4b60-b94b-643cdf5acf1e} - c:\windows\system32\miboduka.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\urqOHWon.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efccyVmm
LSA: Notification Packages = scecli mafutaje.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-2 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-2 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-2 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-2 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-24 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-24 285392]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\coh_mon.sys --> c:\windows\system32\drivers\COH_Mon.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-11-9 1245064]

=============== Created Last 30 ================


==================== Find3M ====================

2009-11-24 20:43 360,584 a------- c:\windows\system32\drivers\avgtdix.sys
2009-11-24 20:43 333,192 a------- c:\windows\system32\drivers\avgldx86.sys
2009-11-24 20:43 12,464 a------- c:\windows\system32\avgrsstx.dll
2009-11-24 20:42 161,800 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-10-22 03:19 5,939,712 -------- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 09:18 136,192 a------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 16:03 58,880 a------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 05:35 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-13 16:55 55,464 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-08-24 15:54 52,736 a--sh--- c:\windows\system32\mafutaje.dll
2009-08-24 15:54 52,736 a--sh--- c:\windows\system32\jevuwuwa.dll
2009-08-24 15:54 52,736 a--sh--- c:\windows\system32\jowosepe.dll
2009-08-24 16:00 39,424 a--sh--- c:\windows\system32\zozomoju.dll
2009-08-24 16:00 45,056 a--sh--- c:\windows\system32\nofujebu.dll
2009-01-03 12:38 694,907 a--sh--- c:\windows\system32\mmVyccfe.ini2
2008-10-25 08:30 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat
2008-12-29 18:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920081230\index.dat
2009-01-02 09:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010220090103\index.dat

============= FINISH: 21:19:02.40 ===============

Attached Files



#4 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 25 November 2009 - 01:56 AM

Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#5 lazycoach1

lazycoach1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 25 November 2009 - 07:06 AM

It is still running a little bit slower, but much better overall. I did a reboot to see if I would get any messages at start up and I did not. Here is my log:

ComboFix 09-11-24.04 - Owner 11/25/2009 6:35.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.438 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\FunWebProducts
c:\documents and settings\Owner\Application Data\FunWebProducts\Data\Owner\avatar.dat
c:\documents and settings\Owner\Application Data\FunWebProducts\Data\Owner\zbucks.dat
c:\program files\Common
c:\program files\Common\helper.sig
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\desktop
c:\windows\desktop\Cook'n with Betty Crocker.lnk
c:\windows\system32\drivers\senekaxbctyayx.sys
c:\windows\system32\fitelote.dll
c:\windows\system32\gajonosu.dll
c:\windows\system32\jevuwuwa.dll.tmp
c:\windows\system32\jowosepe.dll.tmp
c:\windows\system32\lanikuwo.dll
c:\windows\system32\lopohopi.dll
c:\windows\system32\mafutaje.dll.tmp
c:\windows\system32\mmVyccfe.ini
c:\windows\system32\mmVyccfe.ini2
c:\windows\system32\munigero.dll
c:\windows\system32\ntnet.drv
c:\windows\system32\ovebykuc.ini
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekahxvmyowm.dll
c:\windows\system32\senekaimpuyusr.dll
c:\windows\system32\senekakounkvas.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\yasatuji.dll
c:\windows\system32\zozomoju.dll
c:\windows\Tasks\zoaevzee.job
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_seneka
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-25 03:15 . 2009-11-25 03:15 -------- d-----w- c:\program files\ERUNT
2009-11-25 02:43 . 2009-11-25 02:43 -------- d-----w- C:\$AVG
2009-11-25 02:42 . 2009-11-25 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-11 23:30 . 2009-11-11 23:30 -------- d-----w- C:\FOUND.019
2009-11-06 19:09 . 2009-11-12 14:48 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-26 19:17 . 2009-10-26 19:18 -------- d-----w- c:\documents and settings\Owner\Application Data\HpUpdate
2009-10-26 19:17 . 2009-10-26 19:17 -------- d-----w- c:\windows\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 02:43 . 2009-01-02 21:43 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-25 02:43 . 2009-01-02 21:43 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-25 02:43 . 2009-01-02 21:43 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-25 02:43 . 2009-01-02 21:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-25 02:42 . 2009-01-02 21:43 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-18 14:53 . 2009-10-24 22:36 3775256 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
2009-10-25 14:09 . 2009-04-13 22:23 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-15 18:47 . 2009-10-15 18:47 -------- d-----w- c:\program files\iPod
2009-10-15 18:47 . 2009-10-15 18:47 -------- d-----w- c:\program files\iTunes
2009-10-15 18:47 . 2009-10-15 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-15 18:45 . 2009-10-15 18:45 -------- d-----w- c:\program files\QuickTime
2009-10-15 18:40 . 2009-10-15 18:40 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-11 15:18 . 1980-01-01 06:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 22:03 . 1980-01-01 06:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 09:08 . 1980-01-01 06:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-25 12:25 . 2009-08-25 12:25 61440 --sha-w- c:\windows\system32\fotobike.dll
2009-08-24 22:00 . 2009-08-24 22:00 45056 --sha-w- c:\windows\system32\nofujebu.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 18:13 1115392 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-09 68856]
"ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2009-07-30 11017728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-10 49152]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-03-28 315392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-11 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-25 2020120]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-24 77824]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-02-26 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-3-7 331776]
Microsoft Office Find Fast Indexer.lnk - c:\msoffice\Office\FINDFAST.EXE [1996-3-20 86528]
Microsoft Office Fast Start.lnk - c:\msoffice\Office\FASTBOOT.EXE [1996-3-20 14848]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-25 02:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Magnifier.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Magnifier.lnk
backup=c:\windows\pss\Magnifier.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/2/2009 3:43 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/2/2009 3:43 PM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/2/2009 3:43 PM 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/24/2009 8:42 PM 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/24/2009 8:42 PM 285392]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys --> c:\windows\system32\Drivers\COH_Mon.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-09 13:43]

2009-11-25 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [1980-01-01 01:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebse...?p=ZJxdm398YYUS
TCP: {9E51DBA0-9151-4D94-82B5-4C1886AA5022} = 83.149.115.182
TCP: {F0AE906D-0F39-43EE-8F60-8FDDA9E17169} = 83.149.115.182
DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - hxxp://cdnrep.reimage.com/reix1212.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{34758A84-F5CC-4D6F-BFBE-4EF26AB5F1C8} - c:\windows\system32\efccyVmm.dll
BHO-{67c6b7e3-2233-4a36-adb8-07c62246664f} - c:\windows\system32\smqfpb.dll
BHO-{fef7ca23-cad4-4291-ae40-fe4c71b6ac44} - fitelote.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-rotatigov - c:\windows\system32\lopohopi.dll
HKLM-Run-rirawapola - yasatuji.dll
SharedTaskScheduler-{be829f45-2783-4b60-b94b-643cdf5acf1e} - c:\windows\system32\miboduka.dll
SharedTaskScheduler-{dbf58b09-e433-400b-b938-aa48885b27dc} - c:\windows\system32\lopohopi.dll
SSODL-bebudigop-{be829f45-2783-4b60-b94b-643cdf5acf1e} - c:\windows\system32\miboduka.dll
SSODL-figehekay-{dbf58b09-e433-400b-b938-aa48885b27dc} - c:\windows\system32\lopohopi.dll
Notify-urqOHWon - urqOHWon.dll
AddRemove-GridVista - c:\windows\UnInst32.exe GridV.UNI
AddRemove-LManager - c:\windows\UnInst32.exe QtZgAcer.UNI
AddRemove-Pdf995 - c:\program files\pdf995\setup.exe uninstall



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 06:43
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-196467754-4231030674-3399471592-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(264)
c:\windows\system32\WININET.dll
c:\program files\CyberLink\Shared Files\CLRCEngine.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\acer\eManager\anbmServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\HPZinw12.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-11-25 06:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-25 12:50

Pre-Run: 11,844,485,120 bytes free
Post-Run: 14,069,366,784 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 3DD77A5B454743B03A000BF2E09B010A

#6 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 25 November 2009 - 06:34 PM

Hello,
I have a quick question before we continue. You logs show signs of Norton still on your computer. Is it correct to assume that you recently uninstalled Norton and installed AVG?

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Help_My_computer_under_assalt_t108494.html&view=findpost&p=613285#entry613285
KillAll::
Collect::
c:\windows\system32\fotobike.dll
c:\windows\system32\nofujebu.dll
DDS::
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm398YYUS

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    **Note**
    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Scanning with MalwareBytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Please make sure you include the following items in your next post:
1. An answer to my question regarding your anti-virus situation.
2. The log that was produced after running ComboFix.
3. The log that was produced after running MalwareByes' Anti-Malware.
4. The log that was produced after running ESET Online Scanner.
5. An update on how your computer is currently running.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#7 lazycoach1

lazycoach1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 25 November 2009 - 09:53 PM

1. Yes, I did uninstall Norton and install AVG.
2. ComboFix 09-11-24.04 - Owner 11/25/2009 19:59.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.454 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus plus Firewall *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\fotobike.dll
file zipped: c:\windows\system32\nofujebu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fotobike.dll
c:\windows\system32\nofujebu.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-25 03:15 . 2009-11-25 03:15 -------- d-----w- c:\program files\ERUNT
2009-11-25 02:43 . 2009-11-25 02:43 -------- d-----w- C:\$AVG
2009-11-25 02:42 . 2009-11-25 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-11 23:30 . 2009-11-11 23:30 -------- d-----w- C:\FOUND.019
2009-11-06 19:09 . 2009-11-12 14:48 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 02:43 . 2009-01-02 21:43 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-25 02:43 . 2009-01-02 21:43 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-25 02:43 . 2009-01-02 21:43 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-25 02:43 . 2009-01-02 21:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-25 02:42 . 2009-01-02 21:43 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-18 14:53 . 2009-10-24 22:36 3775256 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
2009-10-26 19:18 . 2009-10-26 19:17 -------- d-----w- c:\documents and settings\Owner\Application Data\HpUpdate
2009-10-25 14:09 . 2009-04-13 22:23 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-15 18:47 . 2009-10-15 18:47 -------- d-----w- c:\program files\iPod
2009-10-15 18:47 . 2009-10-15 18:47 -------- d-----w- c:\program files\iTunes
2009-10-15 18:47 . 2009-10-15 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-15 18:45 . 2009-10-15 18:45 -------- d-----w- c:\program files\QuickTime
2009-10-15 18:40 . 2009-10-15 18:40 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-11 15:18 . 1980-01-01 06:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 22:03 . 1980-01-01 06:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 09:08 . 1980-01-01 06:00 916480 ------w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-25_12.43.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-26 02:04 . 2009-11-26 02:04 16384 c:\windows\temp\Perflib_Perfdata_79c.dat
+ 2009-11-25 12:47 . 2009-11-25 12:47 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2009-11-12 09:01 . 2009-11-12 09:01 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2006-10-27 02:49 . 2006-10-27 02:49 509200 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12CVR.DLL
+ 2009-04-04 13:35 . 2009-04-04 13:35 38325760 c:\windows\Installer\3efef.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 18:13 1115392 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-09 68856]
"ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2009-07-30 11017728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-10 49152]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-03-28 315392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-11 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-25 2020120]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-24 77824]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-02-26 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-3-7 331776]
Microsoft Office Find Fast Indexer.lnk - c:\msoffice\Office\FINDFAST.EXE [1996-3-20 86528]
Microsoft Office Fast Start.lnk - c:\msoffice\Office\FASTBOOT.EXE [1996-3-20 14848]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-25 02:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Magnifier.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Magnifier.lnk
backup=c:\windows\pss\Magnifier.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/2/2009 3:43 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/2/2009 3:43 PM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/2/2009 3:43 PM 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/24/2009 8:42 PM 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/24/2009 8:42 PM 285392]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys --> c:\windows\system32\Drivers\COH_Mon.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-09 13:43]

2009-11-25 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [1980-01-01 01:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {9E51DBA0-9151-4D94-82B5-4C1886AA5022} = 83.149.115.182
TCP: {F0AE906D-0F39-43EE-8F60-8FDDA9E17169} = 83.149.115.182
DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - hxxp://cdnrep.reimage.com/reix1212.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 20:05
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-196467754-4231030674-3399471592-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4088)
c:\windows\system32\WININET.dll
c:\program files\CyberLink\Shared Files\CLRCEngine.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\acer\eManager\anbmServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2009-11-25 20:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 02:09
ComboFix2.txt 2009-11-25 12:50

Pre-Run: 13,993,639,936 bytes free
Post-Run: 14,032,175,104 bytes free

- - End Of File - - 37FB4539375314347F8CDDECB75DCF3A
Upload was successful
3. Malwarebytes' Anti-Malware 1.41
Database version: 3235
Windows 5.1.2600 Service Pack 3

11/25/2009 8:21:52 PM
mbam-log-2009-11-25 (20-21-52).txt

Scan type: Quick Scan
Objects scanned: 104135
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
4. C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP6A0C17F8.pdf PDF/Exploit.Gen trojan
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP767\A0096961.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP767\A0096963.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP768\A0097123.dll a variant of Win32/Kryptik.BBO trojan
C:\Qoobox\Quarantine\[4]-Submit_2009-11-25_19.59.46.zip a variant of Win32/Kryptik.BBO trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\fitelote.dll.vir a variant of Win32/Adware.SuperJuan.O application
C:\Qoobox\Quarantine\C\WINDOWS\system32\gajonosu.dll.vir a variant of Win32/Adware.SuperJuan.O application
C:\Qoobox\Quarantine\C\WINDOWS\system32\lanikuwo.dll.vir a variant of Win32/Adware.SuperJuan.O application
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmVyccfe.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmVyccfe.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovebykuc.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\yasatuji.dll.vir a variant of Win32/Adware.SuperJuan.O application
C:\Qoobox\Quarantine\C\WINDOWS\system32\fotobike.dll.vir a variant of Win32/Kryptik.BBO trojan
5. It seems to be running slower then before. No troubles at start up.

I did not remove the threats found during the ESET scan, becasue of your instructions. Was that correct?

#8 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 25 November 2009 - 11:26 PM

VirusTotal File Scan
Please go to: VirusTotal
  • Posted Image
  • Click the Browse button and search for the following file: c:\windows\Installer\3efef.msp
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Please post the results in your next reply

Remove Norton Tool

ONLY if you don't have an active subscription, use below link to uninstall Norton.

Please click HERE and follow the instructions to download and run the Norton Removal Tool for your own version.

It is strongly recommended that you run only one anti-virus program at a time. Having more than one anti-virus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Java Outdated
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 17. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the drop-down menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH CheckedApplications and AppletsTrace and Log Files
  • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Post the log that was produced after running the VirusTotal.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#9 lazycoach1

lazycoach1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 26 November 2009 - 07:06 PM

When I try to run the Virus total scan it wont run. It gives the message " Bigger than max permitted size" I was able to get all the Norton stuff off. I unistalled the old Java and loaded the latest verision.

#10 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 26 November 2009 - 08:52 PM

When I try to run the Virus total scan it wont run. It gives the message " Bigger than max permitted size"

I should have realized that the file I was asking you to upload was too big. Don't worry about it.

At this point I believe your logs are clean. We just have a few housekeeping issues to take care of first. Please make sure you read this post fully.

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:
Posted Image
Click Start > Run and copy/paste the following bolded text into the Run box and click OK: ComboFix /Uninstall

OTS Clean-Up
  • Make sure you have an Internet Connection.
  • Double-click OTS.exe to run it. (Vista users, please right click on OTS.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTS to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You should be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
Looking over your log it seems you don't have any evidence of a third party FIREWALL. As the term conveys a firewall is an extra layer of security installed onto computers which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders.

If you are using the built-in Windows XP firewall it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to phone home for more instructions. Simply put Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

I would recommend to install install a free firewall for personal use from one of these excellent vendors. Choice is yours:

Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.

All Clean Speech

===> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.
  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE
  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
    secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
    blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here
    • If you choose to use Firefox, I highly recommend this add-on to keep your PC even more secure.
      • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#11 lazycoach1

lazycoach1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 26 November 2009 - 10:19 PM

For the OTS clean up, where am I going to double click OTS.exe?

#12 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 26 November 2009 - 11:54 PM

For the OTS clean up, where am I going to double click OTS.exe?

Whoops.. Sorry about that. Try this instead:

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#13 lazycoach1

lazycoach1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 27 November 2009 - 07:20 AM

I got everything completed this morning. Thank you, Thank you, Thank you!!!!! You have been great.

#14 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 27 November 2009 - 11:02 AM

lazycoach1, You are very welcome! Stay Safe & Stay Clean! SweetTech.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#15 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,755 posts

Posted 28 November 2009 - 10:08 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Proud Graduate of the WTT Classroon
If you are happy with the help you recieved, please consider making a Donation 5Iv60h9.jpg
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users