
Thread: Can't remove Win32.Autorun.tmp

  1. #31 (Junior Member, Join Date Sep 2010, Posts 21)

    Aha! Finally... ComboFix worked!

    Here's the log:


    ComboFix 10-09-09.04 - willmonotti 11/09/2010 23:31:51.1.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.550 [GMT 10:00]
    Running from: c:\documents and settings\willmonotti\Desktop\commy.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Uninstall.ini

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
    .

    2010-09-09 13:11 . 2010-09-09 13:11 -------- d-----w- C:\_OTL
    2010-09-09 13:09 . 2010-09-09 13:09 -------- d-----w- c:\program files\ERUNT
    2010-09-08 12:11 . 2010-09-08 12:11 -------- d-----w- c:\documents and settings\willmonotti\Application Data\Malwarebytes
    2010-09-08 12:11 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-08 12:11 . 2010-09-08 12:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-08 12:11 . 2010-09-08 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-08 12:11 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-08 09:57 . 2010-09-08 09:57 -------- d-----w- C:\ComboFix
    2010-09-01 13:56 . 2010-09-01 13:56 -------- d-----w- c:\program files\Safer Networking
    2010-08-15 10:24 . 2010-08-15 10:24 503808 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4d9ba47b-n\msvcp71.dll
    2010-08-15 10:24 . 2010-08-15 10:24 499712 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4d9ba47b-n\jmc.dll
    2010-08-15 10:24 . 2010-08-15 10:24 61440 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-40226f48-n\decora-sse.dll
    2010-08-15 10:24 . 2010-08-15 10:24 348160 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4d9ba47b-n\msvcr71.dll
    2010-08-15 10:24 . 2010-08-15 10:24 12800 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-40226f48-n\decora-d3d.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-11 12:32 . 2005-05-24 05:18 12 ----a-w- c:\windows\bthservsdp.dat
    2010-08-03 07:15 . 2009-05-23 10:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2008-10-16 01:46 . 2008-10-16 01:46 700 ----a-w- c:\program files\studentVPN.pcf
    2008-08-29 04:00 . 2008-08-29 04:00 1073 ----a-w- c:\program files\sig.dat
    2008-08-29 04:00 . 2008-08-29 04:00 1099 ----a-w- c:\program files\vpnclient_setup.ini
    2008-08-29 04:00 . 2008-08-29 04:00 52224 ----a-w- c:\program files\vpnclient_jp.mst
    2008-08-29 04:00 . 2008-08-29 04:00 10935808 ----a-w- c:\program files\vpnclient_setup.msi
    2008-08-29 04:00 . 2008-08-29 04:00 51200 ----a-w- c:\program files\vpnclient_fc.mst
    2008-08-29 04:00 . 2008-08-29 04:00 819 ----a-w- c:\program files\vpnclient_setup.sms
    2008-08-29 04:00 . 2008-08-29 04:00 640 ----a-w- c:\program files\vpnclient_setup.pdf
    2008-08-29 04:00 . 2008-08-29 04:00 1822520 ----a-w- c:\program files\instmsiw.exe
    2008-08-29 04:00 . 2008-08-29 04:00 1708856 ----a-w- c:\program files\instmsi.exe
    2008-08-29 03:59 . 2008-08-29 03:59 56832 ----a-w- c:\program files\vpnclient_setup.exe
    2008-08-29 03:58 . 2008-08-29 03:58 221315 ----a-w- c:\program files\installservice.exe
    2008-08-29 03:57 . 2008-08-29 03:57 16505 ----a-w- c:\program files\DelayInst.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Google Update"="c:\documents and settings\willmonotti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-16 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" [X]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3453:TCP"= 3453:TCP:huxutzgk
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [13/11/2009 11:28 AM 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 8:58 AM 20480]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S2 ywyyitdy;System Monitor;c:\windows\system32\svchost.exe -k netsvcs [24/05/2005 2:35 PM 14336]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [21/06/2010 4:01 PM 11520]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ywyyitdy
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

    2010-03-24 c:\windows\Tasks\Install_NSS.job
    - c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-03-15 13:58]

    2010-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4089067542-3450742136-2425182029-1004Core1cb4c3f70ac632c.job
    - c:\documents and settings\willmonotti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 10:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://trinity.unimelb.edu.au/portal
    uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
    uInternet Settings,ProxyServer = wwwproxy.student.unimelb.edu.au:8000
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\willmonotti\Application Data\Mozilla\Firefox\Profiles\qtrsc0zj.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.startup.homepage - hxxps://www.trinitycollege.vic.edu.au/portal/today/today.php
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
    FF - prefs.js: network.proxy.ftp - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.ftp_port - 8000
    FF - prefs.js: network.proxy.gopher - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.gopher_port - 8000
    FF - prefs.js: network.proxy.http - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.http_port - 8000
    FF - prefs.js: network.proxy.socks - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.socks_port - 8000
    FF - prefs.js: network.proxy.ssl - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.ssl_port - 8000
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\documents and settings\willmonotti\Application Data\Mozilla\Firefox\Profiles\qtrsc0zj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\willmonotti\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false.
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-HookURL - (no file)
    URLSearchHooks-Rank - (no file)
    HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
    HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    HKCU-Run-vgr60 - c:\windows\system32\6xc81oz.exe
    HKCU-Run-lbhc6y - c:\windows\system32\lr2xd2jk.exe
    HKCU-Run-llmcdi - c:\windows\system32\bm5hdyuu.exe
    HKCU-Run-rcc86 - c:\windows\system32\q1gw1ni13p.exe
    HKCU-Run-mcdi3e - c:\windows\system32\bm86y3pl.exe
    HKCU-Run-yuupgg - c:\windows\system32\ytkkfwwr.exe
    HKCU-Run-zuvqm - c:\windows\system32\kkfwwrii.exe
    HKCU-Run-upggbs - c:\windows\system32\dzpplbbxnn.exe
    HKCU-Run-wbxxoo3 - c:\windows\system32\0xdyep0.exe
    HKCU-Run-teea6r - c:\windows\system32\w39ee5v1wb.exe
    HKCU-Run-tkkfww - c:\windows\system32\i1eaavmmhy.exe
    HKCU-Run-pkkgww - c:\windows\system32\ni1eaavmmh.exe
    HKCU-Run-ezqqlcc - c:\windows\system32\oojaavmmhy.exe
    HKCU-Run-snoejuf - c:\windows\system32\86y2ff6.exe
    HKCU-Run-yzpf0w - c:\windows\system32\n20zvfbw.exe
    HKCU-Run-nojpk0r - c:\windows\system32\0jff66w.exe
    HKCU-Run-falhcc - c:\windows\system32\1qmmhyy.exe
    HKCU-Run-xdtyuua - c:\windows\system32\vlw2nyojzav.exe
    HKCU-Run-dzuklg2 - c:\windows\system32\rsnt66k8708.exe
    HKCU-Run-uplbbxc - c:\windows\system32\pff69m1i.exe
    HKCU-Run-faawmm - c:\windows\system32\3wwriid.exe
    HKCU-Run-mmiyy6k - c:\windows\system32\fwwriiduupg.exe
    HKCU-Run-hcyytkk - c:\windows\system32\qlccxoojaa.exe
    HKCU-Run-zaflw - c:\windows\system32\70bxny1.exe
    HKCU-Run-cydo8 - c:\windows\system32\cttuzf81.exe
    HKCU-Run-wcxtoeu - c:\windows\system32\70i1zuv.exe
    HKCU-Run-akvwx - c:\windows\system32\e1vbg3sn.exe
    HKCU-Run-vqwxin - c:\windows\system32\60niy1p.exe
    HKCU-Run-qhxiioj - c:\windows\system32\1cdi81u.exe
    HKCU-Run-hxdtp - c:\windows\system32\hm2noj081q.exe
    HKCU-Run-xsoo8 - c:\windows\system32\sndu1klq.exe
    HKCU-Run-wrmns - c:\windows\system32\60xs0zf.exe
    HKCU-Run-cito0 - c:\windows\system32\chxd60flvr.exe
    HKCU-Run-dezpq - c:\windows\system32\w2xyt081alm.exe
    HKCU-Run-dzuva - c:\windows\system32\1epqlr8.exe
    HKLM-Run-IgfxTray - c:\windows\system32\igfxtray.exe
    HKLM-Run-HotKeysCmds - c:\windows\system32\hkcmd.exe
    HKLM-Run-SoundMan - SOUNDMAN.EXE
    HKLM-Run-KTPWare - c:\program files\Elantech\ktp.exe
    AddRemove-Trillian - c:\program files\Trillian\trillian.exe
    AddRemove-Universal Soccer Manager 2 - c:\program files\Universal Soccer Manager 2\Uninstal.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-11 23:37
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(840)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL
    .
    Completion time: 2010-09-11 23:40:07
    ComboFix-quarantined-files.txt 2010-09-11 13:40

    Pre-Run: 4,167,008,256 bytes free
    Post-Run: 4,139,712,512 bytes free

    - - End Of File - - C6D230758D0672820BBC94C84E897482

  2. #32 (Senior Member, Join Date Feb 2010, Location Port Hedland, Western Australia, Posts 155)

    Hi

    CFScript
    Close any open browsers.
    Open notepad and copy/paste the text in the code box below into it:

    Code:
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3453:TCP"=-
    Driver::
    ywyyitdy
    Netsvc::
    ywyyitdy
    Save this as CFScript.txt, in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe
    If prompted by ComboFix to update, please do so
    When finished, it shall produce a log for you at "C:\ComboFix.txt"
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    Update Java Runtime
    You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 21.
    • Download the latest version of Java Runtime Environment (JRE) 6 Here
    • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
    • Click the orange Download JRE button to the right
    • Select the Windows platform from the dropdown menu
    • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
    • Click on the link to download Windows Offline Installation & save the file to your desktop
    • Close any programs you may have running - especially your web browser
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version
    • Reboot your computer once all Java components are removed
    • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - Leave BOTH Checked
        • Applications and Applets
          Trace and Log Files
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel
    Kaspersky Online Scan
    Do an online scan with Kaspersky Online Scanner
    • Read through the requirements and privacy statement and click on Accept button
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
    • When the downloads have finished, click on Settings
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan
    • Once the scan is complete, it will display the results. Click on View Scan Report
    • You will see a list of infected items there. Click on Save Report As...
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
    • Please post this log in your next reply
    Pictured tutorial if required.
    This scan will take quite some time to update & scan, so be patient with it.

    To post in next reply:
    ComboFix log
    Kaspersky Online Scan log
    Update on how the computer is running
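The three things the CFScript above targets (the firewall exception with the bare random label, the service hosted in svchost's netsvcs group, and its NetSvcs registration) can be picked out of a ComboFix log mechanically. The script below is an added example, not part of this thread and not ComboFix's own code; the log excerpt and the KNOWN_NETSVCS baseline are constructed for illustration, and the baseline is an assumption to be replaced with names taken from a known-clean machine.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Constructed example, not part of the original thread or of ComboFix itself.
It reads two kinds of line ComboFix prints:
    S2 name;Display Name;image path [dd/mm/yyyy h:mm AM size]
    "port:proto"= port:proto:label
and flags (a) services hosted in svchost.exe's netsvcs group that are not on a
known-good baseline, and (b) open-port exceptions whose label is a bare name
rather than a Windows resource string (@dll,-id), as on the page's 3389 entry.
"""
import re

# Constructed excerpt in the shape of the log posted in this thread.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3453:TCP"= 3453:TCP:huxutzgk
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 WDDMService;WD SmartWare Drive Manager;c:\\program files\\Western Digital\\WD SmartWare\\WD Drive Manager\\WDDMService.exe [13/11/2009 11:28 AM 110592]
S0 Lbd;Lbd;c:\\windows\\system32\\DRIVERS\\Lbd.sys --> c:\\windows\\system32\\DRIVERS\\Lbd.sys [?]
S2 ywyyitdy;System Monitor;c:\\windows\\system32\\svchost.exe -k netsvcs [24/05/2005 2:35 PM 14336]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\\windows\\system32\\drivers\\wdcsam.sys [21/06/2010 4:01 PM 11520]
"""

# Assumed baseline of service names legitimately hosted in the netsvcs group
# on Windows XP (illustrative subset; build the real list from a clean box).
KNOWN_NETSVCS = {
    "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "EventSystem",
    "helpsvc", "lanmanserver", "lanmanworkstation", "Netman", "Nla", "RasMan",
    "Schedule", "seclogon", "SENS", "SharedAccess", "ShellHWDetection",
    "srservice", "Themes", "TrkWks", "W32Time", "winmgmt", "wuauserv", "wscsvc",
}

# R/S + start-type digit, then name;display;image, then the bracketed stamp.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[[^\]]*\]$")
# "3453:TCP"= 3453:TCP:label   (label is either a resource ref or free text)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.+)$')


def parse_services(log):
    """Return (state, name, display, image) tuples for service/driver lines."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(m.groups())
    return out


def parse_open_ports(log):
    """Return (port, proto, label) tuples from the GloballyOpenPorts list."""
    out = []
    for line in log.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out


def suspicious_netsvcs(log, baseline=KNOWN_NETSVCS):
    """Names of services run via 'svchost.exe -k netsvcs' not in the baseline."""
    names = []
    for _state, name, _display, image in parse_services(log):
        if "svchost.exe -k netsvcs" in image.lower() and name not in baseline:
            names.append(name)
    return names


def suspicious_open_ports(log):
    """Open-port exceptions whose label is not a Windows resource reference."""
    return [(port, proto, label) for port, proto, label in parse_open_ports(log)
            if not label.startswith("@")]


if __name__ == "__main__":
    for name in suspicious_netsvcs(SAMPLE_LOG):
        print("unknown netsvcs member:", name)
    for port, proto, label in suspicious_open_ports(SAMPLE_LOG):
        print("unlabelled firewall exception:", f"{port}/{proto}", label)
```

Run against the log from post #31 it prints ywyyitdy and 3453/TCP huxutzgk, which are exactly the entries the CFScript removes.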

  3. #33 (Junior Member, Join Date Sep 2010, Posts 21)

    Hi there, thanks for your help again.

    Kaspersky is not running. It's telling me I don't fulfil the system requirements to let it run, though I installed Java exactly as you stipulated. These are the requirements according to the "Help" centre of Kaspersky: is there anything in here that you think I'd be missing?

    Hardware and software requirements

    For successful startup and operation of Kaspersky Online Scanner 7.0 the hardware and software of your computer must meet the following minimum requirements:
    50 MB of available disk space;
    Microsoft Windows 2000 Professional SP4, 32-bit / 64-bit Microsoft Windows XP SP2 or 32-bit / 64-bit Microsoft Windows Vista: Microsoft Internet Explorer 6 or 7, Opera 9 or Firefox 2;
    Ubuntu 7.10: Firefox 2;
    Sun Java SE Runtime Environment (JRE): for Microsoft Windows Vista version 1.6.0 or higher; for other operating systems version 1.5.0 or higher;
    Java and JavaScript support for internet applications must be enabled in the browser.
    Note.
    Successful launch of Kaspersky Online Scanner 7.0 on a computer running Microsoft Windows Vista requires starting the browser with the administrator credentials (Run as Administrator).


    Anyway I ran Combofix before all that, here's the log while I'm at it:


    ComboFix 10-09-09.04 - willmonotti 12/09/2010 11:35:39.2.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.555 [GMT 10:00]
    Running from: c:\documents and settings\willmonotti\Desktop\commy.exe
    Command switches used :: c:\documents and settings\willmonotti\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_YWYYITDY
    -------\Service_ywyyitdy


    ((((((((((((((((((((((((( Files Created from 2010-08-12 to 2010-09-12 )))))))))))))))))))))))))))))))
    .

    2010-09-09 13:11 . 2010-09-09 13:11 -------- d-----w- C:\_OTL
    2010-09-09 13:09 . 2010-09-09 13:09 -------- d-----w- c:\program files\ERUNT
    2010-09-08 12:11 . 2010-09-08 12:11 -------- d-----w- c:\documents and settings\willmonotti\Application Data\Malwarebytes
    2010-09-08 12:11 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-08 12:11 . 2010-09-08 12:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-08 12:11 . 2010-09-08 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-08 12:11 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-08 09:57 . 2010-09-08 09:57 -------- d-----w- C:\ComboFix
    2010-09-01 13:56 . 2010-09-01 13:56 -------- d-----w- c:\program files\Safer Networking
    2010-08-15 10:24 . 2010-08-15 10:24 503808 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4d9ba47b-n\msvcp71.dll
    2010-08-15 10:24 . 2010-08-15 10:24 499712 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4d9ba47b-n\jmc.dll
    2010-08-15 10:24 . 2010-08-15 10:24 61440 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-40226f48-n\decora-sse.dll
    2010-08-15 10:24 . 2010-08-15 10:24 348160 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4d9ba47b-n\msvcr71.dll
    2010-08-15 10:24 . 2010-08-15 10:24 12800 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-40226f48-n\decora-d3d.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-12 01:41 . 2005-05-24 05:18 12 ----a-w- c:\windows\bthservsdp.dat
    2010-08-03 07:15 . 2009-05-23 10:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2008-10-16 01:46 . 2008-10-16 01:46 700 ----a-w- c:\program files\studentVPN.pcf
    2008-08-29 04:00 . 2008-08-29 04:00 1073 ----a-w- c:\program files\sig.dat
    2008-08-29 04:00 . 2008-08-29 04:00 1099 ----a-w- c:\program files\vpnclient_setup.ini
    2008-08-29 04:00 . 2008-08-29 04:00 52224 ----a-w- c:\program files\vpnclient_jp.mst
    2008-08-29 04:00 . 2008-08-29 04:00 10935808 ----a-w- c:\program files\vpnclient_setup.msi
    2008-08-29 04:00 . 2008-08-29 04:00 51200 ----a-w- c:\program files\vpnclient_fc.mst
    2008-08-29 04:00 . 2008-08-29 04:00 819 ----a-w- c:\program files\vpnclient_setup.sms
    2008-08-29 04:00 . 2008-08-29 04:00 640 ----a-w- c:\program files\vpnclient_setup.pdf
    2008-08-29 04:00 . 2008-08-29 04:00 1822520 ----a-w- c:\program files\instmsiw.exe
    2008-08-29 04:00 . 2008-08-29 04:00 1708856 ----a-w- c:\program files\instmsi.exe
    2008-08-29 03:59 . 2008-08-29 03:59 56832 ----a-w- c:\program files\vpnclient_setup.exe
    2008-08-29 03:58 . 2008-08-29 03:58 221315 ----a-w- c:\program files\installservice.exe
    2008-08-29 03:57 . 2008-08-29 03:57 16505 ----a-w- c:\program files\DelayInst.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-09-11_13.37.52 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-12 01:42 . 2010-09-12 01:42 16384 c:\windows\Temp\Perflib_Perfdata_4f0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Google Update"="c:\documents and settings\willmonotti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-16 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" [X]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [13/11/2009 11:28 AM 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 8:58 AM 20480]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [21/06/2010 4:01 PM 11520]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

    2010-03-24 c:\windows\Tasks\Install_NSS.job
    - c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-03-15 13:58]

    2010-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4089067542-3450742136-2425182029-1004Core1cb4c3f70ac632c.job
    - c:\documents and settings\willmonotti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 10:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://trinity.unimelb.edu.au/portal
    uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
    uInternet Settings,ProxyServer = wwwproxy.student.unimelb.edu.au:8000
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\willmonotti\Application Data\Mozilla\Firefox\Profiles\qtrsc0zj.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.startup.homepage - hxxps://www.trinitycollege.vic.edu.au/portal/today/today.php
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
    FF - prefs.js: network.proxy.ftp - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.ftp_port - 8000
    FF - prefs.js: network.proxy.gopher - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.gopher_port - 8000
    FF - prefs.js: network.proxy.http - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.http_port - 8000
    FF - prefs.js: network.proxy.socks - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.socks_port - 8000
    FF - prefs.js: network.proxy.ssl - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.ssl_port - 8000
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\documents and settings\willmonotti\Application Data\Mozilla\Firefox\Profiles\qtrsc0zj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\willmonotti\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false.
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-HookURL - (no file)
    URLSearchHooks-Rank - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-12 11:43
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(848)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-12 11:46:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-12 01:46
    ComboFix2.txt 2010-09-11 13:40

    Pre-Run: 3,845,029,888 bytes free
    Post-Run: 3,789,979,648 bytes free

    - - End Of File - - 04CDED9696069A4E89B9E4253B1EBD73

  4. #34 (Senior Member, Join Date Feb 2010, Location Port Hedland, Western Australia, Posts 155)

    Hi

    If you're having problems with the Kaspersky scan, try this one:

    ESET Online Scanner
    Go here to run an online scanner from ESET.
    • Note: You will need to use Internet explorer for this scan
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked
    • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked
    • Click Scan
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
    • Copy and paste that log as a reply to this topic

  5. #35 (Junior Member, Join Date Sep 2010, Posts 21)

    Here's the log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=af314bc8d461c742a26a4c0ace62f01d
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-09-12 06:43:50
    # local_time=2010-09-12 04:43:50 (+1000, AUS Eastern Standard Time)
    # country="Australia"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=65060
    # found=65
    # cleaned=0
    # scan_time=2382
    C:\Documents and Settings\willmonotti\My Documents\Stuff\Procrastination central\Random music\Portishead\Third\07 Deep Water.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001383.exe a variant of Win32/Injector.AIF trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001384.exe Win32/Peerfrag.FL worm 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001407.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001408.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001411.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001412.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001415.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001416.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001419.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001422.exe a variant of Win32/Injector.CQB trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001425.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001426.exe a variant of Win32/Injector.CQB trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001427.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001428.exe a variant of Win32/Injector.CQB trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001433.exe a variant of Win32/Injector.CQB trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001435.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001437.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001438.exe a variant of Win32/Injector.CQB trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001439.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001440.exe a variant of Win32/Injector.CQB trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001441.exe a variant of Win32/Injector.CQD trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001443.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001446.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001449.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001450.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001451.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001453.exe Win32/Lethic.AA trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001454.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001455.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001457.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001459.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001461.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001465.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001468.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001469.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001471.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001475.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001476.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001478.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001480.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001486.exe Win32/Lethic.AA trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001488.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001490.exe Win32/Lethic.AA trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001491.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001495.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001499.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001502.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001503.exe Win32/Lethic.AA trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001504.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001505.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001506.exe Win32/Lethic.AA trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001508.exe a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001510.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001511.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001513.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001514.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001515.exe a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\09092010_231100\C_WINDOWS\system32\gnhnveo.dll a variant of Win32/Conficker.X worm 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\09092010_231100\C_\FOUND.024\FILE0000.CHK a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\09092010_231100\C_\FOUND.024\FILE0001.CHK a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\09092010_231100\C_\FOUND.024\FILE0002.CHK a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\09092010_231100\C_\FOUND.024\FILE0003.CHK a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\09092010_231100\C_\FOUND.024\FILE0004.CHK a variant of Win32/Injector.CXM trojan 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\09092010_231100\C_\FOUND.024\FILE0005.CHK a variant of Win32/Injector.CTK trojan 00000000000000000000000000000000 I
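Reading a log like the one above by location, as an added example that is not part of the thread, of ESET, or of any tool mentioned here: the script below (Python, with a constructed, shortened SAMPLE_LOG in the same shape as the posted one) separates hits inside System Restore snapshots and inside OTL's MovedFiles quarantine from files still in place, which is what distinguishes the 65 "found" entries from the one file that still needed action.

```python
"""Group the detections in an ESET Online Scanner log by where they were found.

Added example for reading the log posted in this thread; it is not part of the
thread, of ESET, or of any tool mentioned here.  SAMPLE_LOG is a constructed,
shortened log in the same shape as the posted one: key=value header lines
prefixed with '#', then one detection per line made of a path, a detection
name, a 32-hex-digit field and a trailing status letter.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the posted format (user name and music folder invented).
SAMPLE_LOG = r"""# version=7
# remove_checked=false
# archives_checked=true
# scanned=65060
# found=65
# cleaned=0
# scan_time=2382
C:\Documents and Settings\user\My Documents\Random music\07 Deep Water.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001383.exe a variant of Win32/Injector.AIF trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{7800EBD7-CFEF-41F0-BA9C-926303D6447E}\RP2\A0001453.exe Win32/Lethic.AA trojan 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09092010_231100\C_WINDOWS\system32\gnhnveo.dll a variant of Win32/Conficker.X worm 00000000000000000000000000000000 I
"""

DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})\s+"  # path, read up to its file extension
    r"(?P<name>\S.*?)\s+"                              # detection name, e.g. 'Win32/Lethic.AA trojan'
    r"(?P<hash>[0-9a-fA-F]{32})\s+"                    # 32-hex-digit field (all zeros in the posted log)
    r"(?P<status>\S+)\s*$"                             # trailing status letter ('I' throughout the posted log)
)


def classify(path):
    """Where a hit lives decides what it means for the running system."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point"   # old copy inside a System Restore snapshot, not running
    if "\\_otl\\movedfiles\\" in p:
        return "otl quarantine"  # already moved out of place by OTL earlier in the thread
    return "live"                # still in place on the file system


def parse_log(text):
    """Return (header dict, list of detection dicts) from the log text."""
    header, hits = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return header, hits


def summarize(text):
    """Compare the scanner's own counts with what is still live on disk."""
    header, hits = parse_log(text)
    by_location = defaultdict(list)
    for hit in hits:
        by_location[classify(hit["path"])].append(hit)
    return {
        "found_claimed": int(header.get("found", "0")),
        "found_parsed": len(hits),
        "cleaned": int(header.get("cleaned", "0")),
        "removal_enabled": header.get("remove_checked") == "true",
        "by_location": {loc: len(v) for loc, v in by_location.items()},
        "live_paths": [h["path"] for h in by_location["live"]],
        "families": Counter(h["name"] for h in hits),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"scanner reported {s['found_claimed']} hits, parsed {s['found_parsed']}, cleaned {s['cleaned']}")
    for loc, n in s["by_location"].items():
        print(f"  {loc:>15}: {n}")
    for path in s["live_paths"]:
        print("  needs action:", path)
```

For a real run, read the saved `log.txt` into `summarize()` instead of `SAMPLE_LOG`. The header also carries `remove_checked`, so the summary shows at a glance whether the scan was run in report-only mode as the instructions asked.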

  6. #36 Senior Member (Join Date: Feb 2010, Location: Port Hedland, Western Australia, Posts: 155)

    Hi

    Just about done, I think.

    Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.3
    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Adobe 9 is a large program, and if you prefer a smaller program you can get Foxit 3 instead from Foxit Software.
    Note: Do not install anything dealing with AskBar... presented as an installation option.

    OTL
    • Double click on OTL.exe to run it
    • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved

    Note: Do not type it out, to minimize the risk of typing errors
    Code:
    :Files
    C:\Documents and Settings\willmonotti\My Documents\Stuff\Procrastination central\Random music\Portishead\Third\07 Deep Water.mp3
    :Commands
    [Purity]
    [EmptyTemp]
    [Reboot]
    • Click on Run Fix
    • When done, click on Exit

    Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
    Post the resulting log in your next reply along with an update on how the computer is running.

  7. #37 Junior Member (Join Date: Sep 2010, Posts: 21)

    Hey there

    Here's the log. The computer is running smoothly at the moment - definitely a lot faster and it's not shutting down of its own accord all the time.



    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\willmonotti\My Documents\Stuff\Procrastination central\Random music\Portishead\Third\07 Deep Water.mp3 moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: willmonotti
    ->Temp folder emptied: 32211914 bytes
    ->Temporary Internet Files folder emptied: 4589978 bytes
    ->Java cache emptied: 5401 bytes
    ->FireFox cache emptied: 3575562 bytes
    ->Google Chrome cache emptied: 193444434 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 12593 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16384 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 15923882 bytes

    Total Files Cleaned = 238.00 mb


    OTL by OldTimer - Version 3.2.11.0 log created on 09122010_231232

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\willmonotti\Local Settings\Temp\Perflib_Perfdata_934.dat not found!

    Registry entries deleted on Reboot...

  8. #38 Senior Member (Join Date: Feb 2010, Location: Port Hedland, Western Australia, Posts: 155)

    Hi

    You should now update your computer to Windows XP Service Pack 3:
    http://www.microsoft.com/downloads/e...displaylang=en

    Once that's done, post a new DDS log for review.

  9. #39 Junior Member (Join Date: Sep 2010, Posts: 21)

    Hey there. Sorry for the delay. Here are the DDS logs after having updated with the Windows XP service pack.

    Also, for the past few startups, an installation wizard for something called "Windows Genuine Advantage Notifications" has popped up after I log in. What is this, and should I let it install?

    Here's the dds log ("attach" is attached)


    DDS (Ver_10-03-17.01) - FAT32x86
    Run by willmonotti at 0:43:01.37 on Wed 15/09/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.534 [GMT 10:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Documents and Settings\willmonotti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\willmonotti\Desktop\dds.scr
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://trinity.unimelb.edu.au/portal
    uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
    uInternet Settings,ProxyServer = wwwproxy.student.unimelb.edu.au:8000
    uInternet Settings,ProxyOverride = <local>
    uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Google Update] "c:\documents and settings\willmonotti\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [LaunchApp] Alaunch
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: igfxcui - igfxsrvc.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\willmo~1\applic~1\mozilla\firefox\profiles\qtrsc0zj.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.startup.homepage - hxxps://www.trinitycollege.vic.edu.au/portal/today/today.php
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
    FF - prefs.js: network.proxy.ftp - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.ftp_port - 8000
    FF - prefs.js: network.proxy.gopher - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.gopher_port - 8000
    FF - prefs.js: network.proxy.http - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.http_port - 8000
    FF - prefs.js: network.proxy.socks - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.socks_port - 8000
    FF - prefs.js: network.proxy.ssl - wwwproxy.unimelb.edu.au
    FF - prefs.js: network.proxy.ssl_port - 8000
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\documents and settings\willmonotti\application data\mozilla\firefox\profiles\qtrsc0zj.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\willmonotti\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-6-21 11520]
    S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

    =============== Created Last 30 ================

    2010-09-14 13:56:45 0 d-----w- c:\windows\LastGood.Tmp
    2010-09-14 13:56:33 8840 ----a-w- c:\windows\SEC15A6.PNF
    2010-09-14 13:50:33 294912 ------w- c:\windows\system32\dllcache\dlimport.exe
    2010-09-14 13:47:23 2948 ----a-w- c:\windows\SEC12.PNF
    2010-09-14 13:46:56 19569 ----a-w- c:\windows\003139_.tmp
    2010-09-13 22:35:19 0 d-----w- c:\windows\system32\XPSViewer
    2010-09-13 22:34:42 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-09-13 22:34:42 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-09-13 22:34:42 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-09-13 22:34:42 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-09-13 22:34:42 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-09-13 22:34:42 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-09-13 22:34:42 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-09-13 22:32:24 0 d-----w- c:\program files\MSXML 6.0
    2010-09-13 04:02:23 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-09-12 13:16:11 2560 ------w- c:\windows\system32\xpsp4res.dll
    2010-09-12 13:16:10 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
    2010-09-12 06:01:44 0 d-----w- c:\program files\ESET
    2010-09-12 03:50:54 0 d-sh--w- C:\Recycled
    2010-09-12 02:13:56 353792 ------w- c:\windows\system32\dllcache\srv.sys
    2010-09-12 02:13:26 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
    2010-09-12 02:13:23 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
    2010-09-12 02:13:15 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-09-12 02:09:47 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
    2010-09-12 02:05:01 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
    2010-09-12 02:01:28 0 d-sh--w- C:\FOUND.000
    2010-09-12 01:55:03 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-12 01:51:12 0 d-----w- c:\windows\system32\PreInstall
    2010-09-12 01:44:40 0 d-----w- c:\windows\system32\SoftwareDistribution
    2010-09-11 13:29:46 0 d-sha-r- C:\cmdcons
    2010-09-09 13:11:00 0 d-----w- C:\_OTL
    2010-09-08 12:11:29 0 d-----w- c:\docume~1\willmo~1\applic~1\Malwarebytes
    2010-09-08 12:11:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-08 12:11:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-08 12:11:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-08 12:11:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-09-08 09:57:45 0 d-----w- C:\ComboFix
    2010-09-08 09:54:53 98816 ----a-w- c:\windows\sed.exe
    2010-09-08 09:54:53 77312 ----a-w- c:\windows\MBR.exe
    2010-09-08 09:54:53 256512 ----a-w- c:\windows\PEV.exe
    2010-09-08 09:54:53 161792 ----a-w- c:\windows\SWREG.exe
    2010-09-01 13:56:04 0 d-----w- c:\program files\Safer Networking
    2010-09-01 13:53:23 0 d-----w- c:\windows\pss

    ==================== Find3M ====================

    2010-09-12 01:54:42 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2008-10-16 01:46:40 700 ----a-w- c:\program files\studentVPN.pcf
    2008-08-29 04:00:22 1073 ----a-w- c:\program files\sig.dat
    2008-08-29 04:00:20 1099 ----a-w- c:\program files\vpnclient_setup.ini
    2008-08-29 04:00:18 52224 ----a-w- c:\program files\vpnclient_jp.mst
    2008-08-29 04:00:06 10935808 ----a-w- c:\program files\vpnclient_setup.msi
    2008-08-29 04:00:04 51200 ----a-w- c:\program files\vpnclient_fc.mst
    2008-08-29 04:00:00 819 ----a-w- c:\program files\vpnclient_setup.sms
    2008-08-29 04:00:00 640 ----a-w- c:\program files\vpnclient_setup.pdf
    2008-08-29 04:00:00 1822520 ----a-w- c:\program files\instmsiw.exe
    2008-08-29 04:00:00 1708856 ----a-w- c:\program files\instmsi.exe
    2008-08-29 03:59:58 56832 ----a-w- c:\program files\vpnclient_setup.exe
    2008-08-29 03:58:04 221315 ----a-w- c:\program files\installservice.exe
    2008-08-29 03:57:32 16505 ----a-w- c:\program files\DelayInst.exe

    ============= FINISH: 0:43:37.45 ===============

  10. #40
    Senior Member
    Join Date
    Feb 2010
    Location
    Port Hedland, Western Australia
    Posts
    155

    Default

    Hi

    Sorry for the delay.

    Windows Genuine Advantage Notifications -
    Windows Genuine Advantage Notifications for Windows XP notifies you if a copy of Windows XP is not genuine. The notification messages only appear on computers that have failed the WGA validation process and that are running a copy of Windows XP that is not genuine. If you are running a validated, genuine copy of Windows XP, you will not receive notification messages.
    http://support.microsoft.com/kb/905474
    You are probably getting this as you have just updated to Service Pack 3. Allow it to install.

    Clean Up
    Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
    Remove ComboFix
    The following will implement some cleanup procedures as well as reset System Restore points:
    Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
    ComboFix /Uninstall
    • Double-click OTL
    • Click the CleanUp! button
    • Select Yes when the Begin cleanup Process? prompt appears
    • If you are prompted to Reboot during the cleanup, select Yes
    • The tool will delete itself once it finishes, if not delete it yourself
    You can delete the following from your desktop:
    TFC.exe
    The Gmer.exe file (it will be a randomly named .exe file)
    Any logs that may have been saved to your desktop
    ESET Online Scanner v3 - via Add or Remove Programs

    If you haven't already done so, open Malwarebytes' Anti-Malware, click Quarantine then Delete All. Close the program.

    All Clean
    Now that your system is safe we would like you to keep it that way.
    Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

    Create a Clean System Restore Point
    Create a new, clean System Restore point which you can use in case of future system problems:
    Press Start->All Programs->Accessories->System Tools->System Restore
    Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
    Now remove old, infected System Restore points:
    Next click Start->Run and type cleanmgr in the box and click OK
    Ensure the boxes for Temporary Files & Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
    Select the More Options tab, under System Restore click Clean up... and click Yes to the prompt
    Click OK and Yes to confirm.

    Microsoft Windows Update
    Microsoft releases patches for Windows and Office products regularly to patch up loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
    To update Windows
    Go to Start > All Programs > Windows Update
    To update Office
    Open up any Office program.
    Go to Help > Check for Updates

    Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
    You can find a tutorial here. Keep it updated & run it regularly.

    SpywareBlaster
    Download and install Javacools SpywareBlaster from here
    SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

    Download and Install a HOSTS File
    A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.
    Install MVPS Hosts File From Here
    The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    You can Find the Tutorial HERE

    Install WinPatrol
    Download it here
    You can find information about how WinPatrol works here

    Read some information here on how to prevent Malware.

    Hopefully these steps will help keep your computer clean.
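The HOSTS mechanism described in the post above, shown as an added example (this is not code from the thread or from the MVPS project): a small parser for the HOSTS file format (address, whitespace, one or more hostnames, optional `#` comment) and a check for which names the file "short circuits" to the local machine. The sample file contents and the `.test` hostnames are constructed placeholders, not a real blocklist; the Windows path used by `load_system_hosts` is the standard `%SystemRoot%\System32\drivers\etc\hosts` location.

```python
"""Parse a HOSTS file and report which hostnames it short-circuits to the local machine."""
import os

# Constructed sample in HOSTS format (not a real blocklist). A line is
# "<address> <name> [<name> ...]" with an optional "# comment"; blank lines are ignored.
SAMPLE_HOSTS = """\
# Constructed example in the MVPS style
127.0.0.1 localhost
127.0.0.1 ad.example-tracker.test         # banner ads
127.0.0.1 www.example-badsite.test example-badsite.test
0.0.0.0   telemetry.example.test          # some lists use 0.0.0.0 instead of 127.0.0.1
93.184.216.34 www.example.com             # an ordinary, non-blocking entry
"""

# Addresses that send a request back to the local machine instead of the network.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: address} for every name the file maps.

    Comments (from '#' to end of line) are stripped, blank and malformed lines
    are skipped, and several hostnames may follow one address. Names are
    lower-cased because DNS names are case-insensitive.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # address with no hostname: ignore rather than guess
        address, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = address
    return mapping


def is_short_circuited(mapping, hostname):
    """True if a lookup of `hostname` is answered from the HOSTS file with a local sink address."""
    return mapping.get(hostname.lower()) in LOCAL_SINKS


def blocked_names(mapping):
    """All hostnames (other than localhost) that the file points at the local machine, sorted."""
    return sorted(
        name for name, address in mapping.items()
        if address in LOCAL_SINKS and name != "localhost"
    )


def load_system_hosts(path=None):
    """Parse the live HOSTS file; defaults to the Windows location, else /etc/hosts."""
    if path is None:
        root = os.environ.get("SystemRoot")
        path = (os.path.join(root, "System32", "drivers", "etc", "hosts")
                if root else "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_hosts(fh.read())


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in blocked_names(hosts):
        print(f"{name} -> {hosts[name]} (request never leaves this machine)")
    print("www.example.com short-circuited?", is_short_circuited(hosts, "www.example.com"))
```

Running the block against the constructed sample lists the four sink-mapped names and reports that `www.example.com` still resolves normally. Because the file is consulted before DNS, the same parser run over the live file (via `load_system_hosts`) is a quick way to confirm that the MVPS list was installed, and to spot unexpected entries that redirect legitimate sites elsewhere, which is itself a common malware tactic.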
